Malware virtualization-resistant behavior detection

Ming Kung Sun; Mao Jie Lin; Michael Chang; Chi Sung Laih; Hui Tang Lin

doi:10.1109/ICPADS.2011.78

Malware virtualization-resistant behavior detection

Ming Kung Sun, Mao Jie Lin, Michael Chang, Chi Sung Laih, Hui Tang Lin

Department of Electrical Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

19 Citations (Scopus)

Abstract

Many researchers monitor malicious software (malware) behavior using Virtual Machines (VM) to protect the underlying operating system. For virtual machines, the malware monitor process exists at the same layer as the real system so the monitor can get detailed behavior information without being discovered. There are some Anti-VM techniques employed by malware authors to ward off collection, analysis and reverse engineering of their malicious programs. Therefore, malware researchers may obtain inaccurate analysis from VM aware programs. This paper presents a solution to detect Anti-VM techniques. We collect behavioral information from malware and use an enhanced behavior distance algorithm to calculate the difference between real and virtual environments to distinguish if the malware has Anti-VM capability. Our experiments show this algorithm works well. This idea can improve malware analysis results and reduce malware misdetection.

Original language	English
Title of host publication	Proceedings - 2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011
Pages	912-917
Number of pages	6
DOIs	https://doi.org/10.1109/ICPADS.2011.78
Publication status	Published - 2011
Event	2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011 - Tainan, Taiwan Duration: 2011 Dec 7 → 2011 Dec 9

Publication series

Name	Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS
ISSN (Print)	1521-9097

Other

Other	2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011
Country/Territory	Taiwan
City	Tainan
Period	11-12-07 → 11-12-09

All Science Journal Classification (ASJC) codes

Hardware and Architecture

Access to Document

10.1109/ICPADS.2011.78

Cite this

Sun, M. K., Lin, M. J., Chang, M., Laih, C. S., & Lin, H. T. (2011). Malware virtualization-resistant behavior detection. In Proceedings - 2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011 (pp. 912-917). [6121379] (Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS). https://doi.org/10.1109/ICPADS.2011.78

@inproceedings{c3898bb74b1746bca4d5eaca29f3997d,

title = "Malware virtualization-resistant behavior detection",

abstract = "Many researchers monitor malicious software (malware) behavior using Virtual Machines (VM) to protect the underlying operating system. For virtual machines, the malware monitor process exists at the same layer as the real system so the monitor can get detailed behavior information without being discovered. There are some Anti-VM techniques employed by malware authors to ward off collection, analysis and reverse engineering of their malicious programs. Therefore, malware researchers may obtain inaccurate analysis from VM aware programs. This paper presents a solution to detect Anti-VM techniques. We collect behavioral information from malware and use an enhanced behavior distance algorithm to calculate the difference between real and virtual environments to distinguish if the malware has Anti-VM capability. Our experiments show this algorithm works well. This idea can improve malware analysis results and reduce malware misdetection.",

author = "Sun, {Ming Kung} and Lin, {Mao Jie} and Michael Chang and Laih, {Chi Sung} and Lin, {Hui Tang}",

year = "2011",

doi = "10.1109/ICPADS.2011.78",

language = "English",

isbn = "9780769545769",

series = "Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS",

pages = "912--917",

booktitle = "Proceedings - 2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011",

note = "2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011 ; Conference date: 07-12-2011 Through 09-12-2011",

}

Sun, MK, Lin, MJ, Chang, M, Laih, CS & Lin, HT 2011, Malware virtualization-resistant behavior detection. in Proceedings - 2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011., 6121379, Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS, pp. 912-917, 2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011, Tainan, Taiwan, 11-12-07. https://doi.org/10.1109/ICPADS.2011.78

Malware virtualization-resistant behavior detection. / Sun, Ming Kung; Lin, Mao Jie; Chang, Michael et al.

Proceedings - 2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011. 2011. p. 912-917 6121379 (Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Malware virtualization-resistant behavior detection

AU - Sun, Ming Kung

AU - Lin, Mao Jie

AU - Chang, Michael

AU - Laih, Chi Sung

AU - Lin, Hui Tang

PY - 2011

Y1 - 2011

N2 - Many researchers monitor malicious software (malware) behavior using Virtual Machines (VM) to protect the underlying operating system. For virtual machines, the malware monitor process exists at the same layer as the real system so the monitor can get detailed behavior information without being discovered. There are some Anti-VM techniques employed by malware authors to ward off collection, analysis and reverse engineering of their malicious programs. Therefore, malware researchers may obtain inaccurate analysis from VM aware programs. This paper presents a solution to detect Anti-VM techniques. We collect behavioral information from malware and use an enhanced behavior distance algorithm to calculate the difference between real and virtual environments to distinguish if the malware has Anti-VM capability. Our experiments show this algorithm works well. This idea can improve malware analysis results and reduce malware misdetection.

AB - Many researchers monitor malicious software (malware) behavior using Virtual Machines (VM) to protect the underlying operating system. For virtual machines, the malware monitor process exists at the same layer as the real system so the monitor can get detailed behavior information without being discovered. There are some Anti-VM techniques employed by malware authors to ward off collection, analysis and reverse engineering of their malicious programs. Therefore, malware researchers may obtain inaccurate analysis from VM aware programs. This paper presents a solution to detect Anti-VM techniques. We collect behavioral information from malware and use an enhanced behavior distance algorithm to calculate the difference between real and virtual environments to distinguish if the malware has Anti-VM capability. Our experiments show this algorithm works well. This idea can improve malware analysis results and reduce malware misdetection.

UR - http://www.scopus.com/inward/record.url?scp=84863066873&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84863066873&partnerID=8YFLogxK

U2 - 10.1109/ICPADS.2011.78

DO - 10.1109/ICPADS.2011.78

M3 - Conference contribution

AN - SCOPUS:84863066873

SN - 9780769545769

T3 - Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS

SP - 912

EP - 917

BT - Proceedings - 2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011

T2 - 2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011

Y2 - 7 December 2011 through 9 December 2011

ER -

Malware virtualization-resistant behavior detection

Abstract

Publication series

Other

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this