Slide1
Malware Detection Method by Catching Their Random Behavior in Multiple Executions
2012 IEEE/IPSJ 12th International Symposium on Applications and the Internet
102062596 陳盈妤
Slide2
Outline
- Introduction of proposed method
- Previous works by catching random behavior
- Procedure of proposed method
- Results
- Conclusion
Slide3
Introduction of proposed method
Random behavior (behavior that varies from one execution to the next):
- changing file names
- random domain names
Static Software Analysis vs. Dynamic Software Analysis
Packing and code obfuscation
Slide4
Previous works by catching random behavior
- Balzarotti: difference between the emulated analysis environment and a reference host
- Kolbitsch: check whether the malware's essential information flow matches the suspect program
- Sakai: repetitive behavior in propagation
- Matsuki: execute decoy processes to find malware that kills the processes of anti-virus software and firewalls
Slide5
Flowchart of the proposed method:
- Start: take a sample and set i = number of executions
- Conduct dynamic analysis on the sample
- i = i - 1; if i > 0, run the dynamic analysis again
- Generate lists of parameters from each execution
- Compare the lists:
  - exactly match or inclusion relation: Benign
  - difference: Malicious
- End
Slide6
Procedure of proposed method
- 5697 malware samples, 819 benign samples
- Execute each sample for 60 seconds and collect the API call log
- Isolated from the real Internet
- In this experiment, each sample is executed only twice
- Antivirus software used for comparison: Symantec and McAfee
Slide7
Procedure of proposed method
Monitored APIs, grouped by the category of parameter they yield:
- Registry: RegSetValueEx, RegSetValue
- File: CreateFile, LZOpenFile, _lcreat, CopyFile, LZCopy, MoveFile
- Network: DNSQuery, HttpOpenRequest, InternetConnect
Registry keys monitored for the registry category:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\S\M\Windows\CurrentVersion\Run
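The multi-execution comparison described above, as an added example that is not part of the paper or of these slides. It applies the flowchart's rule per category (exact match or inclusion relation is benign, a difference is malicious) to constructed API-call logs. The log format (one call per line: API name, a space, one parameter), the per-category parameter extraction, the overall verdict of "malicious whenever any category differs", and the sample logs are all my assumptions; the paper does not specify them. The slide abbreviates the HKEY_CURRENT_USER Run key, so the code assumes the standard full path. It also generalizes to N executions by comparing every pair of runs, where the experiment used exactly two.

```python
"""Added example: the proposed method's list comparison over constructed logs.

Assumptions (mine, not the paper's): log format, parameter extraction,
the Run-key filter for the registry category, and the 'All' verdict rule.
"""
from collections import defaultdict

# Monitored APIs by category, as listed on the slide.
MONITORED = {
    "registry": {"RegSetValueEx", "RegSetValue"},
    "file": {"CreateFile", "LZOpenFile", "_lcreat", "CopyFile", "LZCopy", "MoveFile"},
    "network": {"DNSQuery", "HttpOpenRequest", "InternetConnect"},
}
API_CATEGORY = {api: cat for cat, apis in MONITORED.items() for api in apis}

# Assumption: only writes under the two autostart keys count for the registry category.
RUN_KEYS_UPPER = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
)

# Constructed logs (not real captures). The malware picks a new file name,
# Run-key value and domain on every execution; the benign editor is stable,
# with the second run merely adding a cache file (an inclusion relation).
MALWARE_RUN1 = r"""
CreateFile C:\Windows\Temp\a8f3k2.exe
RegSetValueEx HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\a8f3k2
DNSQuery kq7vdl2.example
InternetConnect kq7vdl2.example
"""
MALWARE_RUN2 = r"""
CreateFile C:\Windows\Temp\qz91pm.exe
RegSetValueEx HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\qz91pm
DNSQuery x3nb8r.example
InternetConnect x3nb8r.example
"""
BENIGN_RUN1 = r"""
CreateFile C:\ProgramData\Editor\settings.ini
RegSetValueEx HKEY_CURRENT_USER\Software\Editor\LastOpened
DNSQuery update.editor.example
HttpOpenRequest /latest.json
"""
BENIGN_RUN2 = r"""
CreateFile C:\ProgramData\Editor\settings.ini
CreateFile C:\ProgramData\Editor\cache.dat
RegSetValueEx HKEY_CURRENT_USER\Software\Editor\LastOpened
DNSQuery update.editor.example
HttpOpenRequest /latest.json
"""


def parse_log(text):
    """Build {category: set(parameters)} from one execution's API-call log.

    Assumed format: 'API <parameter>' per line. Calls to APIs outside the
    monitored set are ignored, as are registry writes outside the Run keys.
    """
    params = defaultdict(set)
    for line in text.splitlines():
        api, _, param = line.strip().partition(" ")
        if not param:
            continue
        category = API_CATEGORY.get(api)
        if category is None:
            continue
        if category == "registry" and not param.upper().startswith(RUN_KEYS_UPPER):
            continue
        params[category].add(param)
    return params


def compare(runs, category):
    """Flowchart rule for one category across all executions.

    'benign' if every pair of parameter lists is identical or one includes
    the other; 'malicious' if some pair differs in both directions.
    """
    lists = [run.get(category, set()) for run in runs]
    for i in range(len(lists)):
        for j in range(i + 1, len(lists)):
            a, b = lists[i], lists[j]
            if a == b or a <= b or b <= a:
                continue
            return "malicious"
    return "benign"


def classify(runs):
    """Per-category verdicts plus an 'all' verdict (assumption: any difference => malicious)."""
    verdicts = {category: compare(runs, category) for category in MONITORED}
    verdicts["all"] = "malicious" if "malicious" in verdicts.values() else "benign"
    return verdicts


if __name__ == "__main__":
    for name, logs in (("malware", (MALWARE_RUN1, MALWARE_RUN2)),
                       ("benign", (BENIGN_RUN1, BENIGN_RUN2))):
        print(name, classify([parse_log(log) for log in logs]))
```

The benign sample passes because its second run only adds a file (inclusion), so a program that caches more on a later run is not flagged; the malware is caught in all three categories because each run produces a set the other run does not contain. Note the method's own blind spot: malware that behaves identically in both executions (no random file name, no random domain) yields matching lists and is classified benign, which is consistent with the modest TP rate reported on the result slide.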
Slide8
Result

Malware samples (5697 in total):
              True Positive   False Negative   TP Rate (%)
  All              3864            1833           67.83
  Registry          478            5219            8.39
  File             3799            1898           66.68
  Network          2018            3679           35.42

Benign samples (819 in total):
              False Positive   True Negative   FP Rate (%)
  All               13              806            1.59
  Registry           0              819            0.00
  File              12              807            1.47
  Network            1              818            0.12

The method detected 117 of the 273 malware samples that the antivirus software (Symantec and McAfee) could not detect.
Slide9
Conclusion
- Advantage: not disturbed by packing and code obfuscation techniques
- Disadvantage: slow, and the sandbox may be detected
- The proposed method may improve the accuracy of malware detection when used in combination with other existing methods
Slide10
Thanks for listening