Mimicry attacks on host-based intrusion detection systems
Proceedings of the 9th ACM conference on Computer and communications security
Integrating Flexible Support for Security Policies into the Linux Operating System
Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference
A Sense of Self for Unix Processes
SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
Data Mining Methods for Detection of New Malicious Executables
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Static Analyzer of Vicious Executables (SAVE)
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
The Art of Computer Virus Research and Defense
The Art of Computer Virus Research and Defense
Polymorphic Malicious Executable Scanner by API Sequence Analysis
HIS '04 Proceedings of the Fourth International Conference on Hybrid Intelligent Systems
Semantics-Aware Malware Detection
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Rootkits: Subverting the Windows Kernel
Rootkits: Subverting the Windows Kernel
Automating mimicry attacks using static binary analysis
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Behavior-based spyware detection
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Mining specifications of malicious behavior
Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering
Panorama: capturing system-wide information flow for malware detection and analysis
Proceedings of the 14th ACM conference on Computer and communications security
Learning and Classification of Malware Behavior
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
A Layered Architecture for Detecting Malicious Behaviors
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
PinUP: Pinning User Files to Known Applications
ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
Studying spamming botnets using Botlab
NSDI'09 Proceedings of the 6th USENIX symposium on Networked systems design and implementation
Automated classification and analysis of internet malware
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Learning more about the underground economy: a case-study of keyloggers and dropzones
ESORICS'09 Proceedings of the 14th European conference on Research in computer security
Effective and efficient malware detection at the end host
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Detecting self-mutating malware using control-flow graph matching
DIMVA'06 Proceedings of the Third international conference on Detection of Intrusions and Malware & Vulnerability Assessment
Polymorphic worm detection using structural information of executables
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Inoculation against malware infection using kernel-level software sensors
Proceedings of the 8th ACM international conference on Autonomic computing
Opcode-sequence-based semi-supervised unknown malware detection
CISIS'11 Proceedings of the 4th international conference on Computational intelligence in security for information systems
Risk-based security decisions under uncertainty
Proceedings of the second ACM conference on Data and Application Security and Privacy
KLIMAX: profiling memory write patterns to detect keystroke-harvesting malware
RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
Customized normalcy profiles for the detection of targeted attacks
EvoApplications'12 Proceedings of the 2012t European conference on Applications of Evolutionary Computation
PeerPress: utilizing enemies' P2P strength against them
Proceedings of the 2012 ACM conference on Computer and communications security
Using low-level dynamic attributes for malware detection based on data mining methods
MMM-ACNS'12 Proceedings of the 6th international conference on Mathematical Methods, Models and Architectures for Computer Network Security: computer network security
DiffSig: resource differentiation based malware behavioral concise signature generation
ICT-EurAsia'13 Proceedings of the 2013 international conference on Information and Communication Technology
Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues
Information Sciences: an International Journal
On the feasibility of online malware detection with performance counters
Proceedings of the 40th Annual International Symposium on Computer Architecture
EFFORT: A new host-network cooperated framework for efficient and effective bot malware detection
Computer Networks: The International Journal of Computer and Telecommunications Networking
Vetting undesirable behaviors in android apps with permission use analysis
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Generating Lightweight Behavioral Signature for Malware Detection in People-Centric Sensing
Wireless Personal Communications: An International Journal
Hi-index | 0.00 |
Models based on system calls are a popular and common approach to characterize the run-time behavior of programs. For example, system calls are used by intrusion detection systems to detect software exploits. As another example, policies based on system calls are used to sandbox applications or to enforce access control. Given that malware represents a significant security threat for today's computing infrastructure, it is not surprising that system calls were also proposed to distinguish between benign processes and malicious code. Most proposed malware detectors that use system calls follows program-centric analysis approach. That is, they build models based on specific behaviors of individual applications. Unfortunately, it is not clear how well these models generalize, especially when exposed to a diverse set of previously-unseen, real-world applications that operate on realistic inputs. This is particularly problematic as most previous work has used only a small set of programs to measure their technique's false positive rate. Moreover, these programs were run for a short time, often by the authors themselves. In this paper, we study the diversity of system calls by performing a large-scale collection (compared to previous efforts) of system calls on hosts that run applications for regular users on actual inputs. Our analysis of the data demonstrates that simple malware detectors, such as those based on system call sequences, face significant challenges in such environments. To address the limitations of program-centric approaches, we propose an alternative detection model that characterizes the general interactions between benign programs and the operating system (OS). More precisely, our system-centric approach models the way in which benign programs access OS resources (such as files and registry entries). Our experiments demonstrate that this approach captures well the behavior of benign programs and raises very few (even zero) false positives while being able to detect a significant fraction of today's malware.