2017 | OriginalPaper | Chapter

Malware Analysis and Detection via Activity Trees in User-Dependent Environment

Authors : Arnur Tokhtabayev, Anton Kopeikin, Nurlan Tashatov, Dina Satybaldina

Published in: Computer Network Security

Publisher: Springer International Publishing

Abstract

We present a new system that offers detection and analysis of modern complex malware, including user-oriented and targeted attacks. Such attacks exploit user misbehavior, e.g. misinterpreting or ignoring security alerts, which leads to the proliferation of malicious objects inside the trusted perimeter of cyber-security systems (e.g. the exclusion list of an AV). The attack mechanisms include strategic web compromise, spear phishing, insider threats and social-network malware. Moreover, targeted attacks often deliver zero-day malware that is deliberately made hard to detect, e.g. by distributing the malicious payload across several components.
The system provides a secure container that enables a user-dependent environment for malicious-activity analysis, achieved by simulating user interaction in real time. The user interaction simulator recognizes GUI components and clicks through them according to the click patterns of a typical user, e.g. an office employee. To provide effective malware detection, our team developed a new technology for deep dynamic inspection of system-wide behavior, based on structural analysis of so-called activity trees defined in the domain of system functionalities. We use Modified Hierarchical Colored Petri Nets for run-time recognition of system functionalities, including obfuscated and distributed ones. We evaluated our system on a corpus of real malware families. Results show high efficiency of the system in detecting and blocking malware while incurring low system overhead.
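As an added illustration of the run-time recognition described above (example code written for this page, not the chapter's system): a toy colored Petri net whose places are indexed by the object a functionality acts on, with two levels of transitions so that a lower-level functionality (download, persistence) becomes an event for a higher-level one (dropper), plus a process-level activity tree used to decide which processes to block. The event names, the fn:* place names, the guards, the transition table and the trace are all assumptions made for the example; in particular, modelling the activity tree as a process tree annotated with recognised functionalities is a simplification of the chapter's own definition, which the abstract only names.

```python
# Toy run-time recogniser of "system functionalities" over a syscall trace: a simplified
# colored Petri net plus a process-level activity tree. Added illustration, not the
# chapter's implementation; event names, fn:* places, guards and the trace are assumed.
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "pid name args")   # name: a syscall, or a recognised functionality
Token = namedtuple("Token", "color pids")       # color: object acted on; pids: contributing processes
Transition = namedtuple("Transition", "name event guard inputs output")  # guard(ev) -> color or None

class ColoredPetriNet:
    """Places are indexed by color, so unrelated objects never share a marking. A token reaching
    an fn:* place is a recognised functionality and is re-fed as an event for the next level up."""
    def __init__(self, transitions):
        self.transitions = transitions
        self.places = defaultdict(dict)   # place name -> {color: Token}
        self.recognised = []              # (functionality, Token) in firing order

    def feed(self, ev):
        fired = []
        for t in self.transitions:
            if t.event != ev.name or (color := t.guard(ev)) is None:
                continue
            held = [self.places[p].get(color) for p in t.inputs]
            if any(tok is None for tok in held):
                continue                   # some input place is unmarked for this color
            for p in t.inputs:             # consume the input tokens
                del self.places[p][color]
            tok = Token(color, frozenset({ev.pid}).union(*(h.pids for h in held)))
            self.places[t.output][color] = tok
            if t.output.startswith("fn:"):
                self.recognised.append((t.output, tok))
                fired.append(Event(ev.pid, t.output, {"object": color, "pids": tok.pids}))
        deeper = []
        for sub in fired:                  # hierarchy: functionality events drive higher transitions
            deeper.extend(self.feed(sub))
        return fired + deeper

def run_key_value(ev):
    """Guard: a registry write counts as persistence only if it targets an autorun key."""
    return ev.args.get("value") if ev.args.get("key", "").upper().endswith("\\RUN") else None

# Two APIs map onto one functionality, so swapping one for the other (a common obfuscation)
# changes nothing at the functionality level.
TRANSITIONS = [
    Transition("download_a", "net_recv", lambda ev: ev.args.get("dst"), (), "fn:download"),
    Transition("download_b", "url_download_to_file", lambda ev: ev.args.get("dst"), (), "fn:download"),
    Transition("persist", "reg_set_value", run_key_value, (), "fn:persistence"),
    # level 2: a downloaded file later registered for autorun is a dropper, whichever processes did it
    Transition("dropper", "fn:persistence", lambda ev: ev.args["object"],
               ("fn:download", "fn:persistence"), "fn:dropper"),
]

class ActivityTree:
    """Process tree annotated with recognised functionalities (an assumed simplification)."""
    def __init__(self):
        self.parent, self.children = {}, defaultdict(set)

    def spawn(self, parent, child):
        self.parent[child] = parent
        self.children[parent].add(child)

    def lineage(self, pid):
        chain = [pid]
        while chain[-1] in self.parent:
            chain.append(self.parent[chain[-1]])
        return chain

    def root_of(self, pids):
        """Lowest common ancestor of the processes that jointly performed a functionality, or None."""
        chains = [self.lineage(p) for p in pids]
        common = set(chains[0]).intersection(*chains[1:])
        return next((p for p in chains[0] if p in common), None)

    def subtree(self, pid):
        return {pid}.union(*(self.subtree(c) for c in self.children[pid]))

def analyse(trace):
    """Returns (recognised functionalities, verdicts); a verdict is (object, root pid, pids to block)."""
    net, tree, verdicts = ColoredPetriNet(TRANSITIONS), ActivityTree(), []
    for ev in trace:
        if ev.name == "create_process":
            tree.spawn(ev.pid, ev.args["child"])
        for fn in net.feed(ev):
            if fn.name == "fn:dropper":
                root = tree.root_of(fn.args["pids"])
                blocked = tree.subtree(root) if root is not None else set(fn.args["pids"])
                verdicts.append((fn.args["object"], root, blocked))
    return net.recognised, verdicts

# Constructed trace: pid 100 downloads a payload and spawns pid 200, which registers it for autorun
# (one functionality split across two processes); pid 300 is a benign download without persistence.
TRACE = [
    Event(100, "create_process", {"child": 200}),
    Event(100, "url_download_to_file", {"dst": r"C:\Users\u\AppData\upd.exe"}),
    Event(200, "reg_set_value", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                                 "value": r"C:\Users\u\AppData\upd.exe"}),
    Event(300, "net_recv", {"dst": r"C:\Users\u\Downloads\report.pdf"}),
    Event(300, "reg_set_value", {"key": r"HKCU\Software\Adobe\Prefs", "value": "1"}),
]
```

Because the net keys its marking on the object, the download by pid 100 and the autorun registration by pid 200 compose into a single dropper functionality although no single process performs both, and the activity tree then resolves the pair to their common root so the whole subtree can be blocked; the benign download by pid 300 never leaves the first level. Replacing `net_recv` with `url_download_to_file` (or any other API mapped to the same place) does not change what is recognised, which is the sense in which functionality-level detection resists API-level obfuscation.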

Metadata
DOI
https://doi.org/10.1007/978-3-319-65127-9_17
