A Cuckoo's Egg in the Malware Nest: On-the-fly Signature-less Malware Analysis, Detection, and Containment for Large Networks

D. Bolzoni, Christiaan Schade, Sandro Etalle

    Research output: Chapter in Book/Report/Conference proceeding > Conference contribution > Academic > peer-review


    Abstract

    Avatar is a new architecture devised to perform on-the-fly malware analysis and containment on ordinary hosts, that is, on hosts with no special setup. The idea behind Avatar is to inject the suspected malware with a specially crafted piece of software at the moment it tries to download an executable. This special software can cooperate with a remote analysis engine to determine the main characteristics of the suspected malware and to choose an appropriate containment strategy: if the process under analysis turns out to be malicious, the strategy may include terminating it; otherwise the process is allowed to continue. Augmented with the additional detection heuristics we present in the paper, Avatar can also perform signature-less malware detection and containment.
    Original language: Undefined
    Title of host publication: Proceedings of the 25th Large Installation System Administration Conference (LISA 2011)
    Place of Publication: Berkeley, CA, USA
    Publisher: USENIX Association
    Pages: 201-216
    Number of pages: 16
    ISBN (Print): 978-931971-881-3
    Publication status: Published - Dec 2011

    Publication series

    Name: (not given)
    Publisher: The USENIX Association

    Keywords

    • IR-79455
    • EWI-21232
    • SCS-Cybersecurity
    • METIS-284987

    Cite this

    Bolzoni, D., Schade, C., & Etalle, S. (2011). A Cuckoo's Egg in the Malware Nest: On-the-fly Signature-less Malware Analysis, Detection, and Containment for Large Networks. In Proceedings of the 25th Large Installation System Administration Conference (LISA 2011) (pp. 201-216). Berkeley, CA, USA: USENIX Association.