Multi-channel Change-Point Malware Detection

The complex computing systems employed by governments, corporations, and other institutions are frequently targeted by cyber-attacks designed for espionage and sabotage. The malicious software used in such attacks is typically custom-designed or obfuscated to avoid detection by traditional antivirus software. Our goal is to create a malware detection system that can quickly and accurately detect such otherwise difficult-to-detect malware. We pose the problem of malware detection as a multi-channel change-point detection problem, wherein the goal is to identify the point in time when a system changes from a known clean state to an infected state. We present a host-based malware detection system designed to run at the hypervisor level, monitoring hypervisor and guest operating system sensors and sequentially determining whether the host is infected. We present a case study wherein the detection system is used to detect various types of malware on an active web server under heavy computational load.
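The following is an added illustration of the multi-channel sequential change-point formulation described above; it is not the paper's code. Each sensor channel is standardised against a clean-state baseline and run through a one-sided Page CUSUM, and a fused alarm is raised once at least `k_of_n` channels have crossed their threshold; the channel names, thresholds and sensor streams are constructed for the example.

```python
"""Multi-channel CUSUM change-point detector (added example, not the paper's implementation)."""
import random
from statistics import mean, pstdev


class MultiChannelCusum:
    def __init__(self, baselines, h=6.0, drift=0.5, k_of_n=2):
        # baselines: {channel: list of samples recorded while the host is known clean}
        self.mu = {c: mean(v) for c, v in baselines.items()}
        self.sigma = {c: max(pstdev(v), 1e-9) for c, v in baselines.items()}
        self.h, self.drift, self.k_of_n = h, drift, k_of_n
        self.s = {c: 0.0 for c in baselines}  # per-channel CUSUM statistic

    def update(self, sample):
        """Feed one time step ({channel: value}); return (fused_alarm, alarming channels)."""
        alarmed = set()
        for c, x in sample.items():
            z = (x - self.mu[c]) / self.sigma[c]            # standardised deviation from clean state
            self.s[c] = max(0.0, self.s[c] + z - self.drift)  # one-sided (upward) Page CUSUM
            if self.s[c] > self.h:
                alarmed.add(c)
        # Decision fusion: require k of n channels to agree before declaring infection
        return len(alarmed) >= self.k_of_n, alarmed


def detect_change(baselines, stream, **kw):
    """Run sequentially over the stream; return the index of the first fused alarm, else None."""
    det = MultiChannelCusum(baselines, **kw)
    for t, sample in enumerate(stream):
        alarm, _ = det.update(sample)
        if alarm:
            return t
    return None


def synthetic_run(change_at=200, n=400, seed=1):
    """Constructed sensor data: three hypothetical channels, two of which shift at change_at."""
    rng = random.Random(seed)
    clean = {"syscalls_per_s": (100, 10), "cpu_pct": (40, 5), "net_conns": (20, 4)}
    baselines = {c: [rng.gauss(m, s) for _ in range(100)] for c, (m, s) in clean.items()}
    stream = []
    for t in range(n):
        shift = 1 if t >= change_at else 0
        stream.append({
            "syscalls_per_s": rng.gauss(100 + 30 * shift, 10),
            "cpu_pct": rng.gauss(40 + 10 * shift, 5),
            "net_conns": rng.gauss(20, 4),  # channel unaffected by the simulated infection
        })
    return baselines, stream
```

With `k_of_n=2` the unaffected channel cannot trigger an alarm on its own, which is the point of fusing several sensors rather than alarming on any single noisy one.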
