Metodologia de Detecção de Malware por Heurísticas Comportamentais
Resumo
Programas maliciosos têm evoluído em sofisticação e complexidade, aumentando a incidência de ataques bem sucedidos contra sistemas computacionais e seus usuários. Como qualquer programa benigno, os programas maliciosos precisam interagir com o sistema operacional de forma a realizar as atividades pretendidas. Assim, faz-se necessário compreender quais das ações efetuadas estão envolvidas em processos de infecção. Tais ações "suspeitas" compõem o comportamento de execução do malware e sua identificação é crucial na detecção desses programas. Neste artigo, propõe-se uma metodologia para detecção de malware baseada em heurísticas comportamentais e apresenta-se os testes e resultados obtidos de sua aplicação em exemplares reais.
Referências
Ahmadi, M., Sami, A., Rahimi, H., and Yadegari, B. (2013). Feature. Computer Fraud & Security, 2013(8):11–19.
Alazab, M. (2015). Profiling and classifying the behavior of malicious codes. J. Syst. Softw., 100(C):91–102.
Bazrafshan, Z., Hashemi, H., Fard, S. M. H., and Hamzeh, A. (2013). A survey on heuristic malware detection techniques. In Information and Knowledge Technology (IKT), 2013 5th Conference on, pages 113–120.
Bellard, F. (2005). Qemu, a fast and portable dynamic translator. In Proceedings of the Annual Conference on USENIX Annual Technical Conference, ATEC ’05, pages 41–41, Berkeley, CA, USA. USENIX Association.
Christodorescu, M., Jha, S., Seshia, S. A., Song, D., and Bryant, R. E. (2005). Semantics-aware malware detection. In Proceedings of the 2005 IEEE Symposium on Security and Privacy, SP ’05, pages 32–46, Washington, DC, USA. IEEE Computer Society.
Downey, A. B. (2012). Think Bayes: Bayesian Statistics Made Simple. Green Tea Press.
Fan, Y., Ye, Y., and Chen, L. (2016). Malicious sequential pattern mining for automatic malware detection. Expert Syst. Appl., 52(C):16–25.
Feng, Z., Xiong, S., Cao, D., Deng, X., Wang, X., Yang, Y., Zhou, X., Huang, Y., and Wu, G. (2015). Hrs: A hybrid framework for malware detection. In Proceedings of the 2015 ACM International Workshop on International Workshop on Security and Privacy Analytics, IWSPA ’15, pages 19–26, New York, NY, USA. ACM.
Grégio, A., Bonacin, R., de Marchi, A. C., Nabuco, O. F., and de Geus, P. L. (2016). An ontology of suspicious software behavior. Applied Ontology, 11(1):29–49.
Griffin, K., Schneider, S., Hu, X., and Chiueh, T.-C. (2009). Automatic generation of string signatures for malware detection. In Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection, RAID ’09, pages 101–120, Berlin, Heidelberg. Springer-Verlag.
Grégio, A. R. A., Afonso, V. M., Filho, D. S. F., Geus, P. L. d., and Jino, M. (2015). Toward a taxonomy of malware behaviors. The Computer Journal, 58(10):2758–2777.
Guarnieri, C. (2013). Cuckoo sandbox. http://www.cuckoosandbox.org/. Acesso em junho/2016.
Hall, M., Frank, E., Holmes, G., Pfahringer, B., Reutemann, P., and Witten, I. (2009). The weka data mining software: an update. ACM SIGKDD Explorations Newsletter, 11(1):10–18.
Jacob, G., Debar, H., and Filiol, E. (2008). Behavioral detection of malware: from a survey towards an established taxonomy. Journal in Computer Virology, 4(3):251– 266.
John, G. H. and Langley, P. (1995). Estimating continuous distributions in bayesian classifiers. In 11th Conference on Uncertainty in Artificial Intelligence, pages 338–345.
Khodamoradi, P., Fazlali, M., Mardukhi, F., and Nosrati, M. (2015). Heuristic metamorphic malware detection based on statistics of assembly instructions using classification algorithms. In Computer Architecture and Digital Systems (CADS), 2015 18th CSI International Symposium on, pages 1–6.
Prelipcean, D. B., Popescu, A. S., and Gavrilut, D. T. (2015). Improving malware detection response time with behavior-based statistical analysis techniques. In 2015 17th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC), pages 232–239.
Treadwell, S. and Zhou, M. (2009). A heuristic approach for detection of obfuscated malware. In Proceedings of the 2009 IEEE International Conference on Intelligence and Security Informatics, ISI’09, pages 291–299, Piscataway, NJ, USA. IEEE Press.
Ye, Y., Wang, D., Li, T., and Ye, D. (2007). Imds: Intelligent malware detection system. In Proceedings of the 13th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, KDD ’07, pages 1043–1047, New York, NY, USA. ACM.
Yin, H., Song, D., Egele, M., Kruegel, C., and Kirda, E. (2007). Panorama: Capturing system-wide information flow for malware detection and analysis. In Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS ’07, pages 116–127, New York, NY, USA. ACM.