We present an architecture for detecting “zero-day” worms and viruses in incoming email. Our main idea is to intercept every incoming message, pre-scan it for potentially dangerous attachments, and only deliver messages that are deemed safe. Unlike traditional scanning techniques that rely on some form of pattern matching (signatures), we use behavior-based anomaly detection. Under our approach, we “open” all suspicious attachments inside an instrumented virtual machine, watching for dangerous actions such as writing to the Windows registry, and flag the messages that carry them. The attachment processing can be offloaded to a cluster of ancillary machines (as many as are needed to keep up with a site's email load), thus imposing no computational load on the mail server. Flagged messages are put in a “quarantine” area for further, more labor-intensive processing. Our implementation shows that we can use a large number of malware-checking VMs operating in parallel to cope with high loads. Finally, we show that we are able to detect the actions of all malicious software we tested, while keeping the false positive rate under 5%.
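The pre-scan and quarantine decision described above, as an added Python example that is not the paper's code: it pulls attachments out of a MIME message, selects the ones worth opening in a VM (executable suffix or a DOS/PE "MZ" header), and quarantines the message when the behavioral report from the VM stage contains an action such as a registry write. The VM stage is modelled by a callable (the constructed `fake_sandbox`), and the suffix list, action names and sample message are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment names an email gateway would treat as executable (assumed list, not the paper's).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")
# Behaviours the instrumented VM is assumed to report; any one of them flags the message.
DANGEROUS_ACTIONS = {"registry_write", "process_create", "network_connect"}

def needs_detonation(filename: str, data: bytes) -> bool:
    """Pre-scan rule: executable suffix, or a DOS/PE 'MZ' header whatever the name claims."""
    return data[:2] == b"MZ" or filename.lower().endswith(EXECUTABLE_SUFFIXES)

def prescan(raw: bytes) -> list[tuple[str, bytes]]:
    """Return the attachments that must be opened in a VM before the message is delivered."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if needs_detonation(name, data):
            found.append((name, data))
    return found

def filter_message(raw: bytes, sandbox) -> tuple[str, list[str]]:
    """sandbox: attachment bytes -> list of observed actions (the VM stage, modelled as a callable).
    Returns ('deliver', []) or ('quarantine', [flagged attachment names])."""
    flagged = [name for name, data in prescan(raw)
               if set(sandbox(data)) & DANGEROUS_ACTIONS]
    return ("quarantine" if flagged else "deliver"), flagged

def fake_sandbox(data: bytes) -> list[str]:
    """Constructed stand-in for the instrumented VM: a PE image is seen writing the registry."""
    return ["registry_write", "file_write"] if data.startswith(b"MZ") else ["file_read"]

def build_sample_message(with_pe: bool = True) -> bytes:
    """Constructed test message: a text attachment and, optionally, a PE attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.test", "bob@example.test", "invoice"
    msg.set_content("Please see the attached files.")
    msg.add_attachment("meeting notes", filename="notes.txt")
    if with_pe:  # the 'MZ' header is enough for the pre-scan; the rest is padding
        msg.add_attachment(b"MZ" + b"\x90" * 62, maintype="application",
                           subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()
```

Only the attachments that pass `prescan` are handed to the sandbox, which is what lets the VM work be spread across ancillary machines while the text attachment is never detonated.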