Enabling Efficient Detection and Forensic Investigation of Malicious Software Downloads

Phani Vadrevu, University of Georgia

  • Computer Science Seminar
  • Colloquium

When: Tue, Jan 30, 2018, from 11:00 AM to 11:50 AM
Where: Ritter Hall 229

Malware infections have been on a steady rise in recent years, causing increasing financial damage and data loss. The advent of techniques such as code polymorphism has resulted in a huge proliferation of new malware, and traditional malware detection and analysis methods have lagged behind in grappling with this problem. In this research work, we developed novel malware detection and analysis systems to help alleviate it.

First, we developed a system called AMICO that can detect malicious software downloads in live web traffic. Using supervised learning techniques, AMICO learns a provenance classifier that takes network user behavior into consideration and can differentiate between malware and benign software downloads. Pilot tests showed that AMICO can detect up to 90% of malware downloads at a false positive rate below 0.1%.

Next, to make the analysis of all downloaded malware more scalable, we developed a system called MAXS, a novel probabilistic framework for scaling the execution of malware in analysis environments. A prototype implementation and an evaluation on large real-world datasets showed that MAXS can reduce malware execution time by up to 50% with less than 0.3% information loss.

Finally, to aid the forensic investigation of how malware downloads happen in the first place, we developed ChromePic, a web browser with an embedded forensic engine. ChromePic is a lightweight, portable, efficient and always-on solution that records fine-grained browser logs, including screenshots and the state of the DOM during user interactions. Experimental evaluation on Android and Linux showed that ChromePic is useful in deconstructing a variety of real-world web attacks, and its overhead of less than 150 ms makes the recording practically imperceptible to the end user.