Presentation is loading. Please wait.

Presentation is loading. Please wait.

A System Call Analysis Method with MapReduce for Malware Detection 2011 IEEE 17th International Conference on Parallel and Distributed Systems Shun-Te.

Published byHenry Phillips Modified over 9 years ago

Similar presentations

Presentation on theme: "A System Call Analysis Method with MapReduce for Malware Detection 2011 IEEE 17th International Conference on Parallel and Distributed Systems Shun-Te."— Presentation transcript:

1 A System Call Analysis Method with MapReduce for Malware Detection 2011 IEEE 17th International Conference on Parallel and Distributed Systems Shun-Te Liu *, Hui-ching Huang* Information & Communication Security Lab TL, Chunghwa Telecom Co., Ltd. Yi-Ming Chen Department of Information Management National Central University 102062602 黃建忠 1/22

2 outline  Introduction  Detect malware behavior  Evaluation  Conclution 2/22

3 Malware by categories 3 / 22

4 How to detect malware  Signature-based approach  Behavior-based approach 4 / 22

5 Behavior-based approach  Detect malware by real-time monitoring mechanisms  Ex: system call monitoring (procMon) 5 /22

6 Malicious behavior patterns  Privacy invasion  Self-replication  Persistent behavior 6 / 22

7 Mordern malware  Discrete behavior download malicious module  Module-base malware driver or DLL 7 / 22

8 requirements  the collected and analyzed data is much richer (system calls)  module dependency 8 /22

9 Client–server model 9 /22

10 MapReduce  A programming model for processing large data sets with a parallel, distributed algorithm on a cluster  Apache Hadoop 10/22

11 Persistent behavior  Malware ASEP ( auto-start extensibility point) Remain alive after system reboot 11/22

12 ASEP(1)  Can be a file or registry keys  Ex: autorun.ini 12/22

13 ASEP(2)  HKLM\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run  HKLM\SOFTWARE\Microsoft\ Windows NT\ CurrentVersion\Winlogon\Notify (dll)  HKLM\System\CurrentControlSet\ (driver) 13 /22

14 Persistent behavior module(1) 14 /22

15 Persistent behavior module(2) 15 / 22

16 Dependency Relationship(1)  ASEP is seen as a part of module  white list filter 16 / 22

17 Dependency Relationship(2)  M i M j 17 / 22

18 Dependency structure matrix  Check diagonal cells  A B, B C, C A 18 / 22

19 Accuracy 19/22

20 Performance 20 / 22

21 contribution  Propose a relation-based method to correlate the discrete behavior of malware.  Implement a prototype of Maltrix on the Hadoop platform. 21 / 22

22 challenges  Some malwares don’t require ASEP  The cost of data transmission hasn't been measured.  Anti-api hooking  Without using system calls 22/22

Download ppt "A System Call Analysis Method with MapReduce for Malware Detection 2011 IEEE 17th International Conference on Parallel and Distributed Systems Shun-Te."

Similar presentations

Suggested Course Outline Cloud Computing Bahga & Madisetti, © 2014Book website: www.cloudcomputingbook.info.

Suggested Course Outline Cloud Computing Bahga & Madisetti, © 2014Book website:
Alex Crowell, Rutgers University Computer Science and Mathematics Advisor: Prof. Danfeng Yao, Computer Science Department.

Alex Crowell, Rutgers University Computer Science and Mathematics Advisor: Prof. Danfeng Yao, Computer Science Department.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
SecureMR: A Service Integrity Assurance Framework for MapReduce Wei Wei, Juan Du, Ting Yu, Xiaohui Gu North Carolina State University, United States Annual.

SecureMR: A Service Integrity Assurance Framework for MapReduce Wei Wei, Juan Du, Ting Yu, Xiaohui Gu North Carolina State University, United States Annual.
KLIMAX: Profiling Memory Write Patterns to Detect Keystroke-Harvesting Malware Stefano Ortolani 1, Cristiano Giuffrida 1, and Bruno Crispo 2 1 Vrije Universiteit.

