AGIS: Towards automatic generation of infection signatures

Authors: Zhuowei Li, XiaoFeng Wang, Zhenkai Liang, Michael K. Reiter

DOI: 10.1109/DSN.2008.4630092

Keywords:

Abstract: An important yet largely uncharted problem in malware defense is how to automate the generation of infection signatures for detecting compromised systems, i.e., signatures that characterize the behavior of malware residing on a system. To this end, we develop AGIS, a host-based technique that detects infections by malware and automatically generates an infection signature of the malware. AGIS monitors the runtime behavior of suspicious code according to a set of security policies to detect an infection, and then identifies its characteristic behavior in terms of system or API calls. It then statically analyzes the corresponding executables to extract the instructions important to the infection's mission. These instructions can be used to build a template for a static-analysis-based scanner, or a regular-expression signature for legacy scanners. AGIS also handles encrypted malware by recovering the plaintext from its decryption loop. We implemented AGIS on Windows XP and evaluated it against real-life malware, including keyloggers, mass-mailing worms, and a well-known mutation engine. The experimental results demonstrate the effectiveness of our new technique in generating high-quality signatures.
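The pipeline the abstract sketches (policy-driven runtime detection, extraction of the characteristic calls, and a regular-expression signature for a legacy scanner) can be seen end to end on a toy scale. The following is an added illustration written for this page, not code or data from the AGIS paper: the API-call traces, the single "keylogging" policy and the `;`-separated log encoding are all constructed assumptions, and the static-analysis step that AGIS performs on the executable is replaced here by working directly from the matched calls.

```python
"""Toy illustration of policy-based infection detection followed by
regex-signature generation, in the spirit of the AGIS abstract.
All traces, API names and policies below are constructed for the
example; nothing here is code or data from the AGIS paper."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Call:
    api: str          # Win32 API name as a hooked-call monitor might log it
    args: tuple = ()  # argument values the policy cares about (constructed)


# Constructed API-call traces, one call per event. Not real malware logs.
TRACES = {
    # keylogger-like: installs a keyboard hook, polls keys, logs to disk
    "sample_k": [
        Call("GetModuleHandleA"),
        Call("SetWindowsHookExA", ("WH_KEYBOARD_LL",)),
        Call("GetAsyncKeyState"),
        Call("CreateFileA", ("keys.log",)),
        Call("WriteFile", ("keys.log",)),
    ],
    # benign editor: writes a file but installs no hook at all
    "editor": [
        Call("CreateFileA", ("notes.txt",)),
        Call("WriteFile", ("notes.txt",)),
        Call("CloseHandle"),
    ],
    # mouse-gesture tool: same API names as the keylogger, but a mouse hook
    "mouse_tool": [
        Call("SetWindowsHookExA", ("WH_MOUSE_LL",)),
        Call("GetAsyncKeyState"),
        Call("WriteFile", ("gestures.cfg",)),
    ],
}

# A security policy: an ordered list of (api, required argument or None)
# whose joint occurrence is treated as evidence of an infection mission.
POLICIES = {
    "keylogging": [
        ("SetWindowsHookExA", "WH_KEYBOARD_LL"),
        ("GetAsyncKeyState", None),
        ("WriteFile", None),
    ],
}


def match_policy(trace, steps):
    """Return the calls of `trace` that realise `steps` as an ordered
    subsequence (argument constraints included), or None."""
    hits, i = [], 0
    for api, arg in steps:
        while i < len(trace):
            call = trace[i]
            i += 1
            if call.api == api and (arg is None or arg in call.args):
                hits.append(call)
                break
        else:          # ran out of trace without satisfying this step
            return None
    return hits


def detect(trace):
    """Runtime-monitor stage: (violated policy, characteristic calls),
    or None if the trace is policy-clean."""
    for name, steps in POLICIES.items():
        hits = match_policy(trace, steps)
        if hits:
            return name, hits
    return None


def make_signature(characteristic_calls):
    """Signature-generation stage: a regex over a ';'-joined API-name log
    that matches the characteristic calls in order with any number of
    unrelated calls between them. The argument constraint (WH_KEYBOARD_LL)
    does not survive, since a name-only legacy scanner cannot see it."""
    gap = r"(?:[^;]*;)*?"
    return gap.join(re.escape(c.api) + ";" for c in characteristic_calls)


def serialise(trace):
    return "".join(c.api + ";" for c in trace)


def scan(signature, trace):
    """Legacy-scanner stage: does the generated signature fire on a trace?"""
    return re.search(signature, serialise(trace)) is not None


if __name__ == "__main__":
    policy, chars = detect(TRACES["sample_k"])
    sig = make_signature(chars)
    print(policy, sig)
    for name, trace in TRACES.items():
        print(f"{name}: policy={detect(trace) is not None} regex={scan(sig, trace)}")
```

Running it shows the trade-off the abstract hints at when it distinguishes a static-analysis template from a regex for legacy scanners: the policy check clears `mouse_tool` because the hook argument is wrong, but the name-only regex derived from `sample_k` still fires on it. Whatever information the signature format cannot carry becomes a source of false positives, so the richer template is the one to prefer where the scanner supports it.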
