A Layered Architecture for Detecting Malicious Behaviors / L. Martignoni, E. Stinson, M. Fredrikson, S. Jha, J.C. Mitchell. In: Recent Advances in Intrusion Detection: 11th International Symposium, RAID 2008, Cambridge, MA, USA, September 15-17, 2008. Proceedings / edited by R. Lippmann, E. Kirda, A. Trachtenberg. Berlin: Springer, September 2008. ISBN 978-3-540-87402-7. pp. 78-97 (conference: International Symposium on Recent Advances in Intrusion Detection) [doi:10.1007/978-3-540-87403-4].
A Layered Architecture for Detecting Malicious Behaviors
L. Martignoni (first author)
2008
Abstract
We address the semantic gap problem in behavioral monitoring by using hierarchical behavior graphs to infer high-level behaviors from myriad low-level events that could be parts of many different kinds of behavior. Our experimental system traces the execution of a process, performing data-flow analysis to identify meaningful actions such as “proxying”, “keystroke logging”, “data leaking”, and “downloading and executing a program” from complex combinations of rudimentary system calls. To preemptively address evasive malware behavior, our specifications are carefully crafted to detect alternate sequences of events that achieve the same high-level goal. We tested seven malicious bots and eleven benign programs and found that we were able to thoroughly identify high-level behaviors across this diverse code base. Moreover, we were able to distinguish malicious execution of high-level behaviors from benign by distinguishing remotely-initiated from locally-initiated actions.

File | Size | Format | |
---|---|---|---|
paper.pdf (open access; type: Publisher's version/PDF) | 1.4 MB | Adobe PDF | View/Open |
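The abstract describes three ideas that are easy to lose in the prose: a data-flow layer that labels values derived from the network, an intermediate layer that abstracts several alternate API calls into one behavior so that swapping one call for another does not evade the match, and a top layer that composes those into a high-level behavior while recording whether the action was remotely or locally initiated. The following toy matcher is an added illustration of that layering, not the paper's own specifications, tool, or evaluation data: the trace format, the API names, the `FLOW_RULES`, `WRITE_APIS` and `EXEC_APIS` sets, the `parse_cmd` pseudo-call, and all three traces are constructed for this example.

```python
"""Toy three-layer behavior matcher in the spirit of the abstract above.

Constructed illustration only: the trace format, API names, data-flow
rules and behavior specifications are assumptions made for this example,
not the paper's own specifications or tool.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Event:
    """One low-level event: API name plus arguments as symbolic values."""
    api: str
    args: Dict[str, str]


# Layer 1 (data flow): APIs that introduce the "net" label, and how the label
# moves between argument values. Argument values double as object names.
NET_SOURCES = {"recv", "recvfrom", "InternetReadFile"}
FLOW_RULES: Dict[str, Tuple[List[str], List[str]]] = {
    "recv":             ([], ["buf"]),
    "recvfrom":         ([], ["buf"]),
    "InternetReadFile": ([], ["buf"]),
    "strcpy":           (["src"], ["dst"]),
    "parse_cmd":        (["buf"], ["url", "path"]),  # assumed bot command parser
}
# Alternate API sequences that reach the same goal; the specification lists
# all of them so that substituting one call for another does not evade it.
WRITE_APIS = {"WriteFile", "write", "fwrite"}
EXEC_APIS = {"CreateProcess", "WinExec", "ShellExecute", "system"}

Annotated = List[Tuple[Event, Dict[str, Set[str]]]]


def propagate_taint(trace: List[Event]) -> Annotated:
    """Layer 1: record the labels each argument carried when the call was
    made, then propagate 'net' from sources to sinks per FLOW_RULES."""
    taint: Dict[str, Set[str]] = {}
    annotated: Annotated = []
    for ev in trace:
        labels = {a: set(taint.get(v, set())) for a, v in ev.args.items()}
        annotated.append((ev, labels))
        srcs, sinks = FLOW_RULES.get(ev.api, ([], []))
        incoming = {"net"} if ev.api in NET_SOURCES else set()
        for s in srcs:
            incoming |= taint.get(ev.args[s], set())
        for d in sinks:
            taint[ev.args[d]] = taint.get(ev.args[d], set()) | incoming
    return annotated


def intermediate_behaviors(annotated: Annotated) -> List[Tuple[str, str, bool]]:
    """Layer 2: (behavior, path, remotely_chosen) triples. A write whose
    buffer derives from the network is a 'net_download'; any API in
    EXEC_APIS is an 'execute'. The flag says whether the path argument
    itself was derived from remote data (a remotely issued command)."""
    out = []
    for ev, labels in annotated:
        if ev.api in WRITE_APIS and "net" in labels.get("buf", set()):
            out.append(("net_download", ev.args["path"], "net" in labels["path"]))
        elif ev.api in EXEC_APIS:
            out.append(("execute", ev.args["path"], "net" in labels["path"]))
    return out


def high_level_behaviors(inter: List[Tuple[str, str, bool]]) -> List[dict]:
    """Layer 3: download_and_execute = net_download(path) later followed by
    execute(path); remotely initiated if either step's target was selected
    by network-derived data, locally initiated otherwise."""
    downloaded: Dict[str, bool] = {}
    found = []
    for kind, path, remote in inter:
        if kind == "net_download":
            downloaded[path] = remote
        elif kind == "execute" and path in downloaded:
            found.append({"behavior": "download_and_execute", "path": path,
                          "remotely_initiated": downloaded[path] or remote})
    return found


def analyze(trace: List[Event]) -> List[dict]:
    return high_level_behaviors(intermediate_behaviors(propagate_taint(trace)))


# Constructed traces (not real bot or application traces).
BOT_TRACE = [
    Event("connect", {"sock": "s1", "addr": "irc.example.net:6667"}),
    Event("recv", {"sock": "s1", "buf": "cmdbuf"}),
    Event("parse_cmd", {"buf": "cmdbuf", "url": "http://dl.example/p.exe",
                        "path": r"C:\Temp\p.exe"}),
    Event("InternetReadFile", {"url": "http://dl.example/p.exe", "buf": "payload"}),
    Event("write", {"path": r"C:\Temp\p.exe", "buf": "payload"}),    # alternate write API
    Event("WinExec", {"path": r"C:\Temp\p.exe"}),                     # alternate exec API
]
UPDATER_TRACE = [
    Event("InternetReadFile", {"url": "https://updates.example/setup.exe", "buf": "payload"}),
    Event("WriteFile", {"path": r"C:\ProgramData\App\setup.exe", "buf": "payload"}),
    Event("CreateProcess", {"path": r"C:\ProgramData\App\setup.exe"}),
]
EDITOR_TRACE = [
    Event("WriteFile", {"path": r"C:\Users\me\notes.txt", "buf": "textbuf"}),
    Event("CreateProcess", {"path": r"C:\Windows\notepad.exe"}),
]

if __name__ == "__main__":
    for name, t in [("bot", BOT_TRACE), ("updater", UPDATER_TRACE), ("editor", EDITOR_TRACE)]:
        print(name, analyze(t))
```

Both the bot and the updater trace match "download and execute" even though they use different write and execute APIs; what separates them is that the bot's target path flows from a received command, so the action is flagged as remotely initiated, while the updater's path is a local constant. The editor trace writes and executes but never joins a network-derived buffer to a later execution, so no high-level behavior is reported. A real implementation would track taint at the byte level inside the process rather than over symbolic argument values as done here.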