1. Publications
  2. AccessMiner: using system-centric models for malware protection
print

AccessMiner: using system-centric models for malware protection

Lanzi, Andrea; Balzarotti, Davide; Kruegel, Christopher; Christodorescu, Mihai; Kirda, Engin
CCS 2010, 17th ACM Conference on Computer and Communications Security, October 4-8, 2010, Chicago, IL, USA

Models based on system calls are a popular and common approach to characterize the run-time behavior of programs. For example, system calls are used by intrusion detection systems to detect software exploits. As another example, policies based on system calls are used to sandbox applications or to enforce access control. Given that malware represents a significant security threat for today's computing infrastructure, it is not surprising that system calls were also proposed to distinguish between benign processes and malicious code.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Most proposed malware detectors that use system calls follows program-centric analysis approach. That is, they build models based on specific behaviors of individual applications. Unfortunately, it is not clear how well these models generalize, especially when exposed to a diverse set of previously-unseen, real-world applications that operate on realistic inputs. This is particularly problematic as most previous work has used only a small set of programs to measure their technique's false positive rate. Moreover, these programs were run for a short time, often by the authors themselves.

 

 

 

 

 

 

 

In this paper, we study the diversity of system calls by performing a large-scale collection (compared to previous efforts) of system calls on hosts that run applications for regular users on actual inputs. Our analysis of the data demonstrates that simple malware detectors, such as those based on system call sequences, face significant challenges in such environments. To address the limitations of program-centric approaches, we propose an alternative detection model that characterizes the general interactions between benign programs and the operating system (OS). More precisely, our system-centric approach models the way in which benign programs access OS resources (such as files and registry entries). Our experiments demonstrate that this approach captures well the behavior of benign programs and raises very few (even zero) false positives while being able to detect a significant fraction of today's malware.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 


Detail
Document
DOI
BIBTEX
Type:
Conférence
City:
Chicago
Date:
2010-10-04
Department:
Sécurité numérique
Eurecom Ref:
3236
Copyright:
© ACM, 2010. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in CCS 2010, 17th ACM Conference on Computer and Communications Security, October 4-8, 2010, Chicago, IL, USA http://dx.doi.org/10.1145/1866307.1866353
See also:
LANZI Andrea
BALZAROTTI Davide
PERMALINK : https://www.eurecom.fr/publication/3236