TY - GEN
T1 - Malware virtualization-resistant behavior detection
AU - Sun, Ming Kung
AU - Lin, Mao Jie
AU - Chang, Michael
AU - Laih, Chi Sung
AU - Lin, Hui Tang
PY - 2011
Y1 - 2011
N2 - Many researchers monitor malicious software (malware) behavior using Virtual Machines (VMs) to protect the underlying operating system. In a virtual machine, the malware monitor process runs at the same layer as the real system, so the monitor can collect detailed behavior information without being discovered. Malware authors employ Anti-VM techniques to ward off collection, analysis and reverse engineering of their malicious programs; malware researchers may therefore obtain inaccurate analysis results from VM-aware programs. This paper presents a solution to detect Anti-VM techniques. We collect behavioral information from malware and use an enhanced behavior distance algorithm to calculate the difference between real and virtual environments, in order to determine whether the malware has Anti-VM capability. Our experiments show that this algorithm works well. This idea can improve malware analysis results and reduce malware misdetection.
UR - http://www.scopus.com/inward/record.url?scp=84863066873&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84863066873&partnerID=8YFLogxK
U2 - 10.1109/ICPADS.2011.78
DO - 10.1109/ICPADS.2011.78
M3 - Conference contribution
AN - SCOPUS:84863066873
SN - 9780769545769
T3 - Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS
SP - 912
EP - 917
BT - Proceedings - 2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011
T2 - 2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011
Y2 - 7 December 2011 through 9 December 2011
ER -