Forgot your password?
typodupeerror

Researchers Use Machines To Analyze Malware 55

Posted by Zonk
from the bugs-under-glass dept.
Krishna Dagli writes to mention a Register article about a mechanical process for analyzing malware. Using an automated system, researchers are able to more accurately classify the often randomly-named bots and viruses that plague us. From the article: "The researchers modeled a piece of malicious software as the series of actions that the software takes at the operating system level. Referred to as 'events' in a paper written by Lee and anti-malware program team manager Jigar Mody, the actions can include data copying, changing registry keys and opening network connections. The researchers then trained a recognition engine using an adaptive clustering algorithm - similar to self-organising maps - and classified a previously unseen subset of malware using the trained system. Using more clusters typically resulted in better classification. When the software samples were classified based on 100 events, accuracy fell below 80 per cent, while classification based on 500 and 1,000 events typically has accuracy rates above 90 per cent."
This discussion has been archived. No new comments can be posted.

Researchers Use Machines To Analyze Malware

Comments Filter:
  • The future is now (Score:5, Insightful)

    by Umbral Blot (737704) on Sunday June 11, 2006 @07:26AM (#15512410) Homepage
    Obviously solutions like this will be the way of the future, combined with a finer grained permission system. I just hope you can manually exempt programs. For example bittorrent opens a lot of network connections, and copies a lot of data around; I could see a tool such as this reasonably coming to the conclusion that it was malware. I am also curious if their system could defeat a rootkit, which will do its best to hide its activity and existence almost completely from the system.
    • New classification system eh? Sounds good to me...

      "Pandavirus/2006Tokyo is in Domain Malware, Kingdom Microsoft, Phylum Spyus Maximus, Class Claria, Order Adicus Wearicus, Family Panda."
    • Obviously solutions like this will be the way of the future

      Mechanical? Why mechanical? I thought we had left the Babbage era approach behind when they invented the transistor.

      Whats wrong with electricity?

    • I just hope you can manually exempt programs.


      "Attention! Program X requires blah bla blah. To do that blah blah blah. Do you really want to blah blah blah?"

      *90% of users click yes* There, malware exempted. Those people who get malware[1] in the first place won't be helped by this at all.

      [1] The open-this-attachment-to-get-owned type, not the Windows-is-a-piece-of-shit-automatically-owned type.
    • by TeamSPAM (166583)

      Back in the days when Macs had viruses (yes they do exist or existed), I was using a program called Gatekeeper [utexas.edu]. Instead of knowing about certain virus it monitored system activity and alerted you when virus type activity was happening. You the user would either deny or grant the action.

      So given my experience with GateKeeper, the ideas of this malware detection seem obvious. Why did it take this long to apply these ideas to windows malware? Is the problem commerical anti-virus software? They prefer you to k

    • For example bittorrent opens a lot of network connections, and copies a lot of data around; I could see a tool such as this reasonably coming to the conclusion that it was malware.

      The RIAA and MPAA would agree with that conclusion.

  • Advantages? (Score:4, Insightful)

    by bsdluvr (932942) on Sunday June 11, 2006 @07:27AM (#15512412) Homepage
    Does this new classification method really have any advantages for the average user? I'm sure most people just want to keep their systems malware-free, and could care less about the names of the individual threats.
    • Re:Advantages? (Score:4, Insightful)

      by Aneurysm (680045) on Sunday June 11, 2006 @07:33AM (#15512420)
      If you can group malware threats together it may be easier/quicker to come up with methods to remove them. Common system actions probably means common steps to get rid of the malware. Also, having a database of actions that a piece of malware takes when infecting a system could help identify an infection sooner. If you had an anti-malware package running on your computer and intercepting reg key changes, directory creations etc. before they happened, it could step in to alert the user and eradicate the threat before it had even finished installing itself. Admittedly many people wouldn't want an anti-malware system constantly monitoring every API access, but if it was made transparent this is the sort of thing that would greatly benefit the less technically minded user.
      • So, basically, we'll have another anti-virus-like program monitoring our systems.

        Yay for the multi-core CPUs!

        • by ozmanjusri (601766) <aussie_bob@NospAm.hotmail.com> on Sunday June 11, 2006 @08:15AM (#15512481) Journal
          So, basically, we'll have another anti-virus-like program monitoring our systems.

          That's the most attractive option for the big malware prevention/removal companies, and is the most likely scenario in the near future.

