Avatar is a new architecture devised to perform on-the-ﬂy malware analysis and containment on ordinary hosts; that is, on hosts with no special setup.
The idea behind Avatar is to inject the suspected malware with a specially crafted piece of software at the moment that it tries to download an executable.
The special software can cooperate with a remote analysis engine to determine the main characteristics of the suspected malware, and choose an appropriate containment strategy, which may include process termination, in case the process under analysis turns out to be malicious, or let it continue otherwise. Augmented with additional detection heuristics we present in the paper, Avatar can also perform
signature-less malware detection and containment.
|Publisher||The USENIX Association|
|Conference||25th Large Installation System Administration Conference, LISA 2011|
|Period||4/12/11 → 9/12/11|
|Other||4-9 December 2011|