A Cuckoo's Egg in the Malware Nest: On-the-fly Signature-less Malware Analysis, Detection, and Containment for Large Networks

D. Bolzoni, Christiaan Schade, Sandro Etalle

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    1 Citation (Scopus)
    27 Downloads (Pure)


    Avatar is a new architecture devised to perform on-the-fly malware analysis and containment on ordinary hosts; that is, on hosts with no special setup. The idea behind Avatar is to inject the suspected malware with a specially crafted piece of software at the moment that it tries to download an executable. The special software can cooperate with a remote analysis engine to determine the main characteristics of the suspected malware, and choose an appropriate containment strategy, which may include process termination, in case the process under analysis turns out to be malicious, or let it continue otherwise. Augmented with additional detection heuristics we present in the paper, Avatar can also perform signature-less malware detection and containment.
    Original languageUndefined
    Title of host publicationProceedings of the 25th Large Installation System Administration Conference (LISA 2011)
    Place of PublicationBerkeley, CA, USA
    PublisherUSENIX Association
    Number of pages16
    ISBN (Print)978-931971-881-3
    Publication statusPublished - Dec 2011
    Event25th Large Installation System Administration Conference, LISA 2011 - Boston, MA, USA
    Duration: 4 Dec 20119 Dec 2011

    Publication series

    PublisherThe USENIX Association


    Conference25th Large Installation System Administration Conference, LISA 2011
    Other4-9 December 2011


    • IR-79455
    • EWI-21232
    • SCS-Cybersecurity
    • METIS-284987

    Cite this