Multi-channel change-point malware detection

Raymond Canzanese, Moshe Kam, Spiros Mancoridis

Research output: Contribution to conferencePaperpeer-review

6 Scopus citations

Abstract

The complex computing systems employed by governments, corporations, and other institutions are frequently targeted by cyber-attacks designed for espionage and sabotage. The malicious software used in such attacks are typically custom-designed or obfuscated to avoid detection by traditional antivirus software. Our goal is to create a malware detection system that can quickly and accurately detect such otherwise difficult-to-detect malware. We pose the problem of malware detection as a multi-channel change-point detection problem, wherein the goal is to identify the point in time when a system changes from a known clean state to an infected state. We present a host-based malware detection system designed to run at the hyper visor level, monitoring hyper visor and guest operating system sensors and sequentially determining whether the host is infected. We present a case study wherein the detection system is used to detect various types of malware on an active web server under heavy computational load.

Original languageEnglish (US)
Pages70-79
Number of pages10
DOIs
StatePublished - 2013
Externally publishedYes
Event7th International Conference on Software Security and Reliability, SERE 2013 - Gaithersburg, MD, United States
Duration: Jun 18 2013Jun 20 2013

Other

Other7th International Conference on Software Security and Reliability, SERE 2013
Country/TerritoryUnited States
CityGaithersburg, MD
Period6/18/136/20/13

All Science Journal Classification (ASJC) codes

  • Software
  • Safety, Risk, Reliability and Quality

Keywords

  • behavioral detection
  • change detection
  • change-point detection
  • malware
  • multi-channel
  • quickest detection

Fingerprint

Dive into the research topics of 'Multi-channel change-point malware detection'. Together they form a unique fingerprint.

Cite this