Towards Automated Characterization of Malware’s High-level Mechanism using Virtual Machine Introspection

Shun Yonamine, Youki Kadobayashi, Daisuke Miyamoto, Yuzo Taenaka

2019

Abstract

One of the goals of malware analysis is to figure out the intention of an attacker, namely its high-level mechanism. Since malicious activities are typically performed by combining multiple APIs, identifying the malicious intention requires inspecting the series of APIs and analyzing its semantics. In traditional malware analysis, this task generally relies on the manual effort of experts; there is no methodology for associating multiple APIs and identifying the malicious intention in an automated manner. In this paper, we propose a virtual machine introspection-based method for automatically identifying high-level mechanisms. We developed Spaniel, a prototype system that uses taint analysis to track malicious processing derived from the data read from a specified file and collects the traces of malicious activities. For evaluation, we used the adversary behavior models defined in ATT&CK; Spaniel identified key indicators that cover 26% of those models.

Paper Citation


in Harvard Style

Yonamine S., Kadobayashi Y., Miyamoto D. and Taenaka Y. (2019). Towards Automated Characterization of Malware’s High-level Mechanism using Virtual Machine Introspection. In Proceedings of the 5th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-359-9, pages 471-478. DOI: 10.5220/0007405504710478


in Bibtex Style

@conference{icissp19,
author={Shun Yonamine and Youki Kadobayashi and Daisuke Miyamoto and Yuzo Taenaka},
title={Towards Automated Characterization of Malware’s High-level Mechanism using Virtual Machine Introspection},
booktitle={Proceedings of the 5th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2019},
pages={471-478},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0007405504710478},
isbn={978-989-758-359-9},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 5th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Towards Automated Characterization of Malware’s High-level Mechanism using Virtual Machine Introspection
SN - 978-989-758-359-9
AU - Yonamine S.
AU - Kadobayashi Y.
AU - Miyamoto D.
AU - Taenaka Y.
PY - 2019
SP - 471
EP - 478
DO - 10.5220/0007405504710478