Malware Analysis Through High-level Behavior


Xiyue Deng and Jelena Mirkovic, Information Sciences Institute, University of Southern California


Malware is becoming more and more stealthy to evade detection and analysis. Stealth techniques often involve code transformation, ranging from equivalent code substitution and junk code injection, to continuously transforming code using a polymorphic or a metamorphic engine. Evasion techniques have a great impact on signature-based malware detection, making it very costly and often unsuccessful.

We propose to study a malware’s network behavior during its execution. While malware may transform its code to evade analysis, we contend that its behavior must mostly remain the same to achieve the malware’s ultimate purpose, such as sending spam, scanning for vulnerable hosts, etc. While live malware analysis is hard, we leverage our Fantasm platform on the Deterlab testbed to perform it safely and effectively. Based on ob- served network traffic we propose a behavior classification approach, which can help us interpret at a high level the malware’s actions and its ultimate purpose. We then apply our approach on 999 diverse samples from Georgia Tech Apiary project to understand current trends in malware behaviors.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {220231,
author = {Xiyue Deng and Jelena Mirkovic},
title = {Malware Analysis Through High-level Behavior},
booktitle = {11th USENIX Workshop on Cyber Security Experimentation and Test (CSET 18)},
year = {2018},
address = {Baltimore, MD},
url = {},
publisher = {USENIX Association},
month = aug