Inlämning av Examensarbete / Submission of Thesis

Muhammad Shahid Iqbal; Muhammad Sohail MCS-2011-07, pp. 81. COM/School of Computing, 2011.

The work

Författare / Author: Muhammad Shahid Iqbal, Muhammad Sohail
shahid.online@yahoo.com, mhsohail40@gmail.com
Titel / Title: Runtime Analysis of Malware
Abstrakt Abstract:

Context: Every day increasing number of malwares are spreading around the world and infecting not only end users but also large organizations. This results in massive security threat for private data and expensive computer resources. There is lot of research going on to cope up with this large amount of malicious software. Researchers and practitioners developed many new methods to deal with them. One of the most effective methods used to capture malicious software is dynamic malware analysis. Dynamic analysis methods used today are very time consuming and resource greedy. Normally it could take days or at least some hours to analyze a single instance of suspected software. This is not good enough especially if we look at amount of attacks occurring every day.
Objective: To save time and expensive resources used to perform these analyses, AMA: an automated malware analysis system is developed to analyze large number of suspected software. Analysis of any software inside AMA, results in a detailed report of its behavior, which includes changes made to file system, registry, processes and network traffic consumed. Main focus of this study is to develop a model to automate the runtime analysis of software which provide detailed analysis report and evaluation of its effectiveness.
Methods: A thorough background study is conducted to gain the knowledge about malicious software and their behavior. Further software analysis techniques are studied to come up with a model that will automate the runtime analysis of software. A prototype system is developed and quasi experiment performed on malicious and benign software to evaluate the accuracy of the newly developed system and generated reports are compared with Norman and Anubis.
Results: Based on thorough background study an automated runtime analysis model is developed and quasi experiment performed using implemented prototype system on selected legitimate and benign software. The experiment results show AMA has captured more detailed software behavior then Norman and Anubis and it could be used to better classify software.
Conclusions: We concluded that AMA could capture more detailed behavior of the software analyzed and it will give more accurate classification of the software. We also can see from experiment results that there is no concrete distinguishing factors between general behaviors of both types of software. However, by digging a bit deep into analysis report one could understand the intensions of the software. That means reports generated by AMA provide enough information about software behavior and can be used to draw correct conclusions.

Ämnesord / Subject: Datavetenskap - Computer Science\Electronic Security
Datavetenskap - Computer Science\Artificial Intelligence
Datavetenskap - Computer Science\Computersystems
Nyckelord / Keywords: Malware, Automated analysis, Runtime analysis, Dynamic analysis, Malicious, behaviour, Characteristics, Detection

Publication info

Dokument id / Document id: houn-8flkc4
Program:/ Programme Magisterprogram i Datavetenskap/MSC in Computer science
Registreringsdatum / Date of registration: 04/04/2011
Uppsatstyp / Type of thesis: Masterarbete/Master's Thesis (120 credits)

Context

Handledare / Supervisor: Bengt Carlsson
bengt.carlsson@bth.se
Examinator / Examiner: Niklas Lavesson
Organisation / Organisation: Blekinge Institute of Technology
Institution / School: COM/School of Computing

+46 455 38 50 00
Anmärkningar / Comments:

+46 736 51 83 01

Files & Access

Bifogad uppsats fil(er) / Files attached: mcs-2011-07.pdf (1739 kB, öppnas i nytt fönster)