KLIMAX: Profiling Memory Write Patterns to Detect Keystroke-Harvesting Malware Stefano Ortolani 1, Cristiano Giuffrida 1, and Bruno Crispo 2 1 Vrije Universiteit.
Design and Evaluation of a Real-Time URL Spam Filtering Service

Design and Evaluation of a Real-Time URL Spam Filtering Service
A Hierarchical Hybrid Structure for Botnet Control and Command A Hierarchical Hybrid Structure for Botnet Control and Command Zhiqi Zhang, Baochen Lu,

A Hierarchical Hybrid Structure for Botnet Control and Command A Hierarchical Hybrid Structure for Botnet Control and Command Zhiqi Zhang, Baochen Lu,
Edith C. H. Ngai1, Jiangchuan Liu2, and Michael R. Lyu1

Edith C. H. Ngai1, Jiangchuan Liu2, and Michael R. Lyu1
Web-based Distributed Flexible Manufacturing System (FMS) Monitoring and Control Student: Wei Liu Instructor: Dr. Chang Apr. 23, 2003.

Web-based Distributed Flexible Manufacturing System (FMS) Monitoring and Control Student: Wei Liu Instructor: Dr. Chang Apr. 23, 2003.
An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.

An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.
Alex Crowell, Rutgers University Computer Science and Mathematics Advisor: Prof. Danfeng Yao, Computer Science Department.

Alex Crowell, Rutgers University Computer Science and Mathematics Advisor: Prof. Danfeng Yao, Computer Science Department.
Kaspersky Lab: The Best of Both Worlds Alexey Denisyuk, pre-sales engineer Kaspersky Lab Eastern Europe 5 th April 2012 / 2 nd InfoCom Security Conference.

Kaspersky Lab: The Best of Both Worlds Alexey Denisyuk, pre-sales engineer Kaspersky Lab Eastern Europe 5 th April 2012 / 2 nd InfoCom Security Conference.
Midterm Presentation Undergraduate Researchers: Graduate Student Mentor: Faculty Mentor: Jordan Cowart, Katie Allmeroth Krist Culmer Dr. Wenjun (Kevin)

Midterm Presentation Undergraduate Researchers: Graduate Student Mentor: Faculty Mentor: Jordan Cowart, Katie Allmeroth Krist Culmer Dr. Wenjun (Kevin)
SMS Mobile Botnet Detection Using A Multi-Agent System Abdullah Alzahrani, Natalia Stakhanova, and Ali A. Ghorbani Faculty of Computer Science, University.

SMS Mobile Botnet Detection Using A Multi-Agent System Abdullah Alzahrani, Natalia Stakhanova, and Ali A. Ghorbani Faculty of Computer Science, University.
Advanced Phasor Measurement Units for the Real-Time Monitoring

Advanced Phasor Measurement Units for the Real-Time Monitoring
Automated malware classification based on network behavior

Automated malware classification based on network behavior
Cloud Computing Introduction to China-cloud Project and Related Works in JSI Yi Liu Sino-German Joint Software Institute, Beihang Univ. May 2011.

Cloud Computing Introduction to China-cloud Project and Related Works in JSI Yi Liu Sino-German Joint Software Institute, Beihang Univ. May 2011.
Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis Authors: Heng Yin, Dawn Song, Manuel Egele, Christoper Kruegel, and.

Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis Authors: Heng Yin, Dawn Song, Manuel Egele, Christoper Kruegel, and.
Cloud MapReduce : a MapReduce Implementation on top of a Cloud Operating System Speaker : 童耀民 MA1G0222 2013.06.11 Authors: Huan Liu, Dan Orban Accenture.

Cloud MapReduce : a MapReduce Implementation on top of a Cloud Operating System Speaker : 童耀民 MA1G Authors: Huan Liu, Dan Orban Accenture.
1 Secure Cooperative MIMO Communications Under Active Compromised Nodes Liang Hong, McKenzie McNeal III, Wei Chen College of Engineering, Technology, and.

1 Secure Cooperative MIMO Communications Under Active Compromised Nodes Liang Hong, McKenzie McNeal III, Wei Chen College of Engineering, Technology, and.

Similar presentations

Ads by Google