When Malware Changed Its Mind: How "Split Personalities" Affect Malware Analysis and Detection

Note: Presentation times are in Pacific Standard Time (PST).

Tuesday, January 24, 2023 - 4:40 pm to 5:10 pm

Tudor Dumitras, University of Maryland, College Park

Abstract:

We present the first large-scale study of malware samples that change their behavior when executed on different hosts or at different times, using data from 5.6 million hosts around the world. Researchers and practitioners have been aware of this problem for over a decade, but prior to our work the behavior variability had not been measured at scale. We demonstrate how malware with such "split personalities" may confound current techniques for malware analysis and detection. More importantly, we illustrate the unique insights that the security industry can gain by monitoring malware behavior ethically and at scale, on real hosts.


Tudor Dumitraș is an Associate Professor in the Electrical & Computer Engineering Department at the University of Maryland, College Park. His research focuses on data-driven security: he studies real-world adversaries empirically, he builds machine learning systems for detecting attacks and predicting security incidents, and he investigates the security of machine learning in adversarial environments. In his previous role at Symantec Research Labs he built the Worldwide Intelligence Network Environment (WINE), a data analytics platform for security research. His work on the effectiveness of certificate revocations in the Web PKI was featured in the Research Highlights of the Communications of the ACM in 2018, and his measurement of the duration and prevalence of zero-day attacks received an Honorable Mention in the NSA competition for the Best Scientific Cybersecurity Paper of 2012. Dumitraș frequently collaborates with the security industry to help it incorporate cutting-edge research into its products. As the Program Committee Chair for RAID 2022, he helped introduce the Best Practical Paper award, which aims to raise awareness of research advances among security professionals.
BibTeX
@conference {285611,
author = {Tudor Dumitras},
title = {When Malware Changed Its Mind: How "Split Personalities" Affect Malware Analysis and Detection},
year = {2023},
address = {Santa Clara, CA},
publisher = {USENIX Association},
month = jan
}
