MEDUSA: Malware Detection Using Statistical Analysis of System's Behavior

Traditional malware detection techniques analyze the code and behavior of known malware samples to build a database of malware signatures. In recent years, however, such techniques have shown inherent limitations in detecting unknown malware samples and in keeping the database up to date, because polymorphic and metamorphic malware samples are created constantly and spread very quickly across the Internet. To address the limitations of existing signature-based malware scanners, we take a different view and design a novel malware detection framework, called MEDUSA (MalwarE Detection Using Statistical Analysis of system's behavior), that builds a model of a system's behavior while it runs only normal processes. Unlike traditional approaches to malware detection, MEDUSA has the potential to detect unknown malware samples effectively because it monitors the system's behavior and detects significant deviations from the system's normal status. In this paper, we discuss several important considerations that must be taken into account to develop MEDUSA successfully in practice.
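The abstract describes the core idea only at a high level: learn what "normal" looks like for a system and flag significant departures from it. The following is an added illustration of that idea, not code from the paper or from MEDUSA itself. It assumes a hypothetical feature vector of per-window activity counts (process creations, file writes, network connections, registry writes), fits a per-feature mean and standard deviation on constructed "normal" windows, scores new windows by their summed squared z-scores, and sets the alert threshold from the spread of the baseline's own scores. The feature names, counts and threshold rule are all assumptions chosen for the example.

```python
"""Added illustration of statistical baselining of system behaviour.

This is NOT the MEDUSA implementation from the paper; it is a simplified
stand-in for the concept of modelling a system's normal status and flagging
significant changes. All feature names and observations are constructed.
"""
from statistics import mean, pstdev

# Hypothetical per-window activity counts (assumption, not from the paper).
FEATURES = ("proc_created", "file_writes", "net_connections", "registry_writes")

# Constructed baseline: one tuple per observation window of a system running
# only normal processes.
NORMAL_WINDOWS = [
    (3, 40, 5, 12), (4, 38, 6, 11), (2, 45, 4, 13), (3, 42, 5, 10),
    (5, 37, 7, 12), (3, 41, 5, 11), (4, 39, 6, 12), (2, 44, 4, 13),
]


def build_baseline(windows):
    """Per-feature (mean, std) of normal behaviour.

    A zero standard deviation is replaced by a tiny value so that a feature
    which never varied in training does not divide by zero later; in practice
    such a feature would instead be dropped or given a minimum variance.
    """
    columns = list(zip(*windows))
    return {
        name: (mean(col), pstdev(col) or 1e-9)
        for name, col in zip(FEATURES, columns)
    }


def deviation_score(baseline, window):
    """Sum of squared z-scores: distance of one window from normal status."""
    return sum(
        ((value - baseline[name][0]) / baseline[name][1]) ** 2
        for name, value in zip(FEATURES, window)
    )


def threshold_from_baseline(baseline, windows, k=3.0):
    """Alert threshold = mean + k * std of the baseline windows' own scores.

    Deriving the threshold from the training data keeps it tied to how noisy
    "normal" actually is, rather than to a hand-picked constant.
    """
    scores = [deviation_score(baseline, w) for w in windows]
    return mean(scores) + k * pstdev(scores)


def is_anomalous(baseline, threshold, window):
    """True when a window deviates significantly from the learned baseline."""
    return deviation_score(baseline, window) > threshold


def scan(baseline, threshold, windows):
    """Return the indices of windows that should be raised for investigation."""
    return [i for i, w in enumerate(windows) if is_anomalous(baseline, threshold, w)]


if __name__ == "__main__":
    base = build_baseline(NORMAL_WINDOWS)
    thr = threshold_from_baseline(base, NORMAL_WINDOWS)
    # Constructed test windows: one ordinary, one with a burst of activity.
    observed = [(3, 41, 5, 12), (40, 400, 80, 150)]
    for i, w in enumerate(observed):
        print(i, w, round(deviation_score(base, w), 2), is_anomalous(base, thr, w))
    print("flagged windows:", scan(base, thr, observed))
```

The detector never needs a signature for the second window; it is flagged only because its activity is far outside what the baseline has seen. The same property is what makes the approach fragile when "normal" itself drifts (new software, changed workload), so a deployed system would need periodic re-baselining and a check that the baseline was captured while no malware was present.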
