Inoculation against malware infection using kernel-level software sensors

Raymond Canzanese, Moshe Kam, Spiros Mancoridis

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

4 Scopus citations

Abstract

We present a technique for dynamic malware detection that relies on a set of sensors that monitor the interaction of applications with the underlying operating system. By monitoring the requests that each process makes to kernel-level operating system functions, we build a statistical model that describes both clean and infected systems in terms of the distribution of data collected from each sensor. The model parameters are learned from labeled training data gathered from machines infected with canonical samples of malware. We present a technique for detecting malware using the Neyman-Pearson test from classical detection theory. This technique classifies a system as either clean or infected at runtime as measurements are collected from the sensors. We provide experimental results that illustrate the effectiveness of this technique for a selection of malware samples. Additionally, we provide a performance analysis of our sensing and detection techniques in terms of the overhead they introduce to the system. Finally, we show this method to be effective in detecting previously unknown malware when trained to detect similar malware under similar load conditions.
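The detector the abstract describes can be sketched end to end: learn a per-sensor distribution from labelled clean and infected windows, form the likelihood ratio for a newly observed window, and pick the decision threshold the Neyman-Pearson way, by fixing a false-alarm budget on clean data. The Python below is an added illustration, not the authors' code: it assumes an independent Poisson model for each sensor's request count (the abstract does not state which distribution the paper uses), and the sensor names, training windows and runtime stream are all constructed.

```python
"""
Added example (not the paper's code): a Neyman-Pearson detector over
per-sensor counts of kernel requests, in the spirit of the abstract above.
Each monitoring window yields one count per sensor; counts are modelled
as Poisson with a per-sensor rate learned from labelled clean and
infected training windows. The sensor names, the Poisson model and all
data below are constructed for illustration.
"""
import math
from typing import List, Sequence

# Hypothetical kernel-level sensors: each counts requests of one kind
# that monitored processes made to the operating system in one window.
SENSORS = ("file_open", "registry_set", "net_connect", "proc_create")

# Constructed labelled training windows (one count per sensor, in the
# order of SENSORS). Clean: ordinary workload. Infected: the same
# workload with a malware sample running.
CLEAN_TRAINING = [
    (40, 5, 2, 1), (38, 6, 3, 0), (42, 4, 2, 1), (36, 5, 1, 2), (44, 5, 2, 1),
]
INFECTED_TRAINING = [
    (60, 30, 20, 8), (55, 28, 22, 7), (65, 32, 18, 9), (58, 30, 20, 8), (62, 30, 20, 8),
]
# Constructed clean windows held out for calibrating the threshold.
CLEAN_VALIDATION = [
    (41, 5, 2, 1), (39, 4, 3, 1), (43, 6, 2, 0), (37, 5, 2, 2), (40, 5, 1, 1),
]

Window = Sequence[int]


def learn_rates(windows: Sequence[Window]) -> List[float]:
    """Maximum-likelihood Poisson rate per sensor, i.e. the mean count.
    A small floor keeps log(rate) finite for a sensor never seen firing."""
    n = len(windows)
    return [max(sum(w[i] for w in windows) / n, 1e-3) for i in range(len(SENSORS))]


def log_likelihood_ratio(window: Window, clean: List[float], infected: List[float]) -> float:
    """log P(window | infected) - log P(window | clean) under independent
    Poisson sensors. The log(x!) terms are identical under both hypotheses
    and cancel, leaving x*log(l1/l0) - (l1 - l0) per sensor."""
    return sum(
        x * math.log(l1 / l0) - (l1 - l0)
        for x, l0, l1 in zip(window, clean, infected)
    )


def neyman_pearson_threshold(clean_windows: Sequence[Window], clean: List[float],
                             infected: List[float], alpha: float) -> float:
    """Neyman-Pearson: choose the threshold so that the empirical false-alarm
    rate on clean validation windows is at most alpha; the likelihood-ratio
    test then maximises the detection rate achievable at that budget."""
    llrs = sorted((log_likelihood_ratio(w, clean, infected) for w in clean_windows), reverse=True)
    allowed = min(int(alpha * len(llrs)), len(llrs) - 1)  # false alarms permitted
    return llrs[allowed]  # exactly `allowed` clean windows lie strictly above this


def classify(window: Window, clean: List[float], infected: List[float], threshold: float) -> str:
    return "infected" if log_likelihood_ratio(window, clean, infected) > threshold else "clean"


def first_alarm(stream: Sequence[Window], clean: List[float], infected: List[float], threshold: float):
    """Runtime use: classify each window as it arrives and report the index
    of the first one flagged, or None if the whole stream looks clean."""
    for i, w in enumerate(stream):
        if classify(w, clean, infected, threshold) == "infected":
            return i
    return None


def build_detector(alpha: float = 0.0):
    clean = learn_rates(CLEAN_TRAINING)
    infected = learn_rates(INFECTED_TRAINING)
    threshold = neyman_pearson_threshold(CLEAN_VALIDATION, clean, infected, alpha)
    return clean, infected, threshold


if __name__ == "__main__":
    clean, infected, threshold = build_detector()
    print("clean rates   ", clean)
    print("infected rates", infected)
    print("threshold     ", round(threshold, 3))
    # Constructed runtime stream: three clean windows, then infection.
    stream = [(40, 5, 2, 1), (39, 5, 2, 1), (41, 4, 2, 1), (58, 29, 19, 8), (61, 31, 21, 7)]
    print("first alarm at window", first_alarm(stream, clean, infected, threshold))
```

Two points a practitioner would watch. The threshold is whatever the false-alarm budget dictates on clean data, so with only five validation windows and alpha = 0 it is simply the largest clean log-likelihood ratio seen, and a clean window slightly busier than any in the calibration set will be flagged; a deployment needs far more clean windows, drawn under the load conditions the detector will face, which is the same dependence on "similar load conditions" that the abstract reports. Also, the per-sensor rates learned from one malware sample only transfer to unseen malware that disturbs the same sensors in the same direction, which is what the abstract's closing claim is about.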

Original language: English (US)
Title of host publication: Proceedings of the 8th ACM International Conference on Autonomic Computing, ICAC 2011 and Co-located Workshops
Pages: 101-110
Number of pages: 10
DOIs
State: Published - 2011
Externally published: Yes
Event: 8th ACM International Conference on Autonomic Computing, ICAC 2011 and Co-located Workshops - Karlsruhe, Germany
Duration: Jun 14 2011 - Jun 18 2011

Publication series

Name: Proceedings of the 8th ACM International Conference on Autonomic Computing, ICAC 2011 and Co-located Workshops

Other

Other: 8th ACM International Conference on Autonomic Computing, ICAC 2011 and Co-located Workshops
Country/Territory: Germany
City: Karlsruhe
Period: 6/14/11 - 6/18/11

All Science Journal Classification (ASJC) codes

  • Computational Theory and Mathematics
  • Applied Mathematics

Keywords

  • fault tolerance
  • malware detection
  • system monitoring
