Malware virtualization-resistant behavior detection

Ming Kung Sun, Mao Jie Lin, Michael Chang, Chi Sung Laih, Hui Tang Lin

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

19 Citations (Scopus)

Abstract

Many researchers monitor malicious software (malware) behavior inside Virtual Machines (VMs) to protect the underlying operating system. With virtual machines, the malware monitor process exists at the same layer as the real system, so the monitor can collect detailed behavior information without being discovered. Malware authors, however, employ Anti-VM techniques to ward off collection, analysis and reverse engineering of their programs, so malware researchers may obtain inaccurate analysis results from VM-aware programs. This paper presents a solution for detecting Anti-VM techniques. We collect behavioral information from malware and use an enhanced behavior distance algorithm to calculate the difference between its behavior in real and virtual environments, and from that difference we determine whether the malware has Anti-VM capability. Our experiments show that this algorithm works well. This approach can improve malware analysis results and reduce malware misdetection.

Original language: English
Title of host publication: Proceedings - 2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011
Pages: 912-917
Number of pages: 6
DOIs
Publication status: Published - 2011
Event: 2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011 - Tainan, Taiwan
Duration: 2011 Dec 7 to 2011 Dec 9

Publication series

Name: Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS
ISSN (Print): 1521-9097

Other

Other: 2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011
Country/Territory: Taiwan
City: Tainan
Period: 11-12-07 to 11-12-09

All Science Journal Classification (ASJC) codes

  • Hardware and Architecture
