Abstract | ||
---|---|---|
Malicious code (malware) is used to steal sensitive data, to attack corporate networks, and to deliver spam. To silently compromise systems and maintain their access, malware developers usually apply obfuscation techniques that result in a massive amount of malware variants and that can render static analysis approaches ineffective. To address the limitations of static approaches, researchers have proposed dynamic analysis systems. These systems usually rely on a sandboxing environment that captures the system calls performed by a program under analysis. In this paper, we propose a novel approach to capture and model malware behavior that is based on the monitoring of the data values that a certain subset of instructions writes to memory during program execution. We have implemented a malware clustering component and a component to detect code reuse between different malware families. To validate our proposed techniques, we analyzed 16,248 malware samples. We found that our techniques produce clusters with high accuracy, as well as interesting cases of code reuse among malicious programs. |
Year | DOI | Venue |
---|---|---|
2012 | 10.1007/978-3-642-37300-8_8 | DIMVA |
Keywords | Field | DocType |
different malware family,dynamic analysis system,malware variant,model malware behavior,malware classification,malware developer,code reuse identification,malware clustering component,static analysis,malicious code,malware sample,code reuse | Sandbox (computer security),Cryptovirology,Computer security,Computer science,Static analysis,System call,Code reuse,Obfuscation,Cyber-collection,Malware | Conference |
Citations | PageRank | References |
1 | 0.38 | 14 |
Authors | ||
4 |
Name | Order | Citations | PageRank |
---|---|---|---|
André Ricardo Abed Grégio | 1 | 66 | 9.51 |
Paulo Lício de Geus | 2 | 83 | 13.37 |
Christopher Kruegel | 3 | 8799 | 516.05 |
Giovanni Vigna | 4 | 7121 | 507.72 |