Malrec: Compact full-trace malware recording for retrospective deep analysis

Giorgio Severi, Tim Leek, Brendan Dolan-Gavitt

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    Abstract

    Malware sandbox systems have become a critical part of the Internet’s defensive infrastructure. These systems allow malware researchers to quickly understand a sample’s behavior and effect on a system. However, current systems face two limitations: first, for performance reasons, the amount of data they can collect is limited (typically to system call traces and memory snapshots). Second, they lack the ability to perform retrospective analysis—that is, to later extract features of the malware’s execution that were not considered relevant when the sample was originally executed. In this paper, we introduce a new malware sandbox system, Malrec, which uses whole-system deterministic record and replay to capture high-fidelity, whole-system traces of malware executions with low time and space overheads. We demonstrate the usefulness of this system by presenting a new dataset of 66,301 malware recordings collected over a two-year period, along with two preliminary analyses that would not be possible without full traces: an analysis of kernel mode malware and exploits, and a fine-grained malware family classification based on textual memory access contents. The Malrec system and dataset can help provide a standardized benchmark for evaluating the performance of future dynamic analyses.

    Original language: English (US)
    Title of host publication: Detection of Intrusions and Malware, and Vulnerability Assessment - 15th International Conference, DIMVA 2018, Proceedings
    Publisher: Springer-Verlag
    Pages: 3-23
    Number of pages: 21
    ISBN (Print): 9783319934105
    DOIs: https://doi.org/10.1007/978-3-319-93411-2_1
    State: Published - Jan 1 2018
    Event: 15th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2018 - Saclay, France
    Duration: Jun 28 2018 – Jun 29 2018

    Publication series

    Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
    Volume: 10885 LNCS
    ISSN (Print): 0302-9743
    ISSN (Electronic): 1611-3349



    Keywords

    • Malware analysis
    • Malware classification
    • Record and replay

    ASJC Scopus subject areas

    • Theoretical Computer Science
    • Computer Science(all)

    Cite this

    Severi, G., Leek, T., & Dolan-Gavitt, B. (2018). Malrec: Compact full-trace malware recording for retrospective deep analysis. In Detection of Intrusions and Malware, and Vulnerability Assessment - 15th International Conference, DIMVA 2018, Proceedings (pp. 3-23). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10885 LNCS). Springer-Verlag. https://doi.org/10.1007/978-3-319-93411-2_1

    @inproceedings{8c161d3c7a8046cfa41cdc90dd4b2feb,
    title = "Malrec: Compact full-trace malware recording for retrospective deep analysis",
    abstract = "Malware sandbox systems have become a critical part of the Internet’s defensive infrastructure. These systems allow malware researchers to quickly understand a sample’s behavior and effect on a system. However, current systems face two limitations: first, for performance reasons, the amount of data they can collect is limited (typically to system call traces and memory snapshots). Second, they lack the ability to perform retrospective analysis—that is, to later extract features of the malware’s execution that were not considered relevant when the sample was originally executed. In this paper, we introduce a new malware sandbox system, Malrec, which uses whole-system deterministic record and replay to capture high-fidelity, whole-system traces of malware executions with low time and space overheads. We demonstrate the usefulness of this system by presenting a new dataset of 66,301 malware recordings collected over a two-year period, along with two preliminary analyses that would not be possible without full traces: an analysis of kernel mode malware and exploits, and a fine-grained malware family classification based on textual memory access contents. The Malrec system and dataset can help provide a standardized benchmark for evaluating the performance of future dynamic analyses.",
    keywords = "Malware analysis, Malware classification, Record and replay",
    author = "Giorgio Severi and Tim Leek and Brendan Dolan-Gavitt",
    year = "2018",
    month = "1",
    day = "1",
    doi = "10.1007/978-3-319-93411-2_1",
    language = "English (US)",
    isbn = "9783319934105",
    series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
    publisher = "Springer-Verlag",
    pages = "3--23",
    booktitle = "Detection of Intrusions and Malware, and Vulnerability Assessment - 15th International Conference, DIMVA 2018, Proceedings",
    }
