DOI: 10.1007/978-3-540-87403-4_5

A Layered Architecture for Detecting Malicious Behaviors

Abstract: We address the semantic gap problem in behavioral monitoring by using hierarchical behavior graphs to infer high-level behaviors from myriad low-level events. Our experimental system traces the execution of a process, performing data-flow analysis to identify meaningful actions such as "proxying", "keystroke logging", "data leaking", and "downloading and executing a program" from complex combinations of rudimentary system calls. To preemptively address evasive malware behavior, our specifications are…

Cited by 89 publications
(74 citation statements)
References 14 publications
“…Other approaches overcame this limitation by focusing on information flows rather than on mere sequences of syscalls. Malware profiles, by leveraging more-contextual information in terms of library [5] or system calls [9,6], started to grasp the semantics lying behind a malicious activity. However, mimicry attacks were still possible [7].…”
Section: Related Work (mentioning; confidence: 99%)
“…Finally, the whole abstraction process could be repeated, as in Martignoni et al.'s layered architecture [19]. A first layer would look up behavior patterns defined in terms of raw analysis data.…”
Section: Projecting the Abstract Trace Language On γ (mentioning; confidence: 99%)
“…Recent approaches [19] deal with functional polymorphism by preprocessing execution traces and transforming them into a high-level representation which captures their semantic meaning. But as these approaches deal with the execution trace being observed, they analyze a single behavior at a time.…”
Section: Introduction (mentioning; confidence: 99%)
“…Anti-malware tools are only able to detect known instances and the success rate is circa 30 % [1]. In an effort to extend both the static and dynamic approaches, some researchers apply machine learning (ML) algorithms, which show promising results both in detecting known and new malware.…”
Section: Introduction (mentioning; confidence: 99%)