2007
DOI: 10.1109/msp.2007.45
|View full text |Cite
|
Sign up to set email alerts
|

Toward Automated Dynamic Malware Analysis Using CWSandbox

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
3
2

Citation Types

1
298
0
15

Year Published

2009
2009
2023
2023

Publication Types

Select...
4
3
2

Relationship

0
9

Authors

Journals

citations
Cited by 610 publications
(314 citation statements)
references
References 3 publications
1
298
0
15
Order By: Relevance
“…In-host solutions include DiskMon [24], part of the Sysinternals tools, and CWSandbox [28]; both provide disk access instrumentation capabilities for Windows systems. Similarly, Janus [11], DTrace [5], and Systrace [23] provide in-host instrumentation for Unix-based systems through system call interposition, also providing the ability to instrument disk accesses.…”
Section: Related Workmentioning
confidence: 99%
“…In-host solutions include DiskMon [24], part of the Sysinternals tools, and CWSandbox [28]; both provide disk access instrumentation capabilities for Windows systems. Similarly, Janus [11], DTrace [5], and Systrace [23] provide in-host instrumentation for Unix-based systems through system call interposition, also providing the ability to instrument disk accesses.…”
Section: Related Workmentioning
confidence: 99%
“…CWSandbox [36] uses hooking to log the invocations of Windows API function. Similarly, Anubis [1] performs its analysis via virtual machine introspection [13] on an application that is executed in an emulated machine.…”
Section: Related Workmentioning
confidence: 99%
“…These features characterize the obfuscation techniques frequently used in malicious PDF. The combination of static and runtime features will be more effective and robust than existing methods, which are either fully static [5] [4] [6] or fully dynamic [9] [13]. A more thorough comparison between our method and others is presented in Table I.…”
Section: Introductionmentioning
confidence: 99%
“…This method, to the best of our knowledge, has never been explored before for PDF malware detection and confinement. For each PDF Javascript snippet, we include a prologue and epilogue to inform our runtime detector for the entry to and exit from [6] No Yes No Yes Extract-and-Emulate [9] Neutral No Yes No Lexical Analysis of Javascript [7] Neutral Yes No Yes Adobe Sandboxing [12] Neutral Yes No Yes CWSandbox [13] Neutral Javascript context. The advantage of using static document instrumentation over the other two alternatives lies in three aspects.…”
Section: Introductionmentioning
confidence: 99%