Proceedings ArticleDOI
Ether: malware analysis via hardware virtualization extensions
Artem Dinaburg, Paul Royal, Monirul I. Sharif, Wenke Lee
pp. 51-62
TL;DR: Ether, a transparent and external approach to malware analysis, is proposed, motivated by the intuition that for a malware analyzer to be transparent, it must not induce any side effects that are unconditionally detectable by malware.
Abstract:
Malware has become the centerpiece of most security threats on the Internet. Malware analysis is an essential technology that extracts the runtime behavior of malware, supplies signatures to detection systems, and provides evidence for recovery and cleanup. The focal point in the malware analysis battle is how to detect versus how to hide a malware analyzer from malware during runtime. State-of-the-art analyzers reside in or emulate part of the guest operating system and its underlying hardware, making them easy to detect and evade. In this paper, we propose a transparent and external approach to malware analysis, which is motivated by the intuition that for a malware analyzer to be transparent, it must not induce any side effects that are unconditionally detectable by malware. Our analyzer, Ether, is based on a novel application of hardware virtualization extensions such as Intel VT, and resides completely outside of the target OS environment. Thus, there are no in-guest software components vulnerable to detection, and there are no shortcomings that arise from incomplete or inaccurate system emulation. Our experiments are based on our study of obfuscation techniques used to create 25,000 recent malware samples. The results show that Ether remains transparent and defeats the obfuscation tools that evade existing approaches.
Citations
Journal ArticleDOI
A survey on automated dynamic malware-analysis techniques and tools
TL;DR: An overview is provided of techniques based on dynamic analysis that are used to analyze potentially malicious samples, and of analysis programs that employ these techniques to assist human analysts in assessing whether a given sample deserves closer manual inspection due to its unknown malicious behavior.
Proceedings Article
DroidScope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic Android malware analysis
Lok Kwong Yan, Heng Yin
TL;DR: DroidScope is presented, an Android analysis platform that continues the tradition of virtualization-based malware analysis and reconstructs both the OS-level and Java-level semantics simultaneously and seamlessly.
Journal ArticleDOI
Automatic analysis of malware behavior using machine learning
TL;DR: An incremental approach for behavior-based analysis, capable of processing the behavior of thousands of malware binaries on a daily basis, is proposed; it significantly reduces the run-time overhead of current analysis methods while providing accurate discovery and discrimination of novel malware variants.
Proceedings Article
Building a dynamic reputation system for DNS
TL;DR: Notos, a dynamic reputation system for DNS, is proposed; it builds on the observation that malicious, agile use of DNS has unique characteristics and can be distinguished from legitimate, professionally provisioned DNS services.
Journal ArticleDOI
A Survey on Malware Detection Using Data Mining Techniques
TL;DR: There is an urgent need to develop intelligent methods for effective and efficient malware detection from the real and large daily sample collection; a comprehensive investigation of both the feature extraction and the classification/clustering techniques is provided.
References
Journal ArticleDOI
Xen and the art of virtualization
Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, Andrew Warfield
TL;DR: Xen, an x86 virtual machine monitor which allows multiple commodity operating systems to share conventional hardware in a safe and resource-managed fashion without sacrificing either performance or functionality, considerably outperforms competing commercial and freely available solutions.
Book
Introduction to the Theory of Computation
TL;DR: Throughout the book, Sipser builds students' knowledge of conceptual tools used in computer science, the aesthetic sense they need to create elegant systems, and the ability to think through problems on their own.
Proceedings Article
QEMU, a fast and portable dynamic translator
TL;DR: QEMU supports full system emulation in which a complete and unmodified operating system is run in a virtual machine and Linux user mode emulation where a Linux process compiled for one target CPU can be run on another CPU.
Proceedings Article
A Virtual Machine Introspection Based Architecture for Intrusion Detection.
Tal Garfinkel, Mendel Rosenblum
TL;DR: This paper presents an architecture that retains the visibility of a host-based IDS, but pulls the IDS outside of the host for greater attack resistance, achieved through the use of a virtual machine monitor.