Traditionally, dynamic detection approaches to Malware identification are commended for their simplicity and small signature database. In practice they suffer from two major defects. First, Malware might need to be emulated for a long time before traces of harmful behavior are first exhibited. Second, a few Anti-VM techniques are widely known and can easily be employed by any program to thwart the attempt to execute it in a sandbox and observe its original behavior, rendering the approach less than effective. On the other hand, static detection approaches have their own limitations, ranging from parsing obfuscated executables to the scalability issues caused by the ever-increasing size of the signature database. Fundamentally, in the last 10-15 years polymorphic and metamorphic obfuscation techniques have become prevalent, making static approaches less than effective due to the sheer magnitude of the sample set [1]. While the benefits of either dynamic or static approaches look quite tempting from each of their counterpart's perspective, their weaknesses are daunting in their own right as well. In this manuscript we attempt to combine the best part of both worlds, without bringing in the disadvantages of either of them. We call this mixed approach "Segmented Sandboxing".
Malware polymorphic and metamorphic obfuscation techniques, combined with so-called "sandboxing evasion techniques", continue to erode the effectiveness of both static detection (signature matching) and dynamic detection (sandboxing). Specifically, signature-based techniques are overwhelmed by the sheer number of samples generated from a single seminal binary through the use of polymorphic variations (encryption, ISP obfuscation together with ISP emulators, semantically neutral transformations, and so forth). Anti-virus security vendors often report more than 100,000 new Malware signatures a day. In most cases, the preponderance of these variations can be attributed to just a handful of seminal Malware families. In 2011, FireEye reported that over 50% of observed successful Malware infections were attributable to just 13 Malware families (seminals) [1]. Similarly, sandboxing [2], also known as dynamic Malware detection, has suffered from its own set of limitations. Mainly: (1) Malware writers embed in their code the ability to discover virtualized environments by checking for live internet access, or for certain system properties inherent to virtualized environments; (2) wait and seek (aka dormant Malware), a technique where, knowing the execution time limitations of sandboxes, the Malware simply waits; and (3) evasion techniques based on diverse communication. While the benefits of either dynamic or static approaches for Malware detection look quite tempting from each of their counterpart's perspective, their weaknesses are daunting in their own right as well. In this manuscript we attempt to combine the best part of both approaches, while minimizing the disadvantages of either of them. We call this mixed approach "static Malware detection with segmented sandboxing". It was first developed by modeling the problem in classical automata theory, which leads from a formal problem formulation to a practical solution implementation.
Preliminary results have shown that this approach is extremely effective in at least two significant ways. First, it sequentially minimizes both false negatives (misses) and false positives (FPs), enabling response resources to be focused on a more complete set of attacks with far less distraction from false alarms. Second, it overcomes many of the known limitations of sandboxing technology.

[1] FireEye Advanced Threat Report - 2H 2011, http://www.cio.com.au/whitepaper/370860/fireeyeadvanced-threat-report-2h-2011/.
[2] Defn: a tightly controlled environment that allows the execution of untrusted or unknown binaries.

978-1-5090-0319-8/15/$31.00 ©2015 IEEE