Detection of Malicious PDF Files Based on Hierarchical Document Structure

20th Annual Network and Distributed System Security Symposium, NDSS 2013

Volumn , Issue , 2013, Pages

  Šrndić, Nedim ^a   Laskov, Pavel ^a  

^a UNIVERSITY OF TÜBINGEN   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

ANTI VIRUS; CLIENT SOFTWARE; COMPUTER USERS; DOCUMENT STRUCTURE; END USER SYSTEM; HIERARCHICAL DOCUMENT; PDF FILES; PDF FORMAT; SECURITY INCIDENT; SECURITY PATCHES;

USER PROFILE;

EID: 85180414841     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (38)

1. P. Akritidis, E. Markatos, M. Polychronakis, and K. Anagnostakis. STRIDE: Polymorphic sled detection through instruction sequence analysis. In 20th International Conference on Information Security, pages 375-392, 2005.
2. M. Barreno, B. Nelson, A. Joseph, and J. Tygar. The security of machine learning. Machine Learning, 81(2):121-148, 2010.
3. M. Barreno, B. Nelson, R. Sears, A. Joseph, and J. Tygar. Can machine learning be secure? In ACM Symposium on Information, Computer and Communication Security, pages 16-25, 2006.
4. C. M. Bishop. Pattern Recognition and Machine Learning. Springer, 2007.
5. L. Breiman, J. Friedman, J. Olshen, and C. Stone. Classification and Regression Trees. Wadsworth, 1984.
6. D. Canali, M. Cova, G. Vigna, and C. Kruegel. Prophiler: a fast filter for the large-scale detection of malicious web pages. In International Conference on World Wide Web (WWW), pages 197-206, 2011.
7. W. Cohen. Fast effective rule induction. In International Conference on Machine Learning (ICML), pages 115-123, 1995.
8. C. Cortes and V. Vapnik. Support vector networks. Machine Learning, 20:273-297, 1995.
9. M. Cova, C. Kruegel, and G. Vigna. Detection and analysis of drive-by-download attacks and malicious JavaScript code. In International Conference on World Wide Web (WWW), pages 281-290, 2010.
10. C. Curtsinger, B. Livshits, B. Zorn, and C. Seifert. ZOZ-ZLE: Fast and precise in-browser JavaScript malware detection. In USENIX Security Symposium, pages 33-48, 2011.
11. M. Engelberth, C. Willems, and H. T. MalOffice - analysis of various application data files. In Virus Bulletin International Conference, 2009.
12. G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee. BotHunter: Detecting malware infection through IDS-driven dialog correlation. In USENIX Security Symposium, pages 167-182, 2007.
13. Google warns of using adobe reader - particularly on linux. http://www.h-online.com/open/news/item/Googlewarns-of-using-Adobe-Reader-particularly-on-Linux-1668153.html.
14. T. Hastie, R. Tibshirani, and J. Friedman. The Elements of Statistical Learning: data mining, inference and prediction. Springer series in statistics. Springer, New York, N.Y., 2009. 2nd edition.
15. Vorsicht bei angeblicher telekom-onlinerechnung. http://heise.de/-1545909.
16. S. Jana and V. Shmatikov. Abusing file processing in malware detectors for fun and profit. In IEEE Symposium on Security and Privacy, pages 80-94, 2012.
17. S. Kaplan, B. Livshits, B. Zorn, C. Siefert, and C. Cursinger. “nofus: Automatically detecting” + string.fromcharcode(32) + “obfuscated”.tolowercase() + “javascript code”. Technical report, Microsoft Research, 2011.
18. P. Laskov and M. Kloft. A framework for quantitative security analysis of machine learning. In Proceedings of the 2nd ACM Workshop on AISec, pages 1-4, Nov. 2009.
19. P. Laskov and N. Šrndić. Static detection of malicious JavaScript-bearing PDF documents. In Annual Computer Security Applications Conference (ACSAC), pages 373-382, 2011.
20. W. Lee, S. Stolfo, and K. Mok. A data mining framework for building intrusion detection models. In IEEE Symposium on Security and Privacy, pages 120-132, 1999.
21. W.-J. Li, S. Stolfo, A. Stavrou, E. Androulaki, and A. Keromytis. A study of malcode-bearing documents. In Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), pages 231-250, 2007.
22. M. Mahoney and P. Chan. Learning rules for anomaly detection of hostile network traffic. In International Conference on Data Mining (ICDM), 2003.
23. D. Maiorca, G. Giacinto, and I. Corona. A pattern recognition system for malicious pdf files detection. pages 510-524, 2012.
24. T. V. Overveldt, C. Kruegel, and G. Vigna. FlashDetect: ActionScript 3 malware detection. In Recent Adances in Intrusion Detection (RAID), pages 274-293, 2012.
25. PDF Reference. http://www.adobe.com/devnet/pdf/pdf reference.html, 2008.
26. M. Polychronakis, K. Anagnostakis, and E. Markatos. Comprehensive shellcode detection using runtime heuristics. In Annual Computer Security Applications Conference (ACSAC), pages 287-296, 2010.
27. N. Provos, P. Mavrommatis, M. Abu Rajab, and F. Monrose. All your iFRAMEs point to us. In USENIX Security Symposium, pages 1-16, 2008.
28. J. Quinlan. C4.5: Programs for Machine Learning. Morgan Kaufmann, 1992.
29. Blackhole crimeware kit drives web threat spike. http://www.theregister.co.uk/2012/01/26/sophos fakeav conficker/.
30. K. Rieck, T. Holz, K. Willems, P. Düssel, and P. Laskov. Learning and classification of malware behavior. In Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 5th International Conference, pages 108-125, July 2008.
31. K. Rieck, T. Krüger, and A. Dewald. Cujo: Efficient detection and prevention of drive-by-download attacks. In Annual Computer Security Applications Conference (ACSAC), pages 31-39, 2010.
32. Z. Shafiq, S. Khayam, and M. Farooq. Embedded malware detection using markov n-grams. In Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), pages 88-107, 2008.
33. C. Smutz and A. Stavrou. Malicious PDF detection using metadata and structural features. In Annual Computer Security Applications Conference (ACSAC), 2012. To appear.
34. K. Z. Snow, S. Krishnan, F. Monrose, and N. Provos. ShellOS: Enabling fast detection and forensic analysis of code injection attacks. In USENIX Security Symposium, 2011.
35. PDF malware writers keep targeting vulnerability. http://www.symantec.com/connect/blogs/pdf-malwarewriters-keep-targeting-vulnerability.
36. T. Toth and C. Kruegel. Accurate buffer overflow detection via abstract payload execution. In Recent Adances in Intrusion Detection (RAID), pages 274-291, 2002.
37. Z. Tzermias, G. Sykiotakis, M. Polychronakis, and E. Markatos. Combining static and dynamic analysis for the detection of malicious documents. In European Workshop on System Security (EuroSec), 2011.
38. C. Willems, T. Holz, and F. Freiling. CWSandbox: Towards automated dynamic binary analysis. IEEE Security and Privacy, 5(2):32-39, 2007.