Jackdaw: automatic behavior extractor and semantic tagger

SCORTI, ANDREA; POLINO, MARIO
2012/2013

Abstract

Malicious software, often referred to as malware, is one of the major threats to computer systems. Sensitive information is constantly under threat from such software. Malware authors, motivated by financial gain, spread new threats every day. To counteract malware, we need to analyze it. Analysis techniques can be classified as static or dynamic. Static analysis works on the code (e.g., machine, assembly, source). Its advantages are high code coverage and scalability, while obfuscation or packing may render it ineffective. Dynamic analysis observes the execution flow of a running program, for example by tracing dependencies among API functions. One of the main problems in malware analysis is to automatically define interesting behaviors. The state of the art requires analysts to manually define rules that represent behaviors, then search for them in malware. Due to the rising number of malware samples and the growth of potential features, manual analysis has become infeasible, so automatic processes are needed to increase coverage of the analyzed malware. Hereby, we present Jackdaw, an automatic behavior extractor and semantic tagger. In the first phase, the system exploits both static and dynamic analysis on malware instances in order to find interesting sequences of events that could be behaviors, and maps them onto code. Once behaviors are detected, Jackdaw associates a semantic to them. We tested Jackdaw by matching the automatically extracted behaviors against a ground truth of manually defined behaviors, reaching an approximate 95% match. We also verified, through an empirical test, that the semantics we give to behaviors are meaningful.
MAGGI, FEDERICO
ING - Scuola di Ingegneria Industriale e dell'Informazione
3 Oct 2013
2012/2013
Master's thesis
Attached files

File: jackdaw_thesis.pdf (authorized users only from 17/09/2014)
Description: Thesis text
Size: 4.21 MB
Format: Adobe PDF

Documents in POLITesi are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/10589/85226