Classifying evasive malware
(2017) EITM01 20171 Department of Electrical and Information Technology
- Abstract
- Malware are becoming increasingly aware of their execution environment. In order
to avoid detection by automated analysis solutions and to obstruct manual analysis,
malware authors are coming up with new ways for their malware to decide
whether it should express its malicious behavior or not.
Previous solutions to this problem focus on, for example, improving the stealth
of analysis environments (to avoid detection by malware), or analyzing differences
in malware behavior when analyzed in different environments.
This thesis proposes an alternative approach to the problem. We perform
automatic dynamic analysis on two sets of malware, containing samples known
to be evasive and non-evasive respectively. The dynamic analysis produces logs
of system calls, which are used to train a machine learning model capable of
detecting evasive behavior. The resulting model is a proof of concept that evasive
behaviour can be detected. A possible use case for the model is as part of a
pipelined solution for malware detection. When testing the developed model, it
was shown that it could correctly label 75% of all samples, with an equal success
rate when considering only the labeling of evasive samples.
Please use this url to cite or link to this publication:
http://lup.lub.lu.se/student-papers/record/8919255
- author: Norrestam, David LU and Ekenstein, Gustaf
- supervisor
- organization
- course: EITM01 20171
- year: 2017
- type: H2 - Master's Degree (Two Years)
- subject
- keywords: machine learning, malware, evasive malware
- report number: LU/LTH-EIT 2017-584
- language: English
- id: 8919255
- date added to LUP: 2017-06-28 10:53:38
- date last changed: 2017-06-28 10:53:38
@misc{8919255,
  abstract = {{Malware are become increasingly aware of their execution environment. In order to avoid detection by automated analysis solutions and to obstruct manual analysis, malware authors are coming up with new ways for their malware to decide whether it should express its malicious behavior or not. Previous solutions to this problem focus on for example improving the stealth of analysis environments (to avoid detection by malware), or analyzing differences in malware behavior when analyzed in different environments. This thesis proposes an alternative approach to the problem. We perform automatic dynamic analysis on two sets of malware, containing samples known to be evasive and non-evasive respectively. The dynamic analysis produces logs of system calls, which are used to train a machine learning model, capable of detecting evasive behavior. This resulting model is a proof of concept that evasive behaviour can be detected. A possible use case for the model, is as part of a pipelined solution for malware detection. When testing the developed model, it was shown that it could correctly label 75% of all samples, with an equal success rate when considering only the labeling of evasive samples.}},
  author = {{Norrestam, David and Ekenstein, Gustaf}},
  language = {{eng}},
  note = {{Student Paper}},
  title = {{Classifying evasive malware}},
  year = {{2017}},
}