Towards automated malware behavioral analysis and profiling for digital forensic investigation purposes

Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST

Volumn 114 LNICST, Issue , 2013, Pages 66-80

  Shosha, Ahmed F ^a   James, Joshua I ^a   Hannaway, Alan ^a   Liu, Chen Ching ^a   Gladyshev, Pavel ^a  

^a UNIVERSITY COLLEGE DUBLIN   (Ireland)

Author keywords

Dynamic malware analysis; Kernel object profiling; Malware investigation; Memory forensics; Post mortem analysis

Indexed keywords

CRIME; ELECTRONIC CRIME COUNTERMEASURES; MALWARE;

BEHAVIORAL ANALYSIS; DYNAMIC MALWARE ANALYSIS; DYNAMIC PROFILING; FORENSIC INVESTIGATION; KERNEL OBJECT PROFILING; MALWARE ANALYSIS; MEMORY FORENSICS; POST MORTEM ANALYSIS;

COMPUTER FORENSICS;

EID: 84916886217     PISSN: 18678211     EISSN: None     Source Type: Book Series    
DOI: 10.1007/978-3-642-39891-9_5     Document Type: Conference Paper

References (39)

1. Yin, H., et al.: Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis. In: Proceedings of the 14th ACM Conference on Computer and Communications Security (2007)
2. Yin, H., Liang, Z., Song, D.: HookFinder: Identifying and Understanding Malware Hooking Behaviors. In: Proceedings of Distributed System Security Symposium (2008)
3. Kolbitsch, C., et al.: Effective and Efficient Malware Detection at the End Host. In: Proceedings of the 18th Conference on USENIX Security Symposium (2009)
4. Vasudevan, A., Yerraballi, R.: Cobra: Fine-grained Malware Analysis using Stealth Localized-Executions. In: Proceedings of IEEE Symposium on Security and Privacy (2006)
5. Dinaburg, A., et al.: Ether: Malware Analysis Via Hardware Virtualization Extensions. In: Proceedings of the 15th ACM Conference on Computer and Communications Security (2008)
6. Lanzi, A., Sharif, M., Lee, W.: K-Tracer: A System for Extracting Kernel Malware Behavior. In: Proceedings of the 16th Annual Network and Distributed System Security Symposium (2009)
7. Bayer, U., et al.: Dynamic Analysis of Malicious Code. Journal in Computer Virology 2(1), 67–77 (2006)
8. Christodorescu, M., Jha, S.: Static Analysis of Executables to Detect Malicious Patterns. In: Proceedings of the 12th USENIX Security Symposium (2003)
9. Moser, A., Kruegel, C., Kirda, E.: Limits of Static Analysis for Malware Detection. In: Proceedings of Computer Security Applications Conference (2007)
10. Egele, M., et al.: A Survey on Automated Dynamic Malware Analysis Techniques and Tools. ACM Comput. Surv. 44(2), 1–42 (2012)
11. Farmer, D., Venema, W.: Forensic Discovery. Addison-Wesley (2005)
12. Nance, K., Bishop, M., Hay, B.: Virtual Machine Introspection: Observation or Interference? In: IEEE Security and Privacy (2008)
13. Sharif, M., et al.: Impeding Malware Analysis Using Conditional Code Obfuscation. In: Proceedings of the Network and Distributed System Security Symposium (2008)
14. You, I., Yim, K.: Malware Obfuscation Techniques: A Brief Survey. In: Proceedings of the Int. Conf. on Broadband, Wireless Company (2010)
15. Balzarotti, D., et al.: Efficient Detection of Split Personalities in Malware. In: Symposium on Network and Distributed System Security (NDSS) (2010)
16. Moser, A., Kruegel, C., Kirda, E.: Exploring Multiple Execution Paths for Malware Analysis. In: IEEE Symposium on Security and Privacy (2007)
17. Shosha, A.F., James, J.I., Gladyshev, P.: A Novel Methodology for Malware Intrusion Attack Path Reconstruction. In: Gladyshev, P., Rogers, M.K. (eds.) ICDF2C 2011. LNICST, vol. 88, pp. 131–140. Springer, Heidelberg (2012)
18. Gladyshev, P., Patel, A.: Finite State Machine Approach to Digital Event Reconstruction. In: Digital Investigation (2004)
19. Forrest, S., Hofmeyr, S., Somayaji, A.: The Evolution of System-Call Monitoring. In: Proceedings of the Annual Computer Security Applications Conference (2008)
20. Mutz, D., et al.: Anomalous System Call Detection. ACM Trans. Information System Security (2006)
21. Riley, R., Jiang, X., Xu, D.: Multi-Aspect Profiling of Kernel Rootkit Behavior. In: Proceedings of the 4th ACM European Conference on Computer Systems (2009)
22. Rhee, J., Lin, Z., Xu, D.: Characterizing Kernel Malware Behavior With Kernel Data Access Patterns. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (2011)
23. Malin, C., Casey, E., Aquilina, J.: Malware Forensics: Investigating and Analyzing Malicious Code. Syngress (2008)
24. Newsome, J., Song, D.: Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In: Proceedings of Network and Distributed System Security Symposium (NDSS) (2005)
25. Schwartz, E., Avgerinos, T., Brumley, D.: All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution. In: IEEE Symposium on Security and Privacy (Oakland 2010) (2010)
26. Volatility.: An Advanced Memory Forensics Framework (2012), https://www.volatilesystems.com/default/volatility
27. Dolan-Gavitt, B.: The VAD Tree: A Process-Eye View of Physical Memory. In: Digital Investigation (2007)
28. Schuster, A.: Searching for Processes and Threads in Microsoft Windows Memory Dumps. In: Proceedings of the 6th Annual Digital Forensic Research Workshop (2006)
29. Marrington, A., et al.: A Model for Computer Profiling. In: The Third International Workshop on Digital Forensics (2010)
30. Hoglund, G.: Rootkits: Subverting the Windows Kernel. Addison-Wesley (2005)
31. Wang, Z., et al.: Countering Kernel Rootkits With Lightweight Hook Protection. In: Proceedings of the 16th ACM Conference on Computer and Communications Security (2009)
32. Russinovich, M.: Windows Internals. Microsoft Press (2009)
33. Dolan-Gavitt, B., et al.: Robust Signatures for Kernel Data Structures. In: Proceedings of the 16th ACM Conference on Computer and Communications Security (2009)
34. Clarke, E., Grumberg, O., Peled, D.: Model Checking. MIT Press (2000)
35. Bellard, F.: QEMU, A Fast and Portable Dynamic Translator. In: Proceedings of the Annual Conference on USENIX Annual Technical Conference (2005)
36. Van Baar, R.B., Alink, W., Van Ballegooij, A.R.: Forensic Memory Analysis: Files Mapped in Memory. Digital Investigation (2008)
37. Binsalleeh, H., et al.: On the Analysis of the Zeus Botnet Crimeware Toolkit. In: Proceedings of the Eighth Annual International Conference on Privacy Security and Trust (2010)
38. Shosha, F.A., James, J., Chen-Ching, L., Gladyshev, P.: Evasion-Resistant Malware Signature Based on Profiling Kernel Data Structure Objects. In: Proceedings of the 7th Intl. Conference on Risks and Security of Internet Systems (CRiSIS) (2012)
39. Shosha, A.F., James, J.I., Liu, C.-C., Gladyshev, P.: Towards Automated Forensic Event Reconstruction of Malicious Code (Poster abstract). In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds.) RAID 2012. LNCS, vol. 7462, pp. 388–389. Springer, Heidelberg (2012)