PyTrigger: A System to Trigger & Extract User-Activated Malware Behavior

2013 International Conference on Availability, Reliability and Security Pub Date : 2013-09-02 DOI:10.1109/ARES.2013.16

D. Fleck, A. Tokhtabayev, Alex Alarif, A. Stavrou, Tomas Nykodym

{"title":"PyTrigger: A System to Trigger & Extract User-Activated Malware Behavior","authors":"D. Fleck, A. Tokhtabayev, Alex Alarif, A. Stavrou, Tomas Nykodym","doi":"10.1109/ARES.2013.16","DOIUrl":null,"url":null,"abstract":"We introduce PyTrigger, a dynamic malware analysis system that automatically exercises a malware binary extracting its behavioral profile even when specific user activity or input is required. To accomplish this, we developed a novel user activity record and playback framework and a new behavior extraction approach. Unlike existing research, the activity recording and playback includes the context of every object in addition to traditional keyboard and mouse actions. The addition of the context makes the playback more accurate and avoids dependencies and pitfalls that come with pure mouse and keyboard replay. Moreover, playback can become more efficient by condensing common activities into a single action. After playback, PyTrigger analyzes the system trace using a combination of multiple states and behavior differencing to accurately extract the malware behavior and user triggered behavior from the complete system trace log. We present the algorithms, architecture and evaluate the PyTrigger prototype using 3994 real malware samples. Results and analysis are presented showing PyTrigger extracts additional behavior in 21% of the samples.","PeriodicalId":302747,"journal":{"name":"2013 International Conference on Availability, Reliability and Security","volume":"25 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-09-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"17","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 International Conference on Availability, Reliability and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ARES.2013.16","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 17

Abstract

We introduce PyTrigger, a dynamic malware analysis system that automatically exercises a malware binary extracting its behavioral profile even when specific user activity or input is required. To accomplish this, we developed a novel user activity record and playback framework and a new behavior extraction approach. Unlike existing research, the activity recording and playback includes the context of every object in addition to traditional keyboard and mouse actions. The addition of the context makes the playback more accurate and avoids dependencies and pitfalls that come with pure mouse and keyboard replay. Moreover, playback can become more efficient by condensing common activities into a single action. After playback, PyTrigger analyzes the system trace using a combination of multiple states and behavior differencing to accurately extract the malware behavior and user triggered behavior from the complete system trace log. We present the algorithms, architecture and evaluate the PyTrigger prototype using 3994 real malware samples. Results and analysis are presented showing PyTrigger extracts additional behavior in 21% of the samples.

查看原文本刊更多论文

PyTrigger:触发&提取用户激活的恶意软件行为

我们介绍PyTrigger，这是一个动态恶意软件分析系统，即使需要特定的用户活动或输入，也可以自动执行恶意软件二进制文件提取其行为配置文件。为了实现这一目标，我们开发了一种新的用户活动记录和回放框架以及一种新的行为提取方法。与现有研究不同的是，除了传统的键盘和鼠标动作外，活动记录和回放还包括每个对象的上下文。上下文的添加使回放更加准确，并避免了纯鼠标和键盘回放带来的依赖关系和陷阱。此外，通过将常见活动压缩到单个操作中，回放可以变得更加高效。回放后，PyTrigger使用多种状态和行为差异的组合分析系统跟踪，从完整的系统跟踪日志中准确提取恶意软件行为和用户触发行为。我们介绍了算法、架构，并使用3994个真实恶意软件样本对PyTrigger原型进行了评估。结果和分析显示PyTrigger在21%的样品中提取了额外的行为。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2013 International Conference on Availability, Reliability and Security

自引率

0.00%

发文量