Avatar is a new architecture devised to perform on-the-ﬂy malware analysis and containment on ordinary hosts; that is, on hosts with no special setup. The idea behind Avatar is to inject the suspected malware with a specially crafted piece of software at the moment that it tries to download an executable. The special software can cooperate with a remote analysis engine to determine the main characteristics of the suspected malware, and choose an appropriate containment strategy, which may include process termination, in case the process under analysis turns out to be malicious, or let it continue otherwise. Augmented with additional detection heuristics we present in the paper, Avatar can also perform signature-less malware detection and containment.
|Title of host publication||Proceedings of the 25th Large Installation System Administration Conference (LISA 2011)|
|Place of Publication||Berkeley, CA, USA|
|Number of pages||16|
|Publication status||Published - Dec 2011|
|Publisher||The USENIX Association|
Bolzoni, D., Schade, C., & Etalle, S. (2011). A Cuckoo's Egg in the Malware Nest: On-the-fly Signature-less Malware Analysis, Detection, and Containment for Large Networks. In Proceedings of the 25th Large Installation System Administration Conference (LISA 2011) (pp. 201-216). Berkeley, CA, USA: USENIX Association.