Abstract |
---|
Traditionally, analysis of malicious software is only a semi-automated process, often requiring a skilled human analyst. As new malware appears at an increasingly alarming rate --- now over 100 thousand new variants each day --- there is a need for automated techniques for identifying suspicious behavior in programs. In this paper, we propose a method for extracting statistically significant malicious behaviors from a system call dependency graph (obtained by running a binary executable in a sandbox). Our approach is based on a new method for measuring the statistical significance of subgraphs. Given a training set of graphs from two classes (e.g., goodware and malware system call dependency graphs), our method can assign p-values to subgraphs of new graph instances even if those subgraphs have not appeared before in the training data (thus possibly capturing new behaviors or disguised versions of existing behaviors). |
Year | DOI | Venue |
---|---|---|
2013 | 10.1145/2523649.2523659 | ACSAC |
Keywords | Field | DocType |
---|---|---|
significant malware behavior, training data, new graph instance, thousand new variant, new malware, system call dependency graph, significant malicious behavior, new method, malicious software, new behavior, malware system call dependency, isolation, decomposition, virtualization | Sandbox (computer security), Virtualization, Graph, Computer science, Computer security, System call, Malware, Dependency graph, Binary number, Executable | Conference |
Citations | PageRank | References |
---|---|---|
10 | 0.53 | 15 |
Authors |
---|
4 |
Name | Order | Citations | PageRank |
---|---|---|---|
Sirinda Palahan | 1 | 10 | 0.87 |
Domagoj Babić | 2 | 145 | 7.11 |
Swarat Chaudhuri | 3 | 981 | 67.68 |
Daniel Kifer | 4 | 1509 | 86.63 |