Classifying evasive malware

Norrestam, David (LU) and Ekenstein, Gustaf (2017) EITM01 20171
Department of Electrical and Information Technology
Abstract
Malware is becoming increasingly aware of its execution environment. In order
to avoid detection by automated analysis solutions and to obstruct manual analysis,
malware authors are coming up with new ways for their malware to decide
whether or not it should express its malicious behavior.

Previous solutions to this problem focus on, for example, improving the stealth
of analysis environments (to avoid detection by malware), or on analyzing differences
in malware behavior when it is analyzed in different environments.

This thesis proposes an alternative approach to the problem. We perform
automatic dynamic analysis on two sets of malware, containing samples known
to be evasive and non-evasive respectively. The dynamic analysis produces logs
of system calls, which are used to train a machine learning model capable of
detecting evasive behavior. The resulting model is a proof of concept that evasive
behavior can be detected. A possible use case for the model is as part of a
pipelined solution for malware detection. When testing the developed model, it
was shown that it could correctly label 75% of all samples, with an equal success
rate when considering only the labeling of evasive samples.
author: Norrestam, David (LU) and Ekenstein, Gustaf
organization: Department of Electrical and Information Technology
course: EITM01 20171
year: 2017
type: H2 - Master's Degree (Two Years)
keywords: machine learning, malware, evasive malware
report number: LU/LTH-EIT 2017-584
language: English
id: 8919255
date added to LUP: 2017-06-28 10:53:38
date last changed: 2017-06-28 10:53:38
@misc{8919255,
  abstract     = {Malware are become increasingly aware of their execution environment. In order
to avoid detection by automated analysis solutions and to obstruct manual analysis,
malware authors are coming up with new ways for their malware to decide
whether it should express its malicious behavior or not.
Previous solutions to this problem focus on for example improving the stealth
of analysis environments (to avoid detection by malware), or analyzing differences
in malware behavior when analyzed in different environments.
This thesis proposes an alternative approach to the problem. We perform
automatic dynamic analysis on two sets of malware, containing samples known
to be evasive and non-evasive respectively. The dynamic analysis produces logs
of system calls, which are used to train a machine learning model, capable of
detecting evasive behavior. This resulting model is a proof of concept that evasive
behaviour can be detected. A possible use case for the model, is as part of a
pipelined solution for malware detection. When testing the developed model, it
was shown that it could correctly label 75% of all samples, with an equal success
rate when considering only the labeling of evasive samples.},
  author       = {Norrestam, David and Ekenstein, Gustaf},
  keyword      = {machine learning,malware,evasive malware},
  language     = {eng},
  note         = {Student Paper},
  title        = {Classifying evasive malware},
  year         = {2017},
}