A Survey of Visualization Systems for Malware Analysis

Eurographics Conference on Visualization - State of the Art Reports, EuroVis-STAR 2015

Volumn , Issue , 2015, Pages 105-125

  Wagner, M ^a,b   Fischer, F ^c   Luh, R ^a   Haberson, A ^a   Rind, A ^a,b   Keim, D A ^c   Aigner, W ^a,b  

^a St Poelten University of Applied Sciences   (Austria)

^b VIENNA UNIVERSITY OF TECHNOLOGY   (Austria)

^c UNIVERSITY OF KONSTANZ   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

DATA VISUALIZATION; SURVEYS; VISUALIZATION;

ANALYSIS PROCESS; AUTOMATIC APPROACHES; AUTOMATIC TECHNIQUE; MALWARE ANALYSIS; SOFTWARE MONITORING; SOFTWARE VISUALIZATION; VISUAL ANALYTICS; VISUAL ANALYTICS SYSTEMS; VISUALIZATION SYSTEM; VULNERABLE SYSTEMS;

MALWARE;

EID: 85123294947     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.2312/eurovisstar.20151114     Document Type: Conference Paper

References (81)

1. ALVAREZ V. M.:. YARA - the pattern matching swiss knife for malware researchers [online]. 2015. URL: http://plusvic.github.io/yara/ [cited 2015-04-07]. 5
2. AIGNER W., MIKSCH S., SCHUMANN H., TOMINSKI C.: Visualization of time-oriented data. Human-computer interaction series. Springer, 2011. 10, 12, 13
3. ANDREWS D. F.: Plots of high-dimensional data. Biometrics 28, 1 (1972), 125-136. doi:10.2307/2528964. 11
4. ANDERSON B., STORLIE C., LANE T.: Improving malware classification: Bridging the static/dynamic gap. In Proc. 5th ACM Workshop on Security and Artificial Intelligence, AISec (2012), ACM, pp. 3-14. doi:10.1145/2381896. 2381900. 6, 7, 10, 11, 12, 13, 14, 15, 16
5. AUTOIT CONSULTING LTD.:. Autoit [online]. 2014. URL: https://www.autoitscript.com/site/autoit/ [cited 2014-12-29]. 5
6. BATRA R.:. API Monitor [online]. 2014. URL: http://www.rohitab.com/apimonitor [cited 2014-12-29]. 5
7. BHUYAN M. H., BHATTACHARYYA D., KALITA J.: Surveying port scans and their detection methodologies. The Computer Journal 54, 10 (Oct. 2011), 1565-1581. doi:10. 1093/comjnl/bxr035. 3
8. BELLARD F.: QEMU, a fast and portable dynamic translator. In Proc. USENIX Annual Technical Conf., ATEC (2005), USENIX Association, Berkeley, CA, USA, pp. 41-46. 3, 5
9. BOU-HARB E., DEBBABI M., ASSI C.: Cyber scanning: A comprehensive survey. IEEE Communications Surveys Tutorials 16, 3 (2014), 1496-1519. doi:10.1109/SURV. 2013.102913.00020. 3
10. BAZRAFSHAN Z., HASHEMI H., FARD S., HAMZEH A.: A survey on heuristic malware detection techniques. In 5th Conf. Information and Knowledge Technology, IKT (2013), pp. 113-120. doi:10.1109/IKT.2013.6620049. 2, 17
11. BAYER U., KRUEGEL C., KIRDA E.: TTAnalyze: A tool for analyzing malware. In Proc. 15th Annual Conf. European Institute for Computer Antivirus Research, EICAR (2006). 5
12. BREHMER M., MUNZNER T.: A multi-level typology of abstract visualization tasks. IEEE Transactions on Visualization and Computer Graphics 19, 12 (2013), 2376-2385. doi:10. 1109/TVCG.2013.124. 15
13. BAYER U., MOSER A., KRUEGEL C., KIRDA E.: Dynamic analysis of malicious code. Journal in Computer Virology 2, 1 (2006), 67-77. 5
14. CONTI G., DEAN E., SINDA M., SANGSTER B.: Visual reverse engineering of binary and data files. In Visualization for Computer Security, Proc. VizSec (2008), Goodall J. R., Conti G., Ma K.-L., (Eds.), LNCS 5210, Springer, pp. 1-17. doi:10.1007/978-3-540-85933-8_1. 7, 8, 11, 12, 13, 14, 15, 16