          The opportunity this type of forensic analysis creates though, is that it exposes and classifies the methods the malware uses to insinuate itself into the host operating system. That means OS vendors can analyse the failure points of their products and harden them against the malware. At the moment, the two key problems with malware removal are

          1. Recognising its presence
          2. Removing the malware and returning the computer to a safe state
          If you minimise the number of places where programs can start at boot time and make any auto-starting program clearly visible and easily removable, for example, you will have made it easier for users to block or remove an infection and have reduced the motive for crackers to write the malware in the first place.

          It's also an example of why an OS vendor who also sells malware tools has such a dangerous conflict of interests.

          • by cp.tar (871488)

            The point is, however, that malware mostly (ab)uses perfectly legal system instructions.

            Therefore, whatever it is that will be running in people's backgrounds, it will have to have a heuristic algorithm and monitor every single system activity.

            To abuse the good old car analogy, it's as if more and more safety measures were introduced in cars instead of teaching people to drive safely.
            Wait, where was I going with that one?

            Anyway, I do not want (at the times when I'm using Windows) another program which w

            • The point is, however, that malware mostly (ab)uses perfectly legal system instructions.

              Yes, that IS the point. And what that means is that by analysing which of those system instructions are being abused and how, you can redesign the system to resist the attacks better. In Windows, for example, the \HKLM\...\Run: registry entries, WINDOWS\Prefetch, etc are the most common points for malware to hook into to ensure they are loaded at starup. Make it easier to protect and clean those areas and you'll elimin

              • If OS vendors make their products easy to clean, there's less profit, and therefore less motive.

                Not exactly.

                As in medicine, a bit of prevention is worth more than a... megabyte of repair.

                If OS vendors make their products more difficult to infect, now there we may see some improvement... for users, it seems, are not getting educated any better.

        • by jacksonj04 (800021) <nick@nickjackson.me> on Sunday June 11, 2006 @08:20AM (#15512489) Homepage
          Is it worth having a core just to do background tasks like this?

          Since multicore systems are starting to take off, perhaps there should be a method for applications to flag themselves as 'supporting', and then have a seperate lower power core dedicated to 'supporting' applications such as AV, system monitors etc?
          • Do you not see that as a huge admission of defeat? That you are _seriously_ suggesting a anti-virus/spyware CO-PROCESSOR?!?
            • No, although AV/Spyware would be ones that use it. I was thinking more a co-processor for those things which sit around doing nothing but waste cycles, but which actually have a use. Update daemons, sync tools for PDAs, network monitors, backup and encryption tools etc.
        • Only if you need it... Sensible users usually avoid malware infections, because they know the dos and don'ts of using the internet. Do use a firewall, don't run any screensavers you get by email. Do run regular security updates, etc.. These users won't need to use a resource sapping system monitor, it is the casual internet users who don't know about basic security that will. These users are also the type of users who won't mind running the program, because they don't need a 3gHz processor to run outlook
    • This could be very useful.
      The thing is that the perception of human researchers is always skewed by assumptions and the human tendency to generalize any problem, based on incomplete data. (Useful in survival-of-the fittest scenarios, but potentially counterproductive when doing research.)
      Machines deal with facts, period.
      They may expose things we previously ignored or crammed into categories that don't really fit the bill.
      (Of course, if the data fed to the machine is presented in a form which has already bee
    • the distructive payload makes this malware a virus. Most malware simply has code to 'self destruct' the system if tampered with, disabled, or made unable to think it's able to access the internet.

      Afterall most malware are exploits meant to make money off peoples computers. either through ad revenues, bulk mail sending, or formation of a 'botnet' which can be used for a whole slew of possiblities. a few pieces of malware try to steal data so that you can become a 'victim' of internet crime, which is why cer
      • i've always believed that poverty is just a state of mind.

        It's usually a state of not having enough resources to feed, clothe and house yourself (and your family if you have one). Now if you know a way for a person to think themselves out of that, you'll be the most revered man on the planet when you share it with the rest of us.
        • That is the materialistic view. In the material sense, one can eat bugs and roots, drink stagnant water, sleep in a pile of filth... and no one could doubt that that is 'poverty' in the material sense. But I've seen some good documentaries of tribes in africa, and south america who were living that way. And while those films were heavily edited, but I didn't see people who were really 'living in poverty' so much as leading the happiest best lives they could given the available resource.

