Combining Dynamic Passive Analysis and Active Fingerprinting for Effective Bot Malware Detection in Virtualized Environments

Hsiao, Shun-Wen; Chen, Yi-Ning; Sun, Yeali S.; Chen, Meng Chang

doi:10.1007/978-3-642-38631-2_59

Cited by 7 publications

(5 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Some were explicitly designed to improve or propose new sandbox techniques, while others simply relied on sandboxes to collect data to perform other experiments -such as modeling the behavior of samples, extracting new detection signatures, train a classifier, or report on the internals of certain malware characteristics (such as packing, use of encryption, etc.). [44]- [46], [94], [109] 1 2 [56], [108] 2 14 [21], [26], [35], [40], [43], [52], [70], [85], [91], [95], [100], [101], [105], [110] 3 7 [15], [65]- [67], [71], [81], [93] 4 1 [58] 5 13 [12], [13], [23], [29], [38], [50], [51], [69], [78], [88], [92], [102], [106] 8 2 [20], [89] 10 7 [24], [25], [36], [41], …”

Section: A Research Experimentsmentioning

confidence: 99%

Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

Alexander¹,

Mantovani²,

Han

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

The amount of time in which a sample is executed is one of the key parameters of a malware analysis sandbox. Setting the threshold too high hinders the scalability and reduces the number of samples that can be analyzed in a day; too low and the samples may not have the time to show their malicious behavior, thus reducing the amount and quality of the collected data. Therefore, an analyst needs to find the 'sweet spot' that allows to collect only the minimum amount of information required to properly classify each sample. Anything more is wasting resources, anything less is jeopardizing the experiments. Despite its importance, there are no clear guidelines on how to choose this parameter, nor experiments that can help companies to assess the pros and cons of a choice over another. To fill this gap, in this paper we provide the first large-scale study of the impact that the execution time has on both the amount and the quality of the collected events. We measure the evolution of system calls and code coverage, to draw a precise picture of the fraction of runtime behavior we can expect to observe in a sandbox. Finally, we implemented a machine learning based malware detection method, and applied it to the data collected in different time windows, to also report on the relevance of the events observed at different points in time. Our results show that most samples run for either less than two minutes or for more than ten. However, most of the behavior (and 98% of the executed basic blocks) are observed during the first two minutes of execution, which is also the time windows that result in a higher accuracy of our ML classifier. We believe this information can help future researchers and industrial sandboxes to better tune their analysis systems.

show abstract

Section: A Research Experimentsmentioning

confidence: 99%

Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

Alexander¹,

Mantovani²,

Han

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Hsiao et al . proposed an approach that combines dynamic passive analysis and active fingerprinting for bot detection in virtualized environments . A passive detection agent on a virtual machine monitors its host for profiles of bot behavior and checks monitored behavior with behavior on other hosts.…”

Section: Related Workmentioning

confidence: 99%

“…Combining signature‐based and behavior‐based bot detection can maintain some advantages and overcome some critical disadvantages, such as the ineffectiveness of signature‐based detection against unknown bots and obfuscation techniques, and the high risk and low detection accuracy of behavior‐based detection. However, many challenges must be overcome in order to combine the two detection methods, such as how to assign weight to each method . Although there are many techniques for combining scores (linear discriminant analysis, quadratic discriminant analysis, machine learning, etc.…”

Section: Introductionmentioning

confidence: 99%

BotCatch: leveraging signature and behavior for bot detection

et al. 2014

Security Comm Networks

View full text Add to dashboard Cite

The goal of bot detection is to discover malicious bot processes by signature comparison or behavior analysis. Existing approaches have several drawbacks, such as requiring a lot of prior knowledge, low detection accuracy, and high false alarm rate. In this paper, we propose a multi‐feedback approach, BotCatch, to detect bots effectively and efficiently on a host by leverage of a combination of signature and behavior. First, BotCatch assigns suspicious files to signature‐analysis and behavior‐analysis modules, which generate each detection result. Second, BotCatch correlates signature and behavior results to generate the final detection result through correlation engine. Third, BotCatch feeds back signature, behavior, and correlation results to dynamically adjust detecting modules through multi‐feedback engine. We evaluated the performance of BotCatch with 636 bot and 150 benign samples. Our results indicate that BotCatch achieves an accuracy of 97.1% and an F‐measure value of 0.982 simultaneously, which is better than existing approaches without feedbacks. BotCatch, due to the multi‐feedback mechanism, has the ability to gradually get more robust and accurate as the number of samples increases. The final stage even reaches an accuracy of 98.5% and F‐measure value of 0.991. Copyright © 2014 John Wiley & Sons, Ltd.

show abstract

“…Another possibility might be to know what are the processes that a given customer typically execute. Other possible applications are in the area of malware detection [26]. In this respect, running processes can be monitored to see if their workload is the same or it changes during time.…”

Section: Introductionmentioning

confidence: 99%

Cloud-Based Machine Learning Tools for Enhanced Big Data Applications

Cuzzocrea

Mumolo

Corona

2015

2015 15th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing

View full text Add to dashboard Cite

We propose Cloud-based machine learning tools for enhanced Big Data applications, where the main idea is that of predicting the "next" workload occurring against the target Cloud infrastructure via an innovative ensemble-based approach that combine the effectiveness of different well-known classifiers in order to enhance the whole accuracy of the final classification, which is very relevant at now in the specific context of Big Data. So-called workload categorization problem plays a critical role towards improving the efficiency and the reliability of Cloudbased big data applications. Implementation-wise, our method proposes deploying Cloud entities that participate to the distributed classification approach on top of virtual machines, which represent classical "commodity" settings for Cloud-based big data applications. Preliminary experimental assessment and analysis clearly confirm the benefits deriving from our classification framework. 2015 15th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing 978-1-4799-8006-2/15 $31.00

show abstract

Combining Dynamic Passive Analysis and Active Fingerprinting for Effective Bot Malware Detection in Virtualized Environments

Cited by 7 publications

References 7 publications

Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes

BotCatch: leveraging signature and behavior for bot detection

Cloud-Based Machine Learning Tools for Enhanced Big Data Applications

Contact Info

Product

Resources

About