Investigation of the Diverse Sleep Behavior of Malware

Oyama Yoshihiro

doi:10.2197/ipsjjip.26.461

Description

<p>Once malware has infected a system, it may lie dormant (or asleep) to control resource consumption speeds, remain undetected until the time of an attack, and thwart dynamic analysis. Because of their aggressive and abnormal use of sleep behavior, malware programs are expected to exhibit traits that distinguish them from other programs. However, the details of the sleep behavior of real malware are not sufficiently understood, and the diversity of sleep behavior among different malware samples or families is also unclear. In this paper, we discuss the characteristic sleep behavior of recent malware and explore the potential for applying the features of sleep behavior to malware classification. Specifically, we demonstrate that a wide variety of sleeps are executed by a set of malware samples and that sleeps are a promising source of features for distinguishing between different malware samples. Furthermore, we show that applying a learning algorithm to sleep behavior information can result in high classification accuracy and present several examples of typical and rare sleep behaviors observed in the execution of real malware.</p>

Journal

Journal of Information Processing

Journal of Information Processing 26 (0), 461-476, 2018

Information Processing Society of Japan

Keywords

Details 詳細情報について

CRID: 1390564237991510400

NII Article ID: 130007397244

NII Book ID: AA00700121

DOI: 10.2197/ipsjjip.26.461

ISSN: 18826652; 03876101

HANDLE: 2241/00154647

Web Site: https://tsukuba.repo.nii.ac.jp/records/49173; https://www.jstage.jst.go.jp/article/ipsjjip/26/0/26_461/_pdf

Text Lang: en

Article Type: journal article

Data Source

JaLC
IRDB
Crossref
CiNii Articles
KAKEN
OpenAIRE

Abstract License Flag: Disallowed

Export

Report a problem