15. CHERNOFF H.: The use of faces to represent points in k-dimensional space graphically. Journal of the American Statistical Association 68, 342 (1973), 361-368. doi:10.1080/01621459.1973.10482434. 11
16. CONTI G.: Security data visualization: graphical techniques for network analysis. No Starch Press, 2007. 2
17. DIEHL S.: Software Visualization: Visualizing the Structure, Behaviour, and Evolution of Software. Springer, Berlin, 2007. 2
18. DORNHACKL H., KADLETZ K., LUH R., TAVOLATO P.: Malicious behavior patterns. In Proc. IEEE 8th Int. Symp. Service Oriented System Engineering (2014), pp. 384-389. doi: 10.1109/SOSE.2014.52. 1, 5, 17
19. DONAHUE J., PATURI A., MUKKAMALA S.: Visualization techniques for efficient malware detection. In Proc. 2013 IEEE Int. Conf. Intelligence and Security Informatics, ISI (2013), pp. 289-291. doi:10.1109/ISI.2013.6578845. 7, 8, 11, 12, 13, 14, 15, 16
20. DUARTE F., SIKANSI F., FATORE F., FADEL S., PAULOVICH F.: Nmap: A novel neighborhood preservation space-filling algorithm. IEEE Transactions on Visualization and Computer Graphics 20, 12 (2014), 2063-2071. doi:10. 1109/TVCG.2014.2346276. 11
21. EGELE M., SCHOLTE T., KIRDA E., KRUEGEL C.: A survey on automated dynamic malware-analysis techniques and tools. ACM Computing Surveys 44, 2 (2012), 6:1-6:42. doi: 10.1145/2089125.2089126. 2, 3
22. FELT A. P., FINIFTER M., CHIN E., HANNA S., WAGNER D.: A survey of mobile malware in the wild. In Proc. 1st ACM Workshop on Security and Privacy in Smart-phones and Mobile Devices, SPSM (2011), ACM, pp. 3-14. doi:10.1145/2046614.2046618. 3
23. FIREEYE INC.: FireEye MAS 6.4.0 Operator's Guide, 2013. 5
24. FIREEYE INC.:. FireEye malware analysis [online]. 2014. URL: https://www.fireeye.com/products/malware-analysis.html [cited 2014-12-29]. 5
25. GRÉGIO A. R. A., BARUQUE A. O. C., AFONSO V. M., FILHO D. S. F., GEUS P. L. D., JINO M., SANTOS R. D. C. D.: Interactive, visual-aided tools to analyze malware behavior. In Computational Science and Its Applications, ICCSA, LNCS 7336. Springer, 2012, pp. 302-313. doi:10.1007/978-3-642-31128-4_22. 7, 8, 11, 12, 13, 14, 15, 16
26. GUARNIERI C., ET AL.: Cuckoo Sandbox Book, Release 1.2-dev ed., 2014. 5
27. GOLDBERG R. P.: Survey of virtual machine research. Computer 7, 6 (1974), 34-45. 3
28. GRÉGIO A. R. A., SANTOS R. D. C.: Visualization techniques for malware behavior analysis. In Proc. Sensors, and Command, Control, Communications, and Intelligence (C3I) Technologies for Homeland Security and Homeland Defense X (2011), vol. 8019, SPIE, pp. 801905:1-801905:9. doi:10. 1117/12.883441. 7, 8, 11, 12, 13, 14, 15, 16
29. GOVE R., SAXE J., GOLD S., LONG A., BERGAMO G.: SEEM: A scalable visualization for comparing multiple large sets of attributes for malware analysis. In Proc. 11th Workshop on Visualization for Cyber Security, VizSec (2014), ACM. doi: 10.1145/2671491.2671496. 7, 8, 9, 11, 12, 13, 14, 15, 16
30. HAN K., KANG B., IM E. G.: Malware analysis using visualized image matrices. The Scientific World Journal 2014 (2014), 15. doi:10.1155/2014/132713. 6, 7, 10, 11, 12, 13, 14, 15, 16
31. HAN K., LIM J. H., IM E. G.: Malware analysis method using visualization of binary files. In Proc. Research in Adaptive and Convergent Systems, RACS (2013), pp. 317-321. doi:10. 1145/2513228.2513294. 6, 7, 10, 11, 12, 13, 14, 15, 16
