AccessMiner: Using system-centric models for malware protection

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2010, Pages 399-412

  Lanzi, Andrea ^a   Balzarotti, Davide ^a   Kruegel, Christopher ^b   Christodorescu, Mihai ^c   Kirda, Engin ^a  

^a EURECOM   (France)

^b UNIVERSITY OF CALIFORNIA   (United States)

^c IBM T J WATSON RESEARCH CENTER   (United States)

Author keywords

Anomaly based detector; Malware; System Call

Indexed keywords

ANALYSIS APPROACH; ANOMALY-BASED DETECTOR; BENIGN PROCESS; COMPUTING INFRASTRUCTURES; DETECTION MODELS; FALSE POSITIVE; FALSE POSITIVE RATES; INTRUSION DETECTION SYSTEMS; MALICIOUS CODES; MALWARES; OPERATING SYSTEMS; REAL-WORLD APPLICATION; RUNTIMES; SECURITY THREATS; SYSTEM CALLS; SYSTEM-CALL SEQUENCE;

ACCESS CONTROL; COMPUTER CRIME; COMPUTER OPERATING SYSTEMS; DETECTORS; INTRUSION DETECTION; SECURITY SYSTEMS;

MATHEMATICAL MODELS;

EID: 78650024495     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1866307.1866353     Document Type: Conference Paper

References (30)