          Poverty is a state o
    • Re:Advantages? (Score:3, Interesting)

      by happyemoticon (543015)

      Any mechanized approach to classifying malware is a good thing. I've heard anecdotally that the process of getting a program declared as a virus or malware is (or has been) as follows at major security firms:

      • Client gets infected with virus.
      • Client calls vendor when vendor's app refuses to clean it off.
      • Vendor's tech support gradually escalates the ticket until somebody with half a brain gets ahold of the problem.
      • Non-clueless support person dissects the malware and commits it to the week's definitions.
  • by mrogers (85392) on Sunday June 11, 2006 @07:45AM (#15512440)
    Now instead of obscure names like W32/worm.169/06A they can give them meaningful names like W32/fucks.your.harddrive.and.emails.itself.to.all. your.friends.169/06A.
  • Bugged? (Score:2, Funny)

    by Anonymous Coward
    I think the program is bugged, it keeps telling me that something called Windows is malware.
  • Hmm... (Score:3, Funny)

    by Ichigo Kurosaki (886802) on Sunday June 11, 2006 @08:26AM (#15512496)
    Researchers Use Machines To Analyze Malware

    as opposed to punch cards?
  • by m874t232 (973431) on Sunday June 11, 2006 @08:27AM (#15512498)
    Attempts at classifying malware automatically have been around for a number of years. Trouble is: 90% isn't good enough--it's too many false alarms. You need something that works almost perfectly in order to deploy it on real machines.
  • Wow (Score:2, Insightful)

    by ms1234 (211056)
    Maybe it could be trained to categorize my socks?
  • by gbjbaanb (229885) on Sunday June 11, 2006 @08:35AM (#15512511)
    and classified a previously unseen subset of malware using the trained system

    automated systems determined that the new worm, W32.setup/install.exe is the most prevalent ever, due to the success of its social-engineering attack vector.

  • "us" ???? (Score:4, Funny)

    by Wingsy (761354) on Sunday June 11, 2006 @09:32AM (#15512614)
    "...bots and viruses that plague us" What's this "us" shit Kemosabe? I've never experienced any bots and/or viruses in the past 5 years or more. What kinda system are you running that has this affliction?
  • by packetmon (977047) on Sunday June 11, 2006 @10:44AM (#15512761) Homepage
    After reading 12 of the 17 page MS document I shake my head... Some malware do not run properly in VM. Some packers are known to detect VM environment and prevent the file from normal execution. What about smarter polymorphs which change and adapt not to mention their analysis', tests, etc., did not include a full scope of what malware targets: "Runtime environment simulation is still primitive. For example, we have not implemented Instant Messaging or P2P applications/servers." Couple this with: "The biggest benefit is more rapid response to complex threats. As the synergy between viruses, Trojans, worms, rootkits and exploits grows, waiting for a solution becomes more dangerous." And lest I forget "This two-part article series looks at how cryptography is a double-edged sword: it is used to make us safer, but it is also being used for malicious purposes within sophisticated viruses. Part two continues the discussion of armored viruses and then looks at a Bradley worm - a worm that uses cryptography in such a way that it cannot be analyzed. (source [securityfocus.com]). So what happens when malware writers get a clue and start creating their own forms of crypto to hide their actions. For any company to create a product whether its hardware or software based, they'd only be lying to a degree about their ability to detect complex threats no matter what engine their malware snoopers were using.
  • If you think about it, this is more to do with how folks that are paid to give us those fancy virus definition libraries than the average user, but end benefit is that all users at all levels will be able to handle these malware threats more specifically than just using random deletion methods. For example, I was an idiot got a keylogger onto my system [which isn't hard to do since it's a Bloze box...], but I haven't noticed any of my accounts being accessed as of yet, which of course I did change the passw
  • by Anonymous Coward on Sunday June 11, 2006 @11:44AM (#15512908)
    Internet Security Systems already provides a product that does this called "Proventia Desktop". Whenever the user tries to run a program, it first boots a virtual machine, runs the program, looks at all these behaviors (opening connections, setting itself as the Run entry in the registry, etc.). When the right combination of behaviors are detected, it marks it as malware and refuses to run it in the real machine. The entire process takes as much time as it would for anti-virus to scan it. It's about 99% effective, which means that it catches almost all 0-day viruses, but it will occasionally let something through (which is why you should probably also have traditional anti-virus as well).
  • Computer security is not easy for businesses and more difficult for the average home user .... But it seems to me that as the price of hardware drops and home networks become more plentiful, we will see more 'appliances' that come described as routers/firewalls/proxies that run the appropriate software so that such programs can be detected by signiature before they get to your desktop. Though that would or might be another level of possible infection to home networks, it is still much stronger than a deskto
  • by Anonymous Coward
    >a mechanical process for analyzing malware.

    Do you mean it is steam or internal combustion powered? Based on a huge Babbage differential engine, programmed with cards in Lady Ada language? It must be since it is mechanical! The MODUS, a stack of most advanced cards for automated malware analysis is the subject of an international conspiracy. And the London smog gets denser every day.

If bankers can count, how come they have eight windows and only four tellers?

Working...