TY - GEN
T1 - Dynamic binary instrumentation-based framework for malware defense
AU - Aaraj, Najwa
AU - Raghunathan, Anand
AU - Jha, Niraj K.
N1 - Copyright:
Copyright 2011 Elsevier B.V., All rights reserved.
PY - 2008
Y1 - 2008
N2 - Malware is at the root of a large number of information security breaches. Despite widespread effort devoted to combating malware, current techniques have proven to be insufficient in stemming the incessant growth in malware attacks. In this paper, we describe a tool that exploits a combination of virtualized (isolated) execution environments and dynamic binary instrumentation (DBI) to detect malicious software and prevent its execution. We define two isolated environments: (i) a Testing environment, wherein an untrusted program is traced during execution using DBI and subjected to rigorous checks against extensive security policies that express behavioral patterns of malicious software, and (ii) a Real environment, wherein a program is subjected to run-time monitoring using a behavioral model (in place of the security policies), along with a continuous learning process, in order to prevent non-permissible behavior. We have evaluated the proposed methodology on both Linux and Windows XP operating systems, using several virus benchmarks as well as obfuscated versions thereof. Experiments demonstrate that our approach achieves almost complete coverage for original and obfuscated viruses. Average execution times go up to 28.57X and 1.23X in the Testing and Real environments, respectively. The high overhead imposed in the Testing environment does not create a severe impediment since it occurs only once and is transparent to the user. Users are only affected by the overhead imposed in the Real environment. We believe that our approach has the potential to improve on the state-of-the-art in malware detection, offering improved accuracy with low performance penalty.
AB - Malware is at the root of a large number of information security breaches. Despite widespread effort devoted to combating malware, current techniques have proven to be insufficient in stemming the incessant growth in malware attacks. In this paper, we describe a tool that exploits a combination of virtualized (isolated) execution environments and dynamic binary instrumentation (DBI) to detect malicious software and prevent its execution. We define two isolated environments: (i) a Testing environment, wherein an untrusted program is traced during execution using DBI and subjected to rigorous checks against extensive security policies that express behavioral patterns of malicious software, and (ii) a Real environment, wherein a program is subjected to run-time monitoring using a behavioral model (in place of the security policies), along with a continuous learning process, in order to prevent non-permissible behavior. We have evaluated the proposed methodology on both Linux and Windows XP operating systems, using several virus benchmarks as well as obfuscated versions thereof. Experiments demonstrate that our approach achieves almost complete coverage for original and obfuscated viruses. Average execution times go up to 28.57X and 1.23X in the Testing and Real environments, respectively. The high overhead imposed in the Testing environment does not create a severe impediment since it occurs only once and is transparent to the user. Users are only affected by the overhead imposed in the Real environment. We believe that our approach has the potential to improve on the state-of-the-art in malware detection, offering improved accuracy with low performance penalty.
KW - Control-data flow
KW - Dynamic binary instrumentation
KW - Execution context
KW - Malware
KW - Virtualization
UR - http://www.scopus.com/inward/record.url?scp=49949108190&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=49949108190&partnerID=8YFLogxK
U2 - 10.1007/978-3-540-70542-0_4
DO - 10.1007/978-3-540-70542-0_4
M3 - Conference contribution
AN - SCOPUS:49949108190
SN - 3540705414
SN - 9783540705413
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 64
EP - 87
BT - Detection of Intrusions and Malware, and Vulnerability Assessment - 5th International Conference, DIMVA 2008, Proceedings
T2 - 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2008
Y2 - 10 July 2008 through 11 July 2008
ER -