We present a technique for dynamic malware detection that relies on a set of sensors that monitor the interaction of applications with the underlying operating system. By monitoring the requests that each process makes to kernel-level operating system functions, we build a statistical model that describes both clean and infected systems in terms of the distribution of data collected from each sensor. The model parameters are learned from labeled training data gathered from machines infected with canonical samples of malware. Detection then applies the Neyman-Pearson test from classical detection theory, which classifies a system as either clean or infected at runtime as measurements are collected from the sensors. We provide experimental results that illustrate the effectiveness of this technique for a selection of malware samples. Additionally, we analyze the performance of our sensing and detection techniques in terms of the overhead they introduce to the system. Finally, we show this method to be effective in detecting previously unknown malware when trained to detect similar malware under similar load conditions.
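The detection step sketched in the abstract, as an added example that is not code from the paper: per-sensor counts of kernel-function requests are modelled as Poisson variables whose rates are fitted from labeled windows, and a Neyman-Pearson likelihood-ratio test with a threshold chosen for a target false-alarm rate decides clean versus infected at runtime. The four sensor names, the Poisson model and every rate below are constructed assumptions, not values from the paper.

```python
import math
import random

# Constructed illustration: four hypothetical sensors, each counting how often a
# process calls one class of kernel-level function per measurement window. Rates
# would normally come from fit_rates() on labeled training windows.
SENSORS = ("file", "registry", "process", "network")
CLEAN_RATES = {"file": 40.0, "registry": 12.0, "process": 0.5, "network": 3.0}
INFECTED_RATES = {"file": 55.0, "registry": 30.0, "process": 4.0, "network": 15.0}


def fit_rates(windows):
    """Maximum-likelihood Poisson rate per sensor from labeled training windows."""
    return {s: sum(w[s] for w in windows) / len(windows) for s in SENSORS}


def log_likelihood_ratio(window, clean, infected):
    """log P(window | infected) - log P(window | clean); the log(x!) terms cancel."""
    return sum(window[s] * math.log(infected[s] / clean[s]) - (infected[s] - clean[s])
               for s in SENSORS)


def poisson(lam, rng):
    """Poisson draw via Knuth's multiplication method (adequate for these rates)."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k, p = k + 1, p * rng.random()
    return k


def np_threshold(clean, infected, alpha, n_windows=1, trials=4000, seed=1):
    """Neyman-Pearson threshold: the (1 - alpha) quantile of the summed LLR over
    n_windows windows drawn from the clean model, so the false-alarm probability is
    about alpha and detection power is maximised for that constraint."""
    rng = random.Random(seed)
    llrs = sorted(
        sum(log_likelihood_ratio({s: poisson(clean[s], rng) for s in SENSORS}, clean, infected)
            for _ in range(n_windows))
        for _ in range(trials))
    return llrs[min(trials - 1, int((1 - alpha) * trials))]


def classify(windows, clean, infected, threshold):
    """Runtime decision over a batch of sensor windows: infected iff summed LLR > threshold."""
    total = sum(log_likelihood_ratio(w, clean, infected) for w in windows)
    return "infected" if total > threshold else "clean"


def false_alarm_rate(clean, infected, threshold, trials=2000, seed=7):
    """Empirical check of the design false-alarm rate on fresh clean windows."""
    rng = random.Random(seed)
    hits = sum(classify([{s: poisson(clean[s], rng) for s in SENSORS}], clean, infected,
                        threshold) == "infected" for _ in range(trials))
    return hits / trials
```

Passing n_windows greater than one to np_threshold gives a threshold for accumulating evidence over several windows before deciding, which trades detection latency for a lower false-alarm rate at the same alpha.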