Hybrid Real-time Zero-day Malware Analysis and Reporting System

Full Text (PDF, 428KB), PP.63-73



Ratinder Kaur 1,* Maninder Singh 1

1. Computer Science and Engineering Department, Thapar University, Patiala-147004, India

* Corresponding author.

DOI: https://doi.org/10.5815/ijitcs.2016.04.08

Received: 1 Jul. 2015 / Revised: 13 Nov. 2015 / Accepted: 12 Jan. 2016 / Published: 8 Apr. 2016

Index Terms

Zero-day Attacks, Unknown Attacks, Static Analysis, Dynamic Analysis, Malware Reporting


There is no automated way to understand completely the malicious intent of zero-day malware. No single approach to malware analysis is best, so existing static, dynamic and manual malware analysis techniques need to be combined in a single unit. In this paper, a hybrid real-time analysis and reporting system is presented. The proposed system integrates various malware analysis tools and utilities in a component-based architecture. The system automatically provides detailed results about a zero-day malware's behavior. The ultimate goal of this analysis and reporting is to gain a quick and brief understanding of the malicious activity performed by zero-day malware while minimizing the time frame between the detection of a zero-day attack and the generation of a security solution. The results are highly valuable to a malware analyst performing zero-day malware detection and containment.

Cite This Paper

Ratinder Kaur, Maninder Singh, "Hybrid Real-time Zero-day Malware Analysis and Reporting System", International Journal of Information Technology and Computer Science(IJITCS), Vol.8, No.4, pp.63-73, 2016. DOI:10.5815/ijitcs.2016.04.08

