MapReduce Method for Malware Detection in Parallel Systems

This paper presents a system call analysis method using MapReduce for malware detection at the IEEE 17th International Conference on Parallel and Distributed Systems. It discusses detecting malware behavior, evaluation techniques, categories of malware, and approaches like signature-based and behavior-based methods. Real-time monitoring mechanisms and malicious behavior patterns are explored, along with modern malware characteristics and the requirements for data analysis. The use of MapReduce in processing large datasets and examples of persistent malware behavior are also covered.

• Malware Detection
• MapReduce Method
• Parallel Systems
• Behavior-Based Approach
• IEEE Conference

zaer318 Follow

Uploaded on Oct 05, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

Presentation Transcript

1. A System Call Analysis Method with MapReduce for Malware Detection 2011 IEEE 17th International Conference on Parallel and Distributed Systems Shun-Te Liu *, Hui-ching Huang* Yi-Ming Chen Information & Communication Security Lab TL, Chunghwa Telecom Co., Ltd. Department of Information Management National Central University 102062602 1/22

2. outline Introduction Detect malware behavior Evaluation Conclution 2/22

3. Malware by categories 3/22

4. How to detect malware Signature-based approach Behavior-based approach 4/22

5. Behavior-based approach Detect malware by real-time monitoring mechanisms Ex: system call monitoring (procMon) 5/22

6. Malicious behavior patterns Privacy invasion Self-replication Persistent behavior 6/22

7. Mordern malware Discrete behavior download malicious module Module-base malware driver or DLL 7/22

8. requirements the collected and analyzed data is much richer (system calls) module dependency 8/22

9. Clientserver model 9/22

10. MapReduce A programming model for processing large data sets with a parallel, distributed algorithm on a cluster Apache Hadoop 10/22

11. Persistent behavior Malware ASEP ( auto-start extensibility point) Remain alive after system reboot 11/22

12. ASEP(1) Can be a file or registry keys Ex: autorun.ini 12/22

13. ASEP(2) HKLM\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run HKLM\SOFTWARE\Microsoft\ Windows NT\ CurrentVersion\Winlogon\Notify (dll) (driver) HKLM\System\CurrentControlSet\ 13/22

14. Persistent behavior module(1) 14/22

15. Persistent behavior module(2) 15/22

16. Dependency Relationship(1) ASEP is seen as a part of module white list filter 16/22

17. Dependency Relationship(2) Mi Mj 17/22

18. Dependency structure matrix Check diagonal cells A B , B C , C A 18/22

19. Accuracy 19/22

20. Performance 20/22

21. contribution Propose a relation-based method to correlate the discrete behavior of malware. Implement a prototype of Maltrix on the Hadoop platform. 21/22

22. challenges Some malwares don t require ASEP The cost of data transmission hasn't been measured. Anti-api hooking Without using system calls 22/22