A cuckoo's egg in the malware nest on-the-fly signature-less malware analysis, detection, and containment for large networks

Authors:
Damiano Bolzoni;Christiaan Schade;Sandro Etalle
Affiliations:
University of Twente, The Netherlands;University of Twente, The Netherlands;University of Twente, The Netherlands and Eindhoven Technical University, The Netherlands
Venue:
LISA'11 Proceedings of the 25th international conference on Large Installation System Administration
Year:
2011

Citing 15
Cited 0

A Network Worm Vaccine Architecture

WETICE '03 Proceedings of the Twelfth International Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises
Testing malware detectors

ISSTA '04 Proceedings of the 2004 ACM SIGSOFT international symposium on Software testing and analysis
The Art of Computer Virus Research and Defense

The Art of Computer Virus Research and Defense
Semantics-Aware Malware Detection

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Polygraph: Automatically Generating Signatures for Polymorphic Worms

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Autograph: toward automated, distributed worm signature detection

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Toward Automated Dynamic Malware Analysis Using CWSandbox

IEEE Security and Privacy
BotHunter: detecting malware infection through IDS-driven dialog correlation

SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection

SS'08 Proceedings of the 17th conference on Security symposium
Malware detection using statistical analysis of byte-level file content

Proceedings of the ACM SIGKDD Workshop on CyberSecurity and Intelligence Informatics
Your botnet is my botnet: analysis of a botnet takeover

Proceedings of the 16th ACM conference on Computer and communications security
PE-Miner: Mining Structural Information to Detect Malicious Executables in Realtime

RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Identifying Dormant Functionality in Malware Programs

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Effective and efficient malware detection at the end host

SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Detecting malicious code by model checking

DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment

Quantified Score

Hi-index	0.00

Visualization

Abstract

Avatar is a new architecture devised to perform on-the-fly malware analysis and containment on ordinary hosts; that is, on hosts with no special setup. The idea behind Avatar is to inject the suspected malware with a specially crafted piece of software at the moment that it tries to download an executable. The special software can cooperate with a remote analysis engine to determine the main characteristics of the suspected malware, and choose an appropriate containment strategy, which may include process termination, in case the process under analysis turns out to be malicious, or let it continue otherwise. Augmented with additional detection heuristics we present in the paper, Avatar can also perform signature-less malware detection and containment.