
Interactive, Visual-Aided Tools to Analyze Malware Behavior

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNTCS,volume 7336)

Abstract

Malicious software attacks can disrupt information systems, violating the security principles of availability, confidentiality and integrity. Attackers use malware to gain control, steal data, keep access and cover the traces left on compromised systems. Dynamic analysis of malware is useful for obtaining an execution trace that can be used to assess the extent of an attack, to perform incident response and to select adequate countermeasures. Analysis of a captured malware sample can provide analysts with information about its behavior, allowing them to review the malicious actions performed during its execution on the target. The behavioral data gathered during the analysis consists of filesystem and network activity traces; a security analyst would have a hard time sifting through a maze of textual event data in search of relevant information. We present a behavioral event visualization framework that makes the malicious chain of events easier to grasp and allows interesting actions performed during a security compromise to be spotted quickly. We also analyzed more than 400 malware samples from different families and showed that they can be classified based on their visual signature. Finally, we distribute one of our tools to be freely used by the community.

Keywords

  • Security data visualization
  • Malware analysis




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Grégio, A.R.A. et al. (2012). Interactive, Visual-Aided Tools to Analyze Malware Behavior. In: , et al. Computational Science and Its Applications – ICCSA 2012. ICCSA 2012. Lecture Notes in Computer Science, vol 7336. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31128-4_22


  • DOI: https://doi.org/10.1007/978-3-642-31128-4_22

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-31127-7

  • Online ISBN: 978-3-642-31128-4

  • eBook Packages: Computer Science, Computer Science (R0)