Inoculation against malware infection using kernel-level software sensors

We present a technique for dynamic malware detection that relies on a set of sensors that monitor the interaction of applications with the underlying operating system. By monitoring the requests that each process makes to kernel-level operating system functions, we build a statistical model that describes both clean and infected systems in terms of the distribution of data collected from each sensor. The model parameters are learned from labeled training data gathered from machines infected with canonical samples of malware. Detection uses the Neyman-Pearson test from classical detection theory: the system is classified as either clean or infected at runtime as measurements are collected from the sensors. We provide experimental results that illustrate the effectiveness of this technique for a selection of malware samples. Additionally, we provide a performance analysis of our sensing and detection techniques in terms of the overhead they introduce to the system. Finally, we show this method to be effective in detecting previously unknown malware when trained to detect similar malware under similar load conditions.
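The abstract names the ingredients (per-sensor distributions learned from labeled windows, a Neyman-Pearson test applied at runtime) but not the paper's sensor set or model family. The following is an added illustration, not the paper's code: it assumes four hypothetical sensors that each count one class of kernel-level request over a window of 100 requests, models each class (clean, infected) as a multinomial over the sensors, and realises the Neyman-Pearson test as a log-likelihood-ratio threshold chosen so that the false-alarm rate on clean training windows stays within a stated budget. The training windows and the replayed event stream are constructed for the example.

```python
import math
from collections import Counter, deque

# Hypothetical sensor set: each sensor counts one class of kernel-level request.
SENSORS = ("file", "registry", "network", "process")

# Constructed training data: per-window request counts (window = 100 requests)
# gathered from clean machines and from machines running a malware sample.
CLEAN_TRAINING = [
    {"file": 60, "registry": 25, "network": 5, "process": 10},
    {"file": 55, "registry": 30, "network": 8, "process": 7},
    {"file": 62, "registry": 22, "network": 6, "process": 10},
    {"file": 58, "registry": 27, "network": 4, "process": 11},
    {"file": 65, "registry": 20, "network": 7, "process": 8},
]
INFECTED_TRAINING = [
    {"file": 20, "registry": 35, "network": 40, "process": 5},
    {"file": 18, "registry": 30, "network": 45, "process": 7},
    {"file": 25, "registry": 33, "network": 38, "process": 4},
    {"file": 22, "registry": 28, "network": 44, "process": 6},
    {"file": 19, "registry": 36, "network": 41, "process": 4},
]
WINDOW = 100


def learn_model(windows, alpha=1.0):
    """Fit a multinomial over sensors to labeled windows (additive smoothing
    so that no sensor gets probability zero and the log-ratio stays finite)."""
    totals = Counter()
    for w in windows:
        totals.update(w)
    denom = sum(totals[s] for s in SENSORS) + alpha * len(SENSORS)
    return {s: (totals[s] + alpha) / denom for s in SENSORS}


def log_likelihood_ratio(counts, clean, infected):
    """log P(counts | infected) - log P(counts | clean). The multinomial
    coefficient is identical under both hypotheses and cancels."""
    return sum(counts.get(s, 0) * (math.log(infected[s]) - math.log(clean[s]))
               for s in SENSORS)


def choose_threshold(clean_windows, clean, infected, max_false_alarm):
    """Neyman-Pearson: the test is 'declare infected if LLR > gamma'; pick the
    smallest gamma whose empirical false-alarm rate on clean training windows
    does not exceed max_false_alarm. Detection power is then maximal for
    that false-alarm budget."""
    llrs = sorted(log_likelihood_ratio(w, clean, infected) for w in clean_windows)
    allowed = min(int(max_false_alarm * len(llrs)), len(llrs) - 1)
    return llrs[len(llrs) - allowed - 1]


class RuntimeDetector:
    """Classifies the host from a sliding window of sensor events. The LLR
    grows with the number of events, so gamma is only meaningful for the
    window length used during training; no verdict is issued before the
    window is full."""

    def __init__(self, clean, infected, threshold, window_size=WINDOW):
        self.clean, self.infected = clean, infected
        self.threshold, self.window_size = threshold, window_size
        self.events = deque()
        self.counts = Counter()

    def observe(self, sensor):
        self.events.append(sensor)
        self.counts[sensor] += 1
        if len(self.events) > self.window_size:
            self.counts[self.events.popleft()] -= 1
        if len(self.events) < self.window_size:
            return None
        llr = log_likelihood_ratio(self.counts, self.clean, self.infected)
        return "infected" if llr > self.threshold else "clean"


def run_demo(max_false_alarm=0.05):
    """Train, calibrate, then replay a constructed event stream: one clean
    window followed by one window that mimics the infected profile."""
    clean = learn_model(CLEAN_TRAINING)
    infected = learn_model(INFECTED_TRAINING)
    gamma = choose_threshold(CLEAN_TRAINING, clean, infected, max_false_alarm)
    det = RuntimeDetector(clean, infected, gamma)
    stream = (["file"] * 60 + ["registry"] * 25 + ["network"] * 5 + ["process"] * 10
              + ["network"] * 40 + ["registry"] * 35 + ["file"] * 20 + ["process"] * 5)
    verdicts = [det.observe(e) for e in stream]
    return {"threshold": gamma, "after_clean": verdicts[WINDOW - 1],
            "after_infected": verdicts[-1]}


if __name__ == "__main__":
    print(run_demo())
```

Two points the code makes concrete. First, the threshold is not a free parameter: it falls out of the false-alarm budget, which is what distinguishes the Neyman-Pearson construction from an ad hoc score cut-off. Second, because the log-likelihood ratio is a sum over observed events, its scale depends on how many events a window holds; a threshold calibrated on 100-request windows says nothing about a half-filled window, which is why the runtime detector withholds a verdict until the window is full and why the abstract's remark about training "under similar load conditions" matters.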
