Malware Profiler Based on Innovative Behavior-Awareness Technique


Bibliographic Details
Main Authors: Shih-Yao Dai, 戴士堯
Other Authors: Sy-Yen Kuo
Format: Others
Language: en_US
Published: 2011
Online Access: http://ndltd.ncl.edu.tw/handle/93181455145688367030
Description
Summary: Degree: PhD; Institution: 國立臺灣大學 (National Taiwan University); Department: 電機工程學研究所 (Graduate Institute of Electrical Engineering); Academic year: 99. Behavior-based detection and signature-based detection are two popular approaches in malware (malicious software) analysis. The security industry, especially anti-virus vendors, has been using signature-based technologies for years; however, this approach can hardly identify unknown malware. On the other hand, behavior-based malware detection has the potential to identify unknown malware, but its accuracy relies on a sound behavior model; otherwise it leads to a high rate of false positives (malware is reported where in truth there is none) and/or false negatives (failing to detect malware that is in truth present). Unfortunately, with the increasing complexity of malware techniques and the limitations of existing automatic tools, the behavior models built today are generally not sufficient to defeat modern malware. In this paper, we implement a behavior-based profiler on top of a virtual machine emulator (qemu) that captures all system processes and analyzes their CPU instructions, CPU registers and the memory they use. The captured information is stored in a relational database, and data mining techniques are applied to it. We demonstrate the breadth of the Holography platform's applications by conducting several experimental test cases: a packed binary behavior analysis and a malvertising (malicious advertising) incident tracing. Both of these tasks are known to be difficult to analyze and investigate using existing methods. We demonstrate that precise behavior information can be easily obtained through the Holography platform. We feel confident that Holography can provide security researchers and automated systems with a reliable malicious software behavior analysis platform.