MAPMon: A Host-Based Malware Detection Tool

In order for financially motivated malware programs such as spyware, viruses and worms to survive after a system reboot, they have to modify entries in auto-start extensibility points (ASEPs), system calls or system files on a compromised system. We call these system resources, which a malware program could attack once it intrudes into a host, malware attacking points (MAPs). Based on this observation, we design and implement MAPMon, a monitoring mechanism that detects any suspicious change to malware attacking points. This paper describes the design and implementation tradeoffs of the MAPMon tool. The effectiveness of the MAPMon tool for malware detection is evaluated using real-world malware programs, including those that do not have signatures.
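The abstract describes MAPMon's core idea: record the state of each malware attacking point (ASEP entries, system files, system-call dispatch slots) and flag any change that is not expected. The following added example, which is not code from the paper or the MAPMon tool, sketches that baseline-and-compare logic in Python. The MAP identifiers, their contents, and the "approved change" mechanism are constructed assumptions for illustration; a real monitor would read the live registry, file system and kernel state instead of an in-memory dictionary.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# A snapshot maps a MAP identifier (ASEP value, system file, syscall slot)
# to a SHA-256 digest of its current content.
Snapshot = Dict[str, str]


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def take_snapshot(maps: Dict[str, bytes]) -> Snapshot:
    """Record a digest of every monitored MAP so later comparisons are cheap."""
    return {map_id: digest(content) for map_id, content in maps.items()}


@dataclass(frozen=True)
class Change:
    kind: str      # "added", "removed" or "modified"
    map_id: str


def detect_changes(baseline: Snapshot, current: Snapshot,
                   approved: Optional[Snapshot] = None) -> List[Change]:
    """Report every MAP whose state differs from the baseline.

    A change is suppressed only if its new digest was explicitly approved
    beforehand (e.g. a vendor patch to a system file); everything else,
    including new ASEP entries and re-pointed syscall slots, is suspicious.
    """
    approved = approved or {}
    changes: List[Change] = []
    for map_id in sorted(set(baseline) | set(current)):
        if map_id in current and approved.get(map_id) == current[map_id]:
            continue  # expected change, not reported
        if map_id not in baseline:
            changes.append(Change("added", map_id))
        elif map_id not in current:
            changes.append(Change("removed", map_id))
        elif baseline[map_id] != current[map_id]:
            changes.append(Change("modified", map_id))
    return changes


# Constructed sample state of a clean host; identifiers and contents are illustrative.
RUN_KEY = "ASEP:HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
KERNEL32 = "FILE:C:\\Windows\\System32\\kernel32.dll"
CLEAN_MAPS: Dict[str, bytes] = {
    RUN_KEY + "VendorUpdater": b"C:\\Program Files\\Vendor\\updater.exe",
    KERNEL32: b"kernel32 v1 (placeholder bytes)",
    "SYSCALL:NtCreateFile": b"dispatch -> ntoskrnl!NtCreateFile",
}


def run_demo() -> List[Change]:
    """Baseline a clean host, then compare against a constructed later state."""
    baseline = take_snapshot(CLEAN_MAPS)
    later = dict(CLEAN_MAPS)
    later[KERNEL32] = b"kernel32 v2 (placeholder bytes)"          # legitimate patch
    later[RUN_KEY + "NewEntry"] = b"C:\\Users\\Public\\newentry.exe"  # unexpected ASEP entry
    later["SYSCALL:NtCreateFile"] = b"dispatch -> unknown_driver!Hook"  # re-pointed syscall
    approved = {KERNEL32: digest(b"kernel32 v2 (placeholder bytes)")}
    return detect_changes(baseline, take_snapshot(later), approved)


if __name__ == "__main__":
    for change in run_demo():
        print(f"{change.kind:9s} {change.map_id}")
```

The approved-change map is what keeps a monitor like this usable in practice: without it, every OS update would produce a flood of "modified" reports for system files, and operators would learn to ignore the tool. The example reports only the two changes that have no approval, the new ASEP entry and the re-pointed syscall slot, which are exactly the kinds of MAP modifications the abstract says persistent malware must make.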
