Multi-Channel Change-Point Malware Detection
Overview
Malware authors are increasingly using specialized toolkits and obfuscation techniques to modify existing malware and avoid detection by traditional antivirus software. The resulting proliferation of obfuscated malware variants poses a challenge to antivirus vendors, who must create a signature for each new variant. Drexel researchers have developed a behavioral detection system that monitors behavioral features of a live computer host online. The system first builds a model that characterizes the normal behavior of the host, then uses change-point detection algorithms to detect abrupt deviations from that normal behavior of the kind produced by malware execution. The system can be trained to identify new variants within known malware families, using observed similarities in the behavioral features extracted from sensors monitoring live computer hosts. Whereas traditional malware defense mechanisms primarily work by preventing potential malware from passing through a network or executing on a host computer, this system detects the execution of malware on a live host. It is designed to detect malware that evades traditional defenses, such as new and obfuscated malware variants, supplementing existing defenses and serving as an auxiliary safety net that reveals whether a host is infected.
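The detection pipeline the overview describes, as an added worked example that is not the Drexel system's code: a per-channel baseline (mean and standard deviation) is fitted on a clean window of host sensor counts, and a one-sided CUSUM statistic per channel, summed across channels, raises an alarm once the sum crosses a threshold. The channel names, the drift and threshold parameters, and the telemetry are assumptions constructed for the example; the page does not say which features or which change-point algorithm the system uses.

```python
"""Multi-channel change-point detection over host behavioral counters.

Added illustrative example, not the Drexel system's code: a one-sided CUSUM
per channel on standardized features, fused by summing the per-channel
statistics. Channel names, parameters and telemetry are constructed here.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Optional, Tuple

# Hypothetical per-interval sensor channels (assumed names, not from the page).
CHANNELS = ("file_writes", "net_conns", "proc_creates")
Sample = Dict[str, float]


@dataclass
class BaselineModel:
    """Per-channel mean and standard deviation learned from a clean host.

    Caveat: the training window must come from a host known to be clean,
    otherwise malicious activity is baked into 'normal'.
    """
    mean: Dict[str, float]
    std: Dict[str, float]

    @classmethod
    def fit(cls, training: List[Sample]) -> "BaselineModel":
        mu = {c: mean(s[c] for s in training) for c in CHANNELS}
        # Floor the deviation so a constant channel cannot divide by zero.
        sd = {c: max(pstdev([s[c] for s in training]), 1e-6) for c in CHANNELS}
        return cls(mu, sd)

    def zscore(self, sample: Sample, channel: str) -> float:
        return (sample[channel] - self.mean[channel]) / self.std[channel]


@dataclass
class CusumDetector:
    """Upper-sided CUSUM per channel: S_t = max(0, S_{t-1} + z_t - k).

    k (drift) is the allowance: shifts below k standard deviations are
    ignored.  h (threshold) trades detection delay against false-alarm rate.
    """
    model: BaselineModel
    drift: float = 0.5
    threshold: float = 8.0
    stats: Dict[str, float] = field(init=False)

    def __post_init__(self) -> None:
        self.stats = {c: 0.0 for c in CHANNELS}

    def update(self, sample: Sample) -> float:
        """Advance every channel's statistic; return the fused (summed) value."""
        for c in CHANNELS:
            z = self.model.zscore(sample, c)
            self.stats[c] = max(0.0, self.stats[c] + z - self.drift)
        return sum(self.stats.values())


def detect(model: BaselineModel, stream: Iterable[Sample],
           drift: float = 0.5, threshold: float = 8.0
           ) -> Tuple[Optional[int], Dict[str, float]]:
    """Scan the stream; return (index of the first alarm, per-channel
    statistics at that moment), or (None, {}) if no alarm fires.  The
    per-channel statistics show which sensors drove the alarm, which is
    the material a post-mortem classification step would consume."""
    det = CusumDetector(model, drift, threshold)
    for i, sample in enumerate(stream):
        if det.update(sample) > threshold:
            return i, dict(det.stats)
    return None, {}


def make_telemetry() -> Tuple[List[Sample], List[Sample]]:
    """Constructed telemetry: 40 clean intervals, then 20 intervals with a
    modest, sustained rise in file writes and process creations.  No single
    interval exceeds 2.5 standard deviations, so a per-sample 3-sigma rule
    would miss it; CUSUM accumulates the shift instead."""
    clean = [{"file_writes": 3 + (i % 3), "net_conns": 1 + (i % 2),
              "proc_creates": 1 + (i % 3)} for i in range(40)]
    infected = [{"file_writes": 5 + (j % 2), "net_conns": 1 + (j % 2),
                 "proc_creates": 3 + (j % 2)} for j in range(20)]
    return clean, infected


def run_demo() -> Tuple[Optional[int], Dict[str, float]]:
    """Fit on the clean window, then scan clean + infected; the change
    begins at interval 40 and the alarm fires three intervals later."""
    clean, infected = make_telemetry()
    model = BaselineModel.fit(clean)
    return detect(model, clean + infected)


if __name__ == "__main__":
    alarm, stats = run_demo()
    print("alarm at interval", alarm)
    for c, v in sorted(stats.items(), key=lambda kv: -kv[1]):
        print(f"  {c:13s} {v:6.2f}")
```

The two parameters carry the reaction-time tradeoff the page mentions: a lower threshold h shortens the detection delay but raises the false-alarm rate on a noisy host, and the drift k sets the smallest sustained shift the detector will accumulate. Summing the per-channel statistics lets weak, simultaneous shifts across several sensors trigger an alarm that no single channel would, while the per-channel values at alarm time identify which sensors carried the signal.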
Applications
- Malware detection, classification, and mitigation
Advantages
- Coverage: The system is designed to protect against entire families and classes of malware, including variants that have not previously been discovered
- Ease of Use: The on-line detector can be deployed on live hosts without specialized sandbox environments or computationally expensive monitoring techniques
- Reaction Time: The change-point formulation is designed to detect malware as quickly as possible after it begins executing, to mitigate its damaging effects
- Data Collection: The behavioral information collected when new malware samples are detected can be used to classify newly discovered malware and to support other post-mortem analyses
Intellectual Property and Development Status
United States Patent Pending: 14/686,420
Commercialization Opportunities