Abstract
Malicious software, or malware, has evolved into one of the most severe security threats on today’s Internet. Despite many years of research and development from both academia and industry, the problem is still poorly contained. In this paper, we make the case for a malware defense approach that uses expressive behavior specifications that are general enough to characterize and detect a wide variety of malicious programs. Moreover, our approach can quickly react to new malware families. To this end, the system automatically generates specifications based on the observation of the execution of malware programs. That is, the system executes and monitors new malware programs in a controlled analysis environment. Based on these observations, the system identifies behavior that reflects malicious activity. This program behavior is then automatically translated into specifications that can be used for malware detection.
The work discussed in this paper would not have been possible without the tireless efforts of many graduate students and the collaboration with my colleagues. I would like to especially thank Clemens Kolbitsch, Paolo Milani Comparetti, Andreas Moser and Engin Kirda, who have made major contributions to those techniques that are described in more detail in this paper.
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kruegel, C. (2012). Fighting Malicious Software. In: Venkatakrishnan, V., Goswami, D. (eds) Information Systems Security. ICISS 2012. Lecture Notes in Computer Science, vol 7671. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35130-3_1
DOI: https://doi.org/10.1007/978-3-642-35130-3_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-35129-7
Online ISBN: 978-3-642-35130-3
eBook Packages: Computer Science, Computer Science (R0)