32. HAN K. S., LIM J. H., KANG B., IM E. G.: Malware analysis using visualized images and entropy graphs. Int. Journal of Information Security (2014), 1-14. doi:10.1007/s10207-014-0242-0. 6, 7, 9, 11, 12, 13, 14, 15, 16
33. IDIKA N., MATHUR A. P.: A survey of malware detection techniques. Technical Report, Purdue University, 2007. 3
34. IVANOV I.: API hooking revealed. The Code Project (2002). 5
35. JOE SECURITY LLC:. JoeSandbox [online]. 2014. URL: http://www.joesecurity.org [cited 2014-12-29]. 5
36. KEIM D.: Information visualization and visual data mining. IEEE Transactions on Visualization and Computer Graphics 8, 1 (2002), 1-8. doi:10.1109/2945.981847. 10, 11, 12
37. KEIM D., KOHLHAMMER J., ELLIS G., MANSMANN F. (Eds.): Mastering the information age: solving problems with visual analytics. Eurographics Association, 2010. 1, 17
38. KENDALL K., MCMILLAN C.: Practical malware analysis. Mandiant, 2007. 3
39. KANCHERLA K., MUKKAMALA S.: Image visualization based malware detection. In Proc. 2013 IEEE Symp. Computational Intelligence in Cyber Security, CICS (2013), pp. 40-44. doi:10.1109/CICYBS.2013.6597204. 7, 9, 11, 12, 13, 14, 15, 16
40. KEIM D. A., MANSMANN F., SCHNEIDEWIND J., THOMAS J., ZIEGLER H.: Visual Analytics: Scope and challenges. In Visual Data Mining, Simoff S. J., Böhlen M. H., Mazeika A., (Eds.), LNCS 4404. Springer, Berlin, 2008, pp. 76-90. doi:10.1007/978-3-540-71080-6_6. 14
41. LINUX FOUNDATION:. Xen project [online]. 2014. URL: http://www.xenproject.org [cited 2014-12-29]. 3
42. LANZENBERGER M., MIKSCH S., POHL M.: Exploring highly structured data: a comparative study of stardinates and parallel coordinates. In Proc. Int. Conf. Information Visualisation (2005), pp. 312-320. doi:10.1109/IV.2005.49. 11
43. LONG A., SAXE J., GOVE R.: Detecting malware samples with similar image sets. In Proc. 11th Workshop on Visualization for Cyber Security, VizSec (2014), ACM. doi: 10.1145/2671491.2671500. 7, 8, 11, 12, 13, 14, 15, 16
44. LEE D., SONG I. S., KIM K., JEONG J.-H.: A study on malicious codes pattern analysis using visualization. In Proc. Int. Conf. Information Science and Applications, ICISA (2011), pp. 1-5. doi:10.1109/ICISA.2011.5772330. 1, 17
45. LEBLANC J., WARD M., WITTELS N.: Exploring n-dimensional databases. In Proc. 1st IEEE Conf. Visualization, Vis (1990), pp. 230-237. doi:10.1109/VISUAL.1990. 146386. 11
46. MIKSCH S., AIGNER W.: A matter of time: Applying a data-users-tasks design triangle to visual analytics of time-oriented data. Computers & Graphics 38 (2014), 286-290. doi:10.1016/j.cag.2013.11.002. 17
47. MICROSOFT CORPORATION: Microsoft Portable Executable and Common Object File Format Specification. Microsoft Corporation, 1999. 4
48. MÜHLBACHER T., PIRINGER H., GRATZL S., SEDLMAIR M., STREIT M.: Opening the black box: Strategies for increased user involvement in existing algorithm implementations. IEEE Transactions on Visualization and Computer Graphics 20, 12 (2014), 1643-1652. doi:10.1109/TVCG.2014. 2346578. 17
49. MUNZNER T.: Visualization Analysis and Design. A K Peters Ltd, Boca Raton, 2014. 10, 15, 16, 17
