Online malware defense using attack behavior model

Malware detection is one central topic in cybersecurity, which ideally requires an accurate, efficient and robust (to malware variants) solution. In this work, we propose a hardwareassisted architecture to perform online malware detection with two phases. In the offline phase, we learn the attack model of malware in the form of Deterministic Finite Automaton (DFA). During the runtime phase, we implement a DFA-based detection approach in hardware to check whether a program's execution contains the malicious behavior specified in the DFA. We evaluate our method using real world data of 168 Linux malware samples and 370 benign applications. The results show that our DFA-based approach can recognize malware variants of same family with the potential to detect zero-day attacks. Implemented in hardware, our architecture offers a real time detection with low performance and resource overhead, and more importantly, it cannot be bypassed by malware using sophisticated evasion techniques.

[1]  Ronald L. Rivest,et al.  Inference of finite automata using homing sequences , 1989, STOC '89.

[2]  Christopher Krügel,et al.  A quantitative study of accuracy in system call-based malware detection , 2012, ISSTA 2012.

[3]  Wei Zhang,et al.  Semantics-Based Online Malware Detection: Towards Efficient Real-Time Protection Against Malware , 2016, IEEE Transactions on Information Forensics and Security.

[4]  James Newsome,et al.  Dynamic Taint Analysis for Automatic Detection, Analysis, and SignatureGeneration of Exploits on Commodity Software , 2005, NDSS.

[5]  Salvatore J. Stolfo,et al.  On the feasibility of online malware detection with performance counters , 2013, ISCA.

[6]  Tal Garfinkel,et al.  A Virtual Machine Introspection Based Architecture for Intrusion Detection , 2003, NDSS.

[7]  Christopher Krügel,et al.  A survey on automated dynamic malware-analysis techniques and tools , 2012, CSUR.

[8]  Dana Angluin,et al.  Learning Regular Sets from Queries and Counterexamples , 1987, Inf. Comput..

[9]  Christopher Krügel,et al.  Scalable, Behavior-Based Malware Clustering , 2009, NDSS.

[10]  Jun Sun,et al.  Detection and classification of malicious JavaScript via attack behavior modelling , 2015, ISSTA.

[11]  Stephanie Forrest,et al.  A sense of self for Unix processes , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[12]  Hessam Kooti,et al.  Hardware-Assisted Detection of Malicious Software in Embedded Systems , 2012, IEEE Embedded Systems Letters.