1. Anubis. http://anubis.seclab.tuwien.ac.at. 2008.
2. M. Bailey, J. Oberheide, J. Andersen, Z. M. Mao, F. Jahanian, and J. Nazario. Automated classification and analysis of internet malware. In C. Kruegel, R. Lippmann, and A. Clark, editors, Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection (RAID'07), volume 4637 of Lecture Notes in Computer Science, pages 178-197, Gold Goast, Australia, Sept. 2007. Springer-Verlag.
3. U. Bayer, P. M. Comparetti, C. Hlauschek, C. Kruegel, and E. Kirda. Scalable, behavior-based malware clustering. In Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS'09), San Diego, CA, USA, Feb. 2009.
4. D. Bruschi, L. Martignoni, and M. Monga. Detecting self-mutating malware using control-flow graph matching. In R. Büschkes and P. Laskov, editors, Proceedings of the 3rd Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA'06), volume 4064 of Lecture Notes in Computer Science, pages 129-143. Springer-Verlag, 2006.
5. M. Christodorescu, S. Jha, S. A. Seshia, D. Song, and R. E. Bryant. Semantics-aware malware detection. In Proceedings of the 2005 IEEE Symposium on Security and Privacy (S&P'05), pages 32-46, Oakland, CA, USA, May 8-11, 2005. IEEE Computer Society.
6. M. Christodorescu, C. Kruegel, and S. Jha. Mining specifications of malicious behavior. In Proceedings of the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE'07), pages 5-14, New York, NY, USA, 2007. ACM Press.
7. M. Debbabi, M. Girard, L. Poulin, M. Salois, and N. Tawbi. Dynamic monitoring of malicious activity in software systems. In Proceedings of the Symposium on Requirements Engineering for Information Security(SREIS'01), pages 1-10, Indianapolis, IN, USA, Mar. 2001.
8. W. Enck, P. D. McDaniel, and T. Jaeger. Pinup: Pinning user files to known applications. In Proceedings of the 24th Annual Computer Security Applications Conference (ACSAC'08), pages 55-64, Anaheim, CA, USA, Dec. 2008. IEEE Computer Society.
9. S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff. A sense of self for unix processes. In Proceedings of the 1996 IEEE Symposium on Security and Privacy (S&P'96), pages 120-128. IEEE Computer Society Press, 1996.
10. G. Hoglund and J. Butler. Rootkits: Subverting the Windows kernel. Addison-Wesley Professional, 2005.
11. T. Holz, M. Engelberth, and F. Freiling. Learning more about the Underground Economy: A Case-Study of Keyloggers and Dropzones. In European Symposium on Research in Computer Security (ESORICS), 2009.
12. J. John, A. Moshchuk, S. Gribble, and A. Krishnamurthy. Studying Spamming Botnets using Botlab. In Usenix NSDI, 2009.
13. D. Kang, D. Fuller, and V. Honavar. Learning classifiers for misuse and anomaly detection using a bag of system calls representation. In 6th IEEE Systems Man and Cybernetics Information Assurance Workshop (IAW), 2005.
14. E. Kirda, C. Kruegel, G. Banks, G. Vigna, and R. Kemmerer. Behavior-based spyware detection. In Proceedings of the 15th USENIX Security Symposium (Security'06), Vancouver, BC, Canada, August 2006.
15. C. Kolbitsch, P. Milani, C. Kruegel, E. Kirda, X. Zhou, and X. Wang. Effective and efficient malware detection at the end host. In Proceedings of the 18th USENIX Security Symposium (Security'09), pages 351-366, Montréal, Canada, Aug. 2009. USENIX Association.
16. C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Automating mimicry attacks using static binary analysis. In Proceedings of the 14th USENIX Security Symposium (Security'05), Baltimore, MD, USA, August 2005.
17. C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Polymorphic Worm Detection Using Structural Information of Executables. In Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection (RAID'05), volume 3858 of LNCS, pages 207-226, Seattle, WA, September 2005. Springer-Verlag.
18. T. Lee and J. J. Mody. Behavioral classification. In Proceedings of the 15th Annual European Institute for Computer Antivirus Research Conference (EICAR'06), May 2006.
19. W.-J. Li, K. Wang, S. J. Stolfo, and B. Herzog. Fileprints: Identifying file types by n-gram analysis. In Proceedings of the 6th Annual IEEE Systems, Man, and Cybernetics (SMC) Workshop on Information Assurance, pages 64-71, West Point, NY, June 2005. United States Military Academy.
20. P. Loscocco and S. Smalley. Integrating flexible support for security policies into the linux operating system. In Proceedings of the FREENIX Track of the 2001 USENIX Annual Technical Conference, pages 29-42, Berkeley, CA, USA, 2001. USENIX Association.
21. L. Martignoni, E. Stinson, M. Fredrikson, S. Jha, and J. C. Mitchell. A layered architecture for detecting malicious behaviors. In Proceedings of the 11th international Symposium on Recent Advances in Intrusion Detection (RAID'08), pages 78-97, Berlin, Heidelberg, 2008. Springer-Verlag.
22. S. Mukkamala, A. Sung, D. Xu, and P. Chavez. Static analyzer for vicious executables (SAVE). In Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC'04), pages 326-334, Tucson, AZ, USA, Dec. 2004.
23. K. Rieck, T. Holz, C. Willems, P. Düssel1, and P. Laskov. Learning and classification of malware behavior. In D. Zamboni, editor, Proceedings of the 5th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA'08), volume 5137 of Lecture Notes in Computer Science, pages 108-125. Springer-Verlag, 2008.
24. M. Salois and R. Charpentier. Dynamic detection of malicious code in COTS software. In Proceedings of the Information Systems Technology Panel (IST) Symposium on Commercial Off-the-Shelf Products in Defence Applications "The Ruthless Pursuit of COTS", pages 16-1-16-13, Brussels, Belgium, Apr. 2000. NATO Research and Technology Organization.
25. M. G. Schultz, E. Eskin, E. Zadok, and S. J. Stolfo. Data mining methods for detection of new malicious executables. In Proceedings of the 2001 IEEE Symposium on Security and Privacy (S&P'01), pages 38-49, May 2001.
26. E. Stinson and J. C. Mitchell. Characterizing bots remote control behavior. In C. Kruegel, R. Lippmann and A. Clark, editors, Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection (RAID'07), volume 4637 of Lecture Notes in Computer Science. Springer-Verlag, 2007.
27. P. Ször. The Art of Computer Virus Research and Defense. Addison-Wesley, 2005.
28. D. Wagner and P. Soto. Mimicry attacks on host-based intrusion detection systems. In Proceedings of the 9th ACM conference on Computer and Communications Security (CCS'02), pages 255-264, New York, NY, USA, 2002. ACM.
29. J. Xu, A. H. Sung, P. Chavez, and S. Mukkamala. Polymorphic malicious executable scanner by API sequence analysis. In Proceedings of the 4th International Conference on Hybrid Intelligent Systems (HIS'04), pages 378-383, Kitakyushu, Japan, Dec. 2004. IEEE Computer Society.
30. H. Yin, D. Song, M. Egele, C. Kruegel, and E. Kirda. Panorama: capturing system-wide information flow for malware detection and analysis. In Proceedings of the 14th ACM conference on Computer and Communications Security (CCS'07), pages 116-127, New York, NY, USA, 2007. ACM.