AUTOVAC: Automatically Extracting System Resource Constraints and Generating Vaccines for Malware Immunization

Xu, Zhaoyan; Zhang, Jialong; Gu, Guofei; Lin, Zhiqiang

doi:10.1109/icdcs.2013.69

Cited by 15 publications

(5 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Similar logic has also been found in Zeus [21] and Conficker [43]. For these cases, even though the clean environment, which does not contain the mutex, is the ideal environment for analysis, we can still see that GOLDEN-EYE's extracted information is useful, potentially for malware prevention, as discussed in [48]. Displayed Windows and Installed Library.…”

Section: Case Studiessupporting

confidence: 68%

GoldenEye: Efficiently and Effectively Unveiling Malware’s Targeted Environment

Zhang

et al. 2014

Research in Attacks, Intrusions and Defenses

Self Cite

View full text Add to dashboard Cite

Abstract. A critical challenge when combating malware threat is how to efficiently and effectively identify the targeted victim's environment, given an unknown malware sample. Unfortunately, existing malware analysis techniques either use a limited, fixed set of analysis environments (not effective) or employ expensive, time-consuming multi-path exploration (not efficient), making them not well-suited to solve this challenge. As such, this paper proposes a new dynamic analysis scheme to deal with this problem by applying the concept of speculative execution in this new context. Specifically, by providing multiple dynamically created, parallel, and virtual environment spaces, we speculatively execute a malware sample and adaptively switch to the right environment during the analysis. Interestingly, while our approach appears to trade space for speed, we show that it can actually use less memory space and achieve much higher speed than existing schemes. We have implemented a prototype system, GOLDENEYE, and evaluated it with a large real-world malware dataset. The experimental results show that GOLDENEYE outperforms existing solutions and can effectively and efficiently expose malware's targeted environment, thereby speeding up the analysis in the critical battle against the emerging targeted malware threat.

show abstract

Section: Case Studiessupporting

confidence: 68%

GoldenEye: Efficiently and Effectively Unveiling Malware’s Targeted Environment

Zhang

et al. 2014

Research in Attacks, Intrusions and Defenses

Self Cite

View full text Add to dashboard Cite

show abstract

“…Malware detection is a different task from malware classification, which is the theme of this study, as the goal of the later is to classify malware variants into their corresponding families. In some recent works, machine learning has also been applied to automate the process of malware classification (e.g., [21,40,15,19,38,20,39]). The main differences among these works lie in the types of features used for malware classification.…”

Section: Related Work and Discussionmentioning

confidence: 99%

Be Sensitive to Your Errors

Yan

2015

Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security

View full text Add to dashboard Cite

Thwarting the severe threat posed by the voluminous malware variants demands effective, yet efficient, techniques for malware classification. Although machine learning offers a promising approach to automating malware classification, existing methods are oblivious of the costs associated with the different types of errors in malware classification, i.e., false positive errors and false negative errors. Such treatment adversely affects later applications of per-family malware analysis such as trend analysis. Against this backdrop, we propose a unified cost-sensitive framework for automated malware classification. This framework enforces the Neyman-Pearson criterion, which aims to maximize the detection rate under the constraint that the false positive rate should be no greater than a certain threshold. We develop a novel scheme to chain multiple Neyman-Pearson criteria on heterogeneous malware features, some of which may have missing values. Using a large malware dataset with labeled samples belonging to 12 families, we show that our method offers great flexibility in controlling different types of errors involved in malware classification and thus provides a valuable tool for malware defense.

show abstract

“…Another dynamic method is deploying active anti-evasion countermeasures after figuring out how evasions detect analysis environments. Xu et al [27] introduced taint analysis [28] for dissecting evasions based on system resource conditions such as files, mutexes, registries, windows, processes, libraries, and services. Based on prior knowledge, recent works systematically classified and dismantled various evasive techniques, creating a transparent analysis environment to trigger more malicious behaviors.…”

Section: Related Workmentioning

confidence: 99%

Multi-path exploration guided by taint and probability against evasive malware

Qiang¹,

Xu²,

Zhang³

et al. 2023

Security and Safety

View full text Add to dashboard Cite

Static analysis is often impeded by malware obfuscation techniques, such as encryption and packing, whereas dynamic analysis tends to be more resistant to obfuscation by leveraging concrete execution information. Unfortunately, malware can employ evasive techniques to detect the analysis environment and alter its behavior accordingly. While known evasive techniques can be explicitly dismantled, the challenge lies in generically dismantling evasions without full knowledge, such as logic bombs that rely on uncertain conditions, let alone unsupported evasive techniques, which contain evasions without corresponding dismantling strategies and those leveraging unknown implementations. In this paper, we present Antitoxin, a prototype for automatically exploring evasive malware. Antitoxin utilizes multi-path exploration guided by taint analysis and probability calculations to effectively dismantle evasive techniques. The probabilities of branch execution are derived from dynamic coverage, while taint analysis helps identify paths associated with evasive techniques that rely on uncertain conditions. Subsequently, Antitoxin prioritizes branches with lower execution probabilities and those influenced by taint analysis for multi-path exploration. This is achieved through forced execution, which forcefully sets the outcomes of branches on selected paths. Additionally, Antitoxin employs active anti-evasion countermeasures to dismantle known evasive techniques, thereby reducing exploration overhead. Furthermore, Antitoxin provides valuable insights into sensitive behaviors, facilitating deeper manual analysis. Our experiments on a set of highly evasive samples demonstrate that Antitoxin can effectively dismantle evasive techniques in a generic manner. The probability calculations guide the multi-path exploration of evasions without requiring prior knowledge, enabling the dismantling of unsupported techniques such as C2 and significantly improving efficiency compared to linear exploration when dealing with complex control flows. Additionally, taint analysis can accurately identify branches related to logic bombs, facilitating preferential exploration.

show abstract

AUTOVAC: Automatically Extracting System Resource Constraints and Generating Vaccines for Malware Immunization

Cited by 15 publications

References 21 publications

GoldenEye: Efficiently and Effectively Unveiling Malware’s Targeted Environment

GoldenEye: Efficiently and Effectively Unveiling Malware’s Targeted Environment

Be Sensitive to Your Errors

Multi-path exploration guided by taint and probability against evasive malware

Contact Info

Product

Resources

About