Stochastic identification of malware with dynamic traces
Weil, Scott Vander
MetadataShow full item record
A novel approach to malware classification is introduced based on analysis of instruction traces that are collected dynamically from the program in question. The method has been implemented online in a sandbox environment (i.e., a security mechanism for separating running programs) at Los Alamos National Laboratory, and is in- tended for eventual host-based use, provided the issue of sampling the instructions executed by a given process without disruption to the user can be satisfactorily addressed. The procedure represents an instruction trace with a Markov chain structure in which the transi- tion matrix, P, has rows modeled as Dirichlet vectors. The malware class (malicious or benign) is modeled using a flexible spline logistic regression model with variable selection on the elements of P, which are observed with error. The utility of the method is illustrated on a sample of traces from malware and nonmalware programs, and the results are compared to other leading detection schemes (both sig- nature and classification based). This article also has supplementary materials available online.
The article of record as published may be located at http://dx.doi.org/10.1214/13-AOAS703
Showing items related by title, author, creator and subject.
Eagle, Chris (2006-10-31);Virtually every virus and worm that circulates the Internet today is ""protected"" by some form of obfuscation that hides the code's true intent. In the Window's world where worms prevail, the use of tools such as UPX, ...
Zarate, Carolina; Garfinkel, Simson L.; Heffernan, Aubin; Gorak, Kyle; Horras, Scott (Monterey, California. Naval Postgraduate School, 2014-01-17); NPS-CS-13-005To determine the usage of XOR and the need to adapt additional tools, we analyzed 2,411 drive images from devices acquired around the world for the use of bytewise XOR as an obfuscation technique. Using a modified version ...
Longoria, Jr., Ray (Monterey, California. Naval Postgraduate School, 2012-09);MAST Malicious Activity Simulation Tool aims to support the conduct of network administrator security training on the very network that the administrator is supposed to manage. A key element of MAST is to use malware mimics ...