Malrec: Compact full-trace malware recording for retrospective deep analysis

Giorgio Severi, Tim Leek, Brendan Dolan-Gavitt

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    Abstract

    Malware sandbox systems have become a critical part of the Internet’s defensive infrastructure. These systems allow malware researchers to quickly understand a sample’s behavior and effect on a system. However, current systems face two limitations: first, for performance reasons, the amount of data they can collect is limited (typically to system call traces and memory snapshots). Second, they lack the ability to perform retrospective analysis—that is, to later extract features of the malware’s execution that were not considered relevant when the sample was originally executed. In this paper, we introduce a new malware sandbox system, Malrec, which uses whole-system deterministic record and replay to capture high-fidelity, whole-system traces of malware executions with low time and space overheads. We demonstrate the usefulness of this system by presenting a new dataset of 66,301 malware recordings collected over a two-year period, along with two preliminary analyses that would not be possible without full traces: an analysis of kernel mode malware and exploits, and a fine-grained malware family classification based on textual memory access contents. The Malrec system and dataset can help provide a standardized benchmark for evaluating the performance of future dynamic analyses.

    Original languageEnglish (US)
    Title of host publicationDetection of Intrusions and Malware, and Vulnerability Assessment - 15th International Conference, DIMVA 2018, Proceedings
    EditorsCristiano Giuffrida, Sebastien Bardin, Gregory Blanc
    PublisherSpringer Verlag
    Pages3-23
    Number of pages21
    ISBN (Print)9783319934105
    DOIs
    StatePublished - 2018
    Event15th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2018 - Saclay, France
    Duration: Jun 28 2018Jun 29 2018

    Publication series

    NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
    Volume10885 LNCS
    ISSN (Print)0302-9743
    ISSN (Electronic)1611-3349

    Other

    Other15th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2018
    CountryFrance
    CitySaclay
    Period6/28/186/29/18

    Keywords

    • Malware analysis
    • Malware classification
    • Record and replay

    ASJC Scopus subject areas

    • Theoretical Computer Science
    • Computer Science(all)

    Fingerprint Dive into the research topics of 'Malrec: Compact full-trace malware recording for retrospective deep analysis'. Together they form a unique fingerprint.

  • Cite this

    Severi, G., Leek, T., & Dolan-Gavitt, B. (2018). Malrec: Compact full-trace malware recording for retrospective deep analysis. In C. Giuffrida, S. Bardin, & G. Blanc (Eds.), Detection of Intrusions and Malware, and Vulnerability Assessment - 15th International Conference, DIMVA 2018, Proceedings (pp. 3-23). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10885 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-93411-2_1