50. NATARAJ L., KARTHIKEYAN S., JACOB G., MANJUNATH B. S.: Malware images: Visualization and automatic classification. In Proc. 8th Int. Symp. Visualization for Cyber Security, VizSec (2011), ACM, pp. 4:1-4:7. doi:10.1145/2016904.2016908. 7, 9, 11, 12, 13, 14, 15, 16
51. NATARAJ L., YEGNESWARAN V., PORRAS P., ZHANG J.: A comparative assessment of malware classification using binary texture analysis and dynamic analysis. In Proc. 4th ACM Workshop on Security and Artificial Intelligence, AISec (2011), pp. 21-30. doi:10.1145/2046684.2046689. 9
52. ORACLE CORPORATION:. Oracle VirtualBox [online]. 2014. URL: https://www.virtualbox.org [cited 2014-12-29]. 3
53. PANAS T.: Signature visualization of software binaries. In Proc. 4th ACM Symp. Software Visualization, SoftVis (2008), pp. 185-188. doi:10.1145/1409720.1409749. 6, 7, 9, 11, 12, 13, 14, 15, 16
54. PANDALAB: Quarterly Report. Tech. rep., 2014. 1
55. PATURI A., CHERUKURI M., DONAHUE J., MUKKAMALA S.: Mobile malware visual analytics and similarities of attack toolkits (malware gene analysis). In Proc. Int. Conf. Collaboration Technologies and Systems, CTS (2013), pp. 149-154. doi:10.1109/CTS.2013.6567221. 7, 10, 11, 12, 13, 14, 15, 16
56. PICKETT R., GRINSTEIN G.: Iconographic displays for visualizing multidimensional data. In Proc. 1988 IEEE Int. Conf. Systems, Man, and Cybernetics (1998), vol. 1, pp. 514-519. doi:10.1109/ICSMC.1988.754351. 11
57. QUIST D., LIEBROCK L.: Visualizing compiled executables for malware analysis. In Proc. 6th Int. Workshop on Visualization for Cyber Security, VizSec (2009), pp. 27-32. doi: 10.1109/VIZSEC.2009.5375539. 6, 7, 8, 11, 12, 13, 14, 15, 16
58. QUIST D. A., LIEBROCK L. M.: Reversing compiled executables for malware analysis via visualization. Information Visualization 10, 2 (2011), 117-126. doi:10.1057/ivs. 2010.11. 6, 7, 8, 11, 12, 13, 14, 15, 16
59. RUSSINOVICH M., COGSWELL B.:. Process monitor v3.1 [online]. 2014. URL: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx [cited 2014-12-29]. 5
60. [online]. 2015. URL: https://www.zotero.org/support/dev/web_api/v3/basics [cited 2015-04-07]. 6
61. RUSSINOVICH M., SOLOMON D., IONESCU A.: Windows Internals, Part 1: Covering Windows Server 2008 R2 and Windows 7, 6th ed. Microsoft Press, 2012. 4, 5
62. SIKORSKI M., HONIG A.: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software, 1 ed. No Starch Press, 2012. 1
63. SHNEIDERMAN B.: The eyes have it: a task by data type taxonomy for information visualizations. In Proc. IEEE Symp. Visual Languages (1996), pp. 336-343. doi:10.1109/VL. 1996.545307. 14, 17
64. SHAID S., MAAROF M.: Malware behavior image for malware variant identification. In Proc. 2014 Int. Symp. on Biometrics and Security Technologies, ISBAST (2014), pp. 238-243. doi:10.1109/ISBAST.2014.7013128. 6, 7, 9, 11, 12, 13, 14, 15, 16
65. SHAID, S.Z.M., MAAROF, M.A.: Malware behaviour visualization. Jurnal Teknologi 70, 5 (2014), 25-33. doi:10. 11113/jt.v70.3512. 6, 7, 9, 11, 12, 13, 14, 15, 16
66. SAXE J., MENTIS D., GREAMO C.: Visualization of shared system call sequence relationships in large malware corpora. In Proc. 9th Int. Symp. Visualization for Cyber Security, VizSec (2012), ACM, pp. 33-40. doi:10.1145/2379690. 2379695. 7, 8, 11, 12, 13, 14, 15, 16, 17
