Fileprint analysis for Malware Detection

Authors: Wei-Jen Li, Ke Wang, Salvatore J. Stolfo

DOI:

Keywords:

Abstract: Malcode can be easily hidden in document files and in embedded application executables. We demonstrate this opportunity for stealthy malcode insertion in several experiments using a standard COTS Anti-Virus (AV) scanner. In the case of zero-day malicious exploit code, signature-based AV scanners would fail to detect such code even if the scanner knew where to look. We propose the use of statistical binary content analysis in order to detect suspicious, anomalous file segments that may suggest infection by malcode. Experiments are performed to determine whether the n-gram approach can provide useful evidence of an infected file that should subsequently be subjected to further scrutiny. Our goal is to develop an efficient means of detecting suspect files for online network communication or for scanning a large store of collected information, such as a data warehouse of shared documents.

1. Introduction

Attackers have used a variety of ways of embedding code in otherwise normal-appearing files to infect systems. Viruses that attach themselves to system files or media are nothing new. State-of-the-art products scan files and apply signatures of these known malware. For various performance optimization reasons, however, they do not perform a deep scan of every file, so not all malcodes that have been inserted at an arbitrary location are detected. Other stealth techniques to avoid detection are well known. Various self-encryption and obfuscation techniques are used, or the malcode is simply made unavailable for inspection, as with new "zero day" malcode to which a scanner has not had access. In this paper we explore the detection of malcode in shared, streaming, or otherwise acquired content. The first contribution is the astonishing observation that anti-virus systems can be deceived: in our experiments, malcode was inserted into PDF and DOC files. Although the captured malcode samples were detected when they appeared as stand-alone files, only quite a few of the poisoned documents carrying them inside were flagged by a popular AV scanner. Furthermore, some of these poisoned files were successfully opened in Adobe and Word. Thus, the logic of these file formats provides a ready-made means of stealthily infecting a host with an innocent-looking file. This implies that sandboxing their execution would not be an effective detector in such cases. We also note that an existing vulnerability in certain Windows executables [23] remains available to malware while avoiding detection: simply replacing a padding portion of MS WINWORD.EXE with a block of code creates an infected file that operates correctly as the original executable.
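The abstract proposes scoring fixed-size file segments against a statistical byte-content model and flagging the anomalous ones for further scrutiny. The following is an added illustration of that idea, not code from the paper or its authors: it uses a 1-gram (single-byte) frequency fileprint, 256-byte segments, Manhattan distance between histograms, and a threshold set from the worst training segment, all of which are assumptions of this example rather than details stated on the page. The "documents" are constructed text-like byte strings, with a block of random bytes spliced into one of them to stand in for inserted malcode.

```python
# Added illustration of 1-gram "fileprint" segment analysis; not the paper's code.
# Assumptions (not from the page): a 1-gram byte-frequency model, fixed 256-byte
# segments, Manhattan distance, and a threshold calibrated from training segments.
import random
from collections import Counter

SEGMENT_SIZE = 256  # assumed segment length


def byte_histogram(data):
    """Normalised 256-bin byte frequency distribution of a byte string."""
    counts = Counter(data)
    total = max(len(data), 1)
    return [counts.get(b, 0) / total for b in range(256)]


def manhattan(h1, h2):
    """L1 distance between two histograms (0 = identical, 2 = disjoint support)."""
    return sum(abs(a - b) for a, b in zip(h1, h2))


def segments(data, size=SEGMENT_SIZE):
    """Split a file into consecutive fixed-size segments (the last may be shorter)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def train_fileprint(files, size=SEGMENT_SIZE):
    """Build a file-type model: the mean segment histogram, plus a threshold set
    from the largest distance any training segment shows to that mean (x1.5 margin)."""
    hists = [byte_histogram(seg) for f in files for seg in segments(f, size)]
    model = [sum(h[b] for h in hists) / len(hists) for b in range(256)]
    worst = max(manhattan(h, model) for h in hists)
    return model, worst * 1.5


def score_segments(data, model, size=SEGMENT_SIZE):
    """Distance of every segment of `data` from the model fileprint."""
    return [manhattan(byte_histogram(seg), model) for seg in segments(data, size)]


def flag_segments(data, model, threshold, size=SEGMENT_SIZE):
    """Indices of segments whose fileprint is anomalous for this file type."""
    return [i for i, s in enumerate(score_segments(data, model, size)) if s > threshold]


# ---- constructed sample data (not real documents) ----
WORDS = [b"the", b"report", b"quarterly", b"revenue", b"meeting", b"agenda",
         b"budget", b"review", b"summary", b"project", b"status", b"team"]


def make_text(rng, n):
    """Deterministic text-like content of exactly n bytes."""
    out = b""
    while len(out) < n:
        out += rng.choice(WORDS) + b" "
    return out[:n]


def build_demo():
    """Train on five clean text-like files; return model, threshold, and two test files."""
    rng = random.Random(7)
    training = [make_text(rng, 4096) for _ in range(5)]
    model, threshold = train_fileprint(training)
    # A 256-byte block of random bytes spliced in as segment 4 stands in for
    # inserted (possibly encrypted) malcode inside an otherwise normal document.
    inserted = bytes(rng.getrandbits(8) for _ in range(SEGMENT_SIZE))
    poisoned = make_text(rng, 4 * SEGMENT_SIZE) + inserted + make_text(rng, 4 * SEGMENT_SIZE)
    clean = make_text(rng, 9 * SEGMENT_SIZE)
    return model, threshold, clean, poisoned


def demo_results():
    """Flagged segment indices for the clean and the poisoned constructed file."""
    model, threshold, clean, poisoned = build_demo()
    return flag_segments(clean, model, threshold), flag_segments(poisoned, model, threshold)


if __name__ == "__main__":
    clean_flags, poisoned_flags = demo_results()
    print("clean flags   ", clean_flags)
    print("poisoned flags", poisoned_flags)
```

The random block is flagged because its near-uniform byte distribution is far from the narrow alphabet of the text-like model, while every genuine text segment stays inside the calibrated margin. A real deployment would train one model per file type (PDF, DOC, EXE) and would treat a flag only as evidence that the file deserves deeper inspection, which is the role the abstract assigns to this analysis.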

References (21)
Aleksey Kurchuk, Angelos D. Keromytis. Recursive Sandboxes: Extending Systrace to Empower Applications. Information Security Conference, pp. 473-487 (2004). doi:10.1007/1-4020-8143-X_31
Jeremy Z. Kolter, Marcus A. Maloof. Learning to Detect Malicious Executables. Springer, London, pp. 47-63 (2006). doi:10.1007/1-84628-253-5_4
K. G. Anagnostakis, K. Xinidis, A. D. Keromytis, E. Markatos, S. Sidiroglou, P. Akritidis. Detecting Targeted Attacks Using Shadow Honeypots. USENIX Security Symposium, pp. 9-9 (2005). doi:10.7916/D8WM1PS8
Mihai Christodorescu, Somesh Jha. Static Analysis of Executables to Detect Malicious Patterns. USENIX Security Symposium, pp. 12-12 (2003). doi:10.21236/ADA449067
Ke Wang, Gabriela Cretu, Salvatore J. Stolfo. Anomalous Payload-Based Worm Detection and Signature Generation. Lecture Notes in Computer Science, pp. 227-246 (2006). doi:10.1007/11663812_12
Fredrik Valeur, Christopher Kruegel, Giovanni Vigna, William Robertson. Static Disassembly of Obfuscated Binaries. USENIX Security Symposium, pp. 18-18 (2004).
Barton P. Miller, Somesh Jha, Jonathon T. Giffin. Detecting Manipulated Remote Call Streams. USENIX Security Symposium, pp. 61-79 (2002).
Erez Zadok, Eleazar Eskin, Salvatore J. Stolfo, Manasi Bhattacharyya, Matthew G. Schultz. MEF: Malicious Email Filter - A UNIX Mail Filter That Detects Malicious Windows Executables. USENIX Annual Technical Conference, pp. 245-252 (2001). doi:10.7916/D8W38329
R. Sekar, A. Gupta, J. Frullo, T. Shanbhag, A. Tiwari, H. Yang, S. Zhou. Specification-Based Anomaly Detection. Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS '02), pp. 265-274 (2002). doi:10.1145/586110.586146
George C. Necula. Proof-Carrying Code. Symposium on Principles of Programming Languages, pp. 106-119 (1997). doi:10.1145/263699.263712