Combining static and dynamic analysis for the detection of malicious documents

Authors:
Zacharias Tzermias;Giorgos Sykiotakis;Michalis Polychronakis;Evangelos P. Markatos
Affiliations:
Institute of Computer Science, Greece;University of Crete, Greece;Columbia University;Institute of Computer Science, Greece
Venue:
Proceedings of the Fourth European Workshop on System Security
Year:
2011

Citing 9
Cited 7

Toward Automated Dynamic Malware Analysis Using CWSandbox

IEEE Security and Privacy
A Study of Malcode-Bearing Documents

DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks

DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Detection and analysis of drive-by-download attacks and malicious JavaScript code

Proceedings of the 19th international conference on World wide web
NOZZLE: a defense against heap-spraying code injection attacks

SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Malicious origami in PDF

Journal in Computer Virology
Comprehensive shellcode detection using runtime heuristics

Proceedings of the 26th Annual Computer Security Applications Conference
Heap Taichi: exploiting memory allocation granularity in heap-spraying attacks

Proceedings of the 26th Annual Computer Security Applications Conference
Malicious PDF Documents Explained

IEEE Security and Privacy

SHELLOS: enabling fast detection and forensic analysis of code injection attacks

SEC'11 Proceedings of the 20th USENIX conference on Security
Static detection of malicious JavaScript-bearing PDF documents

Proceedings of the 27th Annual Computer Security Applications Conference
A pattern recognition system for malicious PDF files detection

MLDM'12 Proceedings of the 8th international conference on Machine Learning and Data Mining in Pattern Recognition
Malicious PDF detection using metadata and structural features

Proceedings of the 28th Annual Computer Security Applications Conference
HDM-Analyser: a hybrid analysis approach based on data mining techniques for malware detection

Journal in Computer Virology
Looking at the bag is not enough to find the bomb: an evasion of structural methods for malicious PDF files detection

Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
Weaknesses in defenses against web-borne malware

DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment

Quantified Score

Hi-index	0.00

Visualization

Abstract

The widespread adoption of the PDF format for document exchange has given rise to the use of PDF files as a prime vector for malware propagation. As vulnerabilities in the major PDF viewers keep surfacing, effective detection of malicious PDF documents remains an important issue. In this paper we present MDScan, a standalone malicious document scanner that combines static document analysis and dynamic code execution to detect previously unknown PDF threats. Our evaluation shows that MDScan can detect a broad range of malicious PDF documents, even when they have been extensively obfuscated.