67. SEDLMAIR M., MEYER M., MUNZNER T.: Design study methodology: Reflections from the trenches and the stacks. IEEE Transactions on Visualization and Computer Graphics 18, 12 (2012), 2431-2440. doi:10.1109/TVCG.2012.213. 17
68. SHIRAVI H., SHIRAVI A., GHORBANI A.: A survey of visualization systems for network security. IEEE Transactions on Visualization and Computer Graphics 18, 8 (2012), 1313-1329. doi:10.1109/TVCG.2011.144. 2
69. SACHA D., STOFFEL A., STOFFEL F., KWON B. C., ELLIS G., KEIM D.: Knowledge generation model for visual analytics. IEEE Transactions on Visualization and Computer Graphics 20, 12 (2014), 1604-1613. doi:10.1109/TVCG. 2014.2346481. 17
70. SIDDIQUI M., WANG M. C., LEE J.: A survey of data mining techniques for malware detection using file features. In Proc. 46th Ann. Southeast Regional Conference on XX (2008), ACM-SE 46, pp. 509-510. doi:10.1145/1593105.1593239. 2
71. THOMAS J. J., COOK K. A. (Eds.): Illuminating the Path: The Research and Development Agenda for Visual Analytics. IEEE, 2005. 1, 2, 14, 17
72. TRINIUS P., HOLZ T., GOBEL J., FREILING F.: Visual analysis of malware behavior using treemaps and thread graphs. In Proc. 6th Int. Workshop on Visualization for Cyber Security, VizSec (2009), pp. 33-38. doi:10.1109/VIZSEC. 2009.5375540. 7, 8, 11, 12, 13, 14, 15, 16
73. VMWARE INC.:. Vmware workstation [online]. 2014. URL: http://www.vmware.com/products/workstation/features.html [cited 2014-12-29]. 3
74. WAGNER M., AIGNER W., RIND A., DORNHACKL H., KADLETZ K., LUH R., TAVOLATO P.: Problem characterization and abstraction for visual analytics in behavior-based malware pattern analysis. In Proc. 11th Workshop on Visualization for Cyber Security, VizSec (2014), ACM, pp. 9-16. doi:10.1145/2671491.2671498. 1, 17
75. WEGNER P.: Why interaction is more powerful than algorithms. Communications of the ACM 40, 5 (1997), 80-91. doi:10.1145/253769.253801. 2
76. WILLEMS C., HOLZ T., FREILING F.: Toward automated dynamic malware analysis using CWSandbox. IEEE Security and Privacy 5, 2 (2007), 32-39. doi:10.1109/MSP. 2007.45. 5
77. WÜCHNER T., PRETSCHNER A., OCHOA M.: Davast: Data-centric system level activity visualization. In Proc. 11th Workshop on Visualization for Cyber Security, VizSec (2014), ACM, pp. 25-32. doi:10.1145/2671491.2671499. 7, 8, 11, 12, 13, 14, 15, 16
78. WU Y., YAP R. H. C.: Experiments with malware visualization. In Proc. 9th Int. Conf. Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA (2013), Flegel U., Markatos E., Robertson W., (Eds.), LNCS 7591, Springer, pp. 123-133. doi:10.1007/978-3-642-37300-8_7. 7, 9, 11, 12, 13, 14, 15, 16
79. YEE C. L., CHUAN L. L., ISMAIL M., ZAINAL N.: A static and dynamic visual debugger for malware analysis. In Proc. 18th Asia-Pacific Conf. Communications, APCC (2012), pp. 765-769. doi:10.1109/APCC.2012.6388211. 7, 8, 11, 12, 13, 14, 15, 16
80. YOO I.: Visualizing windows executable viruses using self-organizing maps. In Proc. ACM Workshop on Visualization and Data Mining for Computer Security, VizSec (New York, NY, USA, 2004), ACM, pp. 82-89. doi:10.1145/1029208. 1029222. 7, 10, 11, 12, 13, 14, 15, 16
81. ZHUO W., NADJIN Y.: MalwareVis: Entity-based visualization of malware network traces. In Proc. 9th Int. Symp. Visualization for Cyber Security, VizSec (2012), ACM, pp. 41-47. doi:10.1145/2379690.2379696. 7, 8, 11, 12, 13, 14, 15, 16