Despite the widespread deployment of malware detection software, in many situations it is difficult to preemptively block a malicious program from infecting a system. Rather, signatures for detection are usually available only after malware have started to infect a large group of systems. Ideally, infected systems should be reinstalled from scratch. However, due to the high cost of reinstallation, users may prefer to rely on the remediation capabilities of malware detectors to revert the effects of an infection. Unfortunately, current malware detectors perform this task poorly, leaving users’ systems in an unsafe or unstable state. This paper presents an architecture to automatically generate remediation procedures from malicious programs—procedures that can be used to remediate all and only the effects of the malware’s execution in any infected system. We have implemented a prototype of this architecture and used it to generate remediation procedures for a corpus of more than 200 malware binaries. Our evaluation demonstrates that the algorithm outperforms the remediation capabilities of top-rated commercial malware detectors.

Automatic generation of remediation procedures for malware infections / R. Paleari, L. Martignoni, E. Passerini, D. Davidson, M. Fredrikson, J. Giffin, S. Jha - In: Proceedings of the 19th USENIX Security Symposium. [s.l.] : USENIX Association, 2010. - ISBN 978-1-931971-77-5. - pp. 419-434 (Paper presented at the 19th USENIX Security Symposium, held in Washington in 2010.)

Automatic generation of remediation procedures for malware infections

R. Paleari; E. Passerini
2010

Disciplinary field: INF/01 - Computer Science
2010
USENIX Association
http://www.usenix.org/events/sec10/tech/full_papers/security10_proceedings.pdf
Book Part (author)
Files in this record:
There are no files associated with this record.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this record: https://hdl.handle.net/2434/152652
Citations
  • Scopus: 20