Languages

You are here

Combing Dynamic Passive Analysis and Active Fingerprinting for Effective Bot Malware Detection in Virtualized Environments

[Project Closed] From Jan. 2010 to Dec. 2013 @ Department of Information Management, National Taiwan University as PhD candidate under the supervision of Dr. Yeali S. Sun.

Problem. Network-based detection approach monitors the network traffic by signature matching or anomaly detection techniques. It is transparent to the monitored hosts; however, as a passive detector, it misses malwares when they are in their incubation period. On the other hand, host-based detection system can closely monitor the host and collect extra information; however, the detection agent may be detected by the bots, i.e., not transparent.

Goal. In order to overcome 1) the passivity issue of current detectors and 2) the transparency issue. I propose a bot profiling and detection mechanism within the VMM with both passive and active detection approaches. It takes both passive and active detection approaches that the passive detection agent lies in the VMM to examine the tainted data used by a bot to check against bot behavior profiles and the active detection agent that performs active bot fingerprinting can actively send specific stimulus to a guest and examine if there exists expected triggered behavior.

Design. The logic for API instrumentation is shown below.

The design of dynamic analysis in a virtualized environment

Result.

The example of Windows execution profile in terms of Windows API calls.

Research Achievement.

  • An automatic dynamic profiling system for Windows malware.
  • Provide more than 400+ malware profiles for academic use.

Publication

  • Shun-Wen Hsiao, Yi-Ning Chen, Yeali S. Sun, and Meng Chang Chen, “A Cooperative Botnet Profiling and Detection in Virtualized Environment,” in Proc. IEEE Conference on Communications and Network Security (IEEE CNS 2013), Washington, D.C., Oct. 2013. (EI)
  • Shun-Wen Hsiao, Yi-Ning Chen, Yeali S. Sun, and Meng Chang Chen, “Combining Dynamic Passive Analysis and Active Fingerprinting for Effective Bot Malware Detection in Virtualized Environments,” in Proc. 7th International Conference on Network and System Security (NSS 2013), Madrid, Spain, Jun. 2013, LNCS vol. 7873, pp. 699-706. (EI)
Undefined
Copyright 2013 © Advanced Networking Technologies and Services Group, ALL RIGHT RESERVED.