Title
Extraction of statistically significant malware behaviors
Abstract
Traditionally, the analysis of malicious software has been only a semi-automated process, often requiring a skilled human analyst. As new malware appears at an increasingly alarming rate, now more than 100,000 new variants each day, there is a need for automated techniques for identifying suspicious behavior in programs. In this paper, we propose a method for extracting statistically significant malicious behaviors from a system call dependency graph (obtained by running a binary executable in a sandbox). Our approach is based on a new method for measuring the statistical significance of subgraphs. Given a training set of graphs from two classes (e.g., goodware and malware system call dependency graphs), our method can assign p-values to subgraphs of new graph instances even if those subgraphs have not appeared before in the training data (thus possibly capturing new behaviors or disguised versions of existing behaviors).
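The abstract names two ingredients: a system call dependency graph built from a sandbox trace, and a statistical test that assigns significance to subgraphs given labeled goodware and malware graphs. The Python below is an added illustration, not code from the paper and not the paper's method: it builds dependency graphs from constructed traces (a handle produced by one call and consumed by a later call becomes an edge) and scores each small candidate subgraph with a one-sided Fisher exact test on how often it occurs in each class. Unlike the paper's method, this test can only score subgraphs that actually occur in the training data. The syscall names, handle labels and traces are all constructed for the example.

```python
"""Added example (not the paper's method): build system-call dependency
graphs from sandbox traces and test whether a small subgraph is
over-represented in a malware set versus a goodware set, using a
one-sided Fisher exact test on occurrence counts."""
from itertools import combinations
from math import comb

# A trace is a list of (syscall, consumed_handles, produced_handle).
# Handle names are constructed labels standing in for file descriptors,
# sockets and buffers returned by the sandbox.  An edge (a, b) means a
# later call b consumed a value that an earlier call a produced.
def dependency_edges(trace):
    producer = {}          # handle -> name of the call that produced it
    edges = set()
    for name, consumed, produced in trace:
        for h in consumed:
            if h in producer:
                edges.add((producer[h], name))
        if produced is not None:
            producer[produced] = name
    return frozenset(edges)


def hypergeom_tail(k, n_mal, n_good, n_hits):
    """P[X >= k] for X ~ Hypergeometric(N=n_mal+n_good, K=n_hits, n=n_mal):
    the one-sided Fisher exact p-value for k or more of the n_hits pattern
    occurrences landing in the malware set by chance alone."""
    total = n_mal + n_good
    upper = min(n_hits, n_mal)
    return sum(comb(n_hits, i) * comb(total - n_hits, n_mal - i)
               for i in range(k, upper + 1)) / comb(total, n_mal)


def pattern_pvalue(pattern, mal_graphs, good_graphs):
    """p-value for a pattern (a frozenset of edges) being enriched in malware."""
    a = sum(pattern <= g for g in mal_graphs)    # malware graphs containing it
    b = sum(pattern <= g for g in good_graphs)   # goodware graphs containing it
    return hypergeom_tail(a, len(mal_graphs), len(good_graphs), a + b)


def rank_patterns(mal_graphs, good_graphs, max_edges=2):
    """Score every pattern of up to max_edges edges drawn from the union of
    all graphs.  Returns (p_raw, p_bonferroni, pattern) sorted by p_raw;
    the Bonferroni column accounts for the number of patterns tested."""
    universe = sorted(set().union(*mal_graphs, *good_graphs))
    candidates = [frozenset(c) for r in range(1, max_edges + 1)
                  for c in combinations(universe, r)]
    m = len(candidates)
    scored = [(pattern_pvalue(pat, mal_graphs, good_graphs), pat) for pat in candidates]
    return sorted(((p, min(1.0, p * m), pat) for p, pat in scored), key=lambda t: t[0])


# Constructed traces.  Goodware reads files and writes output or fetches
# data from a socket; malware reads a file and sends the buffer out.
GOODWARE_TRACES = [
    [("open", (), "fd1"), ("read", ("fd1",), "buf1"), ("write", ("buf1",), None),
     ("close", ("fd1",), None)],
    [("open", (), "fd1"), ("read", ("fd1",), "buf1"), ("open", (), "fd2"),
     ("write", ("fd2", "buf1"), None)],
    [("socket", (), "s1"), ("connect", ("s1",), None), ("recv", ("s1",), "buf1"),
     ("write", ("buf1",), None)],
    [("open", (), "fd1"), ("read", ("fd1",), "buf1"), ("write", ("buf1",), None)],
]
MALWARE_TRACES = [
    [("open", (), "fd1"), ("read", ("fd1",), "buf1"), ("socket", (), "s1"),
     ("connect", ("s1",), None), ("send", ("s1", "buf1"), None)],
    [("open", (), "fd1"), ("read", ("fd1",), "buf1"), ("socket", (), "s1"),
     ("connect", ("s1",), None), ("send", ("s1", "buf1"), None), ("close", ("fd1",), None)],
    [("socket", (), "s1"), ("connect", ("s1",), None), ("open", (), "fd1"),
     ("read", ("fd1",), "buf1"), ("send", ("s1", "buf1"), None)],
    [("open", (), "fd1"), ("read", ("fd1",), "buf1"), ("socket", (), "s1"),
     ("send", ("s1", "buf1"), None)],
]

if __name__ == "__main__":
    mal = [dependency_edges(t) for t in MALWARE_TRACES]
    good = [dependency_edges(t) for t in GOODWARE_TRACES]
    for p_raw, p_bonf, pat in rank_patterns(mal, good)[:5]:
        print(f"p={p_raw:.4f}  bonferroni={p_bonf:.3f}  {sorted(pat)}")
```

With four graphs per class the best achievable p-value is 1/70 (a pattern present in every malware graph and no goodware graph, such as the read-to-send edge), and after correcting for the 45 candidate patterns nothing survives at 0.05. That is the practical caveat with count-based tests: the sample has to be large relative to the number of subgraphs examined, and a subgraph never seen in training gets no score at all, which is the gap the paper's significance measure is designed to address.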
Year: 2013
DOI: 10.1145/2523649.2523659
Venue: ACSAC
Keywords: significant malware behavior, training data, new graph instance, thousand new variant, new malware, system call dependency graph, significant malicious behavior, new method, malicious software, new behavior, malware system call dependency, isolation, decomposition, virtualization
Field: Sandbox (computer security), Virtualization, Graph, Computer science, Computer security, System call, Malware, Dependency graph, Binary number, Executable
DocType: Conference
Citations: 10
PageRank: 0.53
References: 15
Authors: 4

Name                Order   Citations   PageRank
Sirinda Palahan     1       10          0.87
Domagoj Babić       2       145         7.11
Swarat Chaudhuri    3       981         67.68
Daniel Kifer        4       1509        86.63