Approved
Classifying evasive malware
David Norrestam (2014) and Gustaf Ekenstein (2011)
Start
2017-01-23
Presentation
2017-06-12 09:15
Location:
E:3139
Completed:
2017-06-27
Thesis report:
Summary
Malware is becoming increasingly aware of its execution environment. In order to avoid detection by automated analysis solutions and to obstruct manual analysis, malware authors are coming up with new ways for their malware to decide whether or not it should express its malicious behavior. Previous solutions to this problem focus on, for example, improving the stealth of analysis environments (to avoid detection by malware), or analyzing differences in malware behavior when it is analyzed in different environments. This thesis proposes an alternative approach to the problem: we perform automatic dynamic analysis on two sets of malware, containing samples known to be evasive and non-evasive, respectively. The dynamic analysis produces logs of system calls, which are used to train a machine learning model capable of detecting evasive behavior. The resulting model is a proof of concept that evasive behavior can be detected, with a possible use case being a component in a pipelined solution for malware detection.
Supervisors: David Olander (SecureLink) and Paul Stankovski Wagner (EIT)
Examiner: Thomas Johansson (EIT)