Abstract

This paper presents an overview of our findings on trigger-based malware behavior elicitation, classification, modeling, and behavioral signature generation. Considering how malware reacts to environmental conditions, we propose a new classification of trigger-based malware behavior into evasive and elicited behaviors. Both kinds of behavior depend on evaluating environmental conditions; however, evasive behaviors serve self-defense, while elicited behaviors reflect malware opportunism in carrying out malicious acts. Therefore, models representing such behaviors should indicate which conditions lead to which sub-behaviors. To this aim, we propose a new behavioral model based on a conditioned graph structure. To elicit trigger-based behaviors, we offer a greedy approach that gradually collects and feeds environmental conditions over successive runs of a malware sample. To support this, we have equipped our analysis environment, the Parsa sandbox, with a new component, VECG, which analyzes and records the relevant API calls. VECG uses these API calls to supply the different environmental conditions and resources expected by trigger-based malware while the malware behavior is being analyzed. We introduce a new algorithm, Htest, that selects the most discriminative sub-graphs of the conditioned behavioral models as the unique signature of a malware family. The resultant behavioral models, applied as malware signatures, are evaluated on 1700 malicious programs belonging to 16 families. The signatures are evaluated once without, and then under, different environmental conditions. We observe that our signatures segregate malware family samples with an accuracy of 97.1%, while the accuracy drops to about 22.91% if the environmental conditions are neglected.
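The following is an added illustrative example, not code from the paper, the Parsa sandbox, VECG, or the Htest algorithm. It models the abstract's central idea in a simplified form: API-call traces become conditioned behavior graphs whose edges carry the environmental condition that led to each transition; a family signature is the set of edges whose support inside the family exceeds their support elsewhere (a simple discriminativeness score standing in for Htest's sub-graph selection); and the same classifier is run with the condition labels kept and then stripped. The API names, condition strings, family names, and traces are constructed for the example only, and they are chosen so that two families share exactly the same API transitions and differ only in which environmental condition triggers the destructive path, which is the situation in which neglecting conditions collapses the signatures.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, Optional, Tuple

# A trace is a list of (api_name, condition) events. `condition` is the
# environmental check result that gated the call, or None if unconditioned.
Event = Tuple[str, Optional[str]]
# An edge of the conditioned behavior graph: (caller_api, next_api, condition).
Edge = Tuple[str, str, Optional[str]]

# Constructed training traces (hypothetical families, not from the paper).
# Both families show the same API transitions; only the triggering condition
# of the file-deletion path differs.
TRAINING: Dict[str, List[List[Event]]] = {
    "FamilyA": [
        [("GetSystemTime", None), ("DeleteFile", "date>=2021-01-01"), ("ExitProcess", None)],
        [("GetSystemTime", None), ("Sleep", "date<2021-01-01"), ("ExitProcess", None)],
    ],
    "FamilyB": [
        [("GetSystemTime", None), ("Sleep", "date>=2021-01-01"), ("ExitProcess", None)],
        [("GetSystemTime", None), ("DeleteFile", "date<2021-01-01"), ("ExitProcess", None)],
    ],
}
# Constructed held-out sample; it belongs to FamilyA by its trigger condition.
HELD_OUT: List[Event] = [
    ("GetSystemTime", None), ("DeleteFile", "date>=2021-01-01"), ("ExitProcess", None),
]


def conditioned_graph(trace: List[Event], keep_conditions: bool = True) -> FrozenSet[Edge]:
    """Build the edge set of a conditioned behavior graph from an API trace.

    With keep_conditions=False the condition label is dropped from every edge,
    which models an analysis that neglects environmental conditions."""
    edges = set()
    for (src, _), (dst, cond) in zip(trace, trace[1:]):
        edges.add((src, dst, cond if keep_conditions else None))
    return frozenset(edges)


def edge_support(graphs: List[FrozenSet[Edge]]) -> Dict[Edge, float]:
    """Fraction of graphs in the list that contain each edge."""
    counts: Dict[Edge, int] = defaultdict(int)
    for g in graphs:
        for e in g:
            counts[e] += 1
    return {e: c / len(graphs) for e, c in counts.items()}


def discriminative_signatures(
    families: Dict[str, List[FrozenSet[Edge]]]
) -> Dict[str, FrozenSet[Edge]]:
    """Per family, keep edges whose in-family support exceeds their maximum
    support in any other family. This is a deliberately simple substitute
    for the paper's sub-graph selection, not the Htest algorithm itself."""
    supports = {fam: edge_support(gs) for fam, gs in families.items()}
    signatures: Dict[str, FrozenSet[Edge]] = {}
    for fam, sup in supports.items():
        chosen = set()
        for edge, s in sup.items():
            elsewhere = max(
                (supports[o].get(edge, 0.0) for o in supports if o != fam), default=0.0
            )
            if s - elsewhere > 0:
                chosen.add(edge)
        signatures[fam] = frozenset(chosen)
    return signatures


def classify(graph: FrozenSet[Edge], signatures: Dict[str, FrozenSet[Edge]]) -> Optional[str]:
    """Return the family whose signature shares the most edges with the graph,
    or None when no signature edge matches (the sample is unclassified)."""
    best, best_score = None, 0
    for fam, sig in signatures.items():
        score = len(graph & sig)
        if score > best_score:
            best, best_score = fam, score
    return best


def run_experiment(keep_conditions: bool) -> Tuple[Optional[str], Dict[str, FrozenSet[Edge]]]:
    """Train signatures and classify the held-out sample, with or without
    environmental conditions on the graph edges."""
    families = {
        fam: [conditioned_graph(t, keep_conditions) for t in traces]
        for fam, traces in TRAINING.items()
    }
    signatures = discriminative_signatures(families)
    return classify(conditioned_graph(HELD_OUT, keep_conditions), signatures), signatures


if __name__ == "__main__":
    for keep in (True, False):
        label, sigs = run_experiment(keep)
        print(f"conditions kept={keep}: predicted={label}, "
              f"signature sizes={ {f: len(s) for f, s in sigs.items()} }")
```

With the condition labels kept, each family's signature contains the two condition-specific edges that the other family lacks, and the held-out sample is assigned to FamilyA. With the labels stripped, every edge has identical support in both families, both signatures are empty, and the sample cannot be classified at all, which is the mechanism behind the accuracy drop the abstract reports when environmental conditions are neglected.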
