Malware virtualization-resistant behavior detection

Ming Kung Sun; Mao Jie Lin; Michael Chang; Chi Sung Laih; Hui Tang Lin

doi:10.1109/ICPADS.2011.78

Malware virtualization-resistant behavior detection

Ming Kung Sun, Mao Jie Lin, Michael Chang, Chi Sung Laih, Hui Tang Lin

電機工程學系

研究成果: Conference contribution

21 引文斯高帕斯（Scopus）

摘要

Many researchers monitor malicious software (malware) behavior using Virtual Machines (VM) to protect the underlying operating system. For virtual machines, the malware monitor process exists at the same layer as the real system so the monitor can get detailed behavior information without being discovered. There are some Anti-VM techniques employed by malware authors to ward off collection, analysis and reverse engineering of their malicious programs. Therefore, malware researchers may obtain inaccurate analysis from VM aware programs. This paper presents a solution to detect Anti-VM techniques. We collect behavioral information from malware and use an enhanced behavior distance algorithm to calculate the difference between real and virtual environments to distinguish if the malware has Anti-VM capability. Our experiments show this algorithm works well. This idea can improve malware analysis results and reduce malware misdetection.

原文	English
主出版物標題	Proceedings - 2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011
頁面	912-917
頁數	6
DOIs	https://doi.org/10.1109/ICPADS.2011.78
出版狀態	Published - 2011
事件	2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011 - Tainan, Taiwan 持續時間: 2011 12月 7 → 2011 12月 9

出版系列

名字	Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS
ISSN（列印）	1521-9097

Other

Other	2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011
國家/地區	Taiwan
城市	Tainan
期間	11-12-07 → 11-12-09

All Science Journal Classification (ASJC) codes

硬體和架構

存取文件

10.1109/ICPADS.2011.78

其它文件與鏈接

引用此

Sun, M. K., Lin, M. J., Chang, M., Laih, C. S., & Lin, H. T. (2011). Malware virtualization-resistant behavior detection. 於 Proceedings - 2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011 (頁 912-917). 文章 6121379 (Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS). https://doi.org/10.1109/ICPADS.2011.78

@inproceedings{c3898bb74b1746bca4d5eaca29f3997d,

title = "Malware virtualization-resistant behavior detection",

abstract = "Many researchers monitor malicious software (malware) behavior using Virtual Machines (VM) to protect the underlying operating system. For virtual machines, the malware monitor process exists at the same layer as the real system so the monitor can get detailed behavior information without being discovered. There are some Anti-VM techniques employed by malware authors to ward off collection, analysis and reverse engineering of their malicious programs. Therefore, malware researchers may obtain inaccurate analysis from VM aware programs. This paper presents a solution to detect Anti-VM techniques. We collect behavioral information from malware and use an enhanced behavior distance algorithm to calculate the difference between real and virtual environments to distinguish if the malware has Anti-VM capability. Our experiments show this algorithm works well. This idea can improve malware analysis results and reduce malware misdetection.",

author = "Sun, {Ming Kung} and Lin, {Mao Jie} and Michael Chang and Laih, {Chi Sung} and Lin, {Hui Tang}",

year = "2011",

doi = "10.1109/ICPADS.2011.78",

language = "English",

isbn = "9780769545769",

series = "Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS",

pages = "912--917",

booktitle = "Proceedings - 2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011",

note = "2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011 ; Conference date: 07-12-2011 Through 09-12-2011",

}

Sun, MK, Lin, MJ, Chang, M, Laih, CS & Lin, HT 2011, Malware virtualization-resistant behavior detection. 於 Proceedings - 2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011., 6121379, Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS, 頁 912-917, 2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011, Tainan, Taiwan, 11-12-07. https://doi.org/10.1109/ICPADS.2011.78

TY - GEN

T1 - Malware virtualization-resistant behavior detection

AU - Sun, Ming Kung

AU - Lin, Mao Jie

AU - Chang, Michael

AU - Laih, Chi Sung

AU - Lin, Hui Tang

PY - 2011

Y1 - 2011

N2 - Many researchers monitor malicious software (malware) behavior using Virtual Machines (VM) to protect the underlying operating system. For virtual machines, the malware monitor process exists at the same layer as the real system so the monitor can get detailed behavior information without being discovered. There are some Anti-VM techniques employed by malware authors to ward off collection, analysis and reverse engineering of their malicious programs. Therefore, malware researchers may obtain inaccurate analysis from VM aware programs. This paper presents a solution to detect Anti-VM techniques. We collect behavioral information from malware and use an enhanced behavior distance algorithm to calculate the difference between real and virtual environments to distinguish if the malware has Anti-VM capability. Our experiments show this algorithm works well. This idea can improve malware analysis results and reduce malware misdetection.

AB - Many researchers monitor malicious software (malware) behavior using Virtual Machines (VM) to protect the underlying operating system. For virtual machines, the malware monitor process exists at the same layer as the real system so the monitor can get detailed behavior information without being discovered. There are some Anti-VM techniques employed by malware authors to ward off collection, analysis and reverse engineering of their malicious programs. Therefore, malware researchers may obtain inaccurate analysis from VM aware programs. This paper presents a solution to detect Anti-VM techniques. We collect behavioral information from malware and use an enhanced behavior distance algorithm to calculate the difference between real and virtual environments to distinguish if the malware has Anti-VM capability. Our experiments show this algorithm works well. This idea can improve malware analysis results and reduce malware misdetection.

UR - http://www.scopus.com/inward/record.url?scp=84863066873&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84863066873&partnerID=8YFLogxK

U2 - 10.1109/ICPADS.2011.78

DO - 10.1109/ICPADS.2011.78

M3 - Conference contribution

AN - SCOPUS:84863066873

SN - 9780769545769

T3 - Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS

SP - 912

EP - 917

BT - Proceedings - 2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011

T2 - 2011 17th IEEE International Conference on Parallel and Distributed Systems, ICPADS 2011

Y2 - 7 December 2011 through 9 December 2011

ER -

Malware virtualization-resistant behavior detection

摘要

出版系列

Other

All Science Journal Classification (ASJC) codes

存取文件

其它文件與鏈接

指紋

引用此