MalPEFinder: Fast and retrospective assessment of data breaches in malware attacks

Shun Te Liu, Yi Ming Chen

Research output: Contribution to journal › Journal article › peer-review

1 Citation (Scopus)


A successful data breach is often caused by malware installed by attackers. In a large-scale computer environment, it is difficult and costly for information technology managers to identify the victims and to assess the scope of the data breach when a malware attack occurs. Therefore, a quick and retrospective mechanism that can find victims is required. One such technology is search. However, most search techniques are not designed for searching executable files; indeed, they perform even worse at identifying malware files because of polymorphism and/or metamorphism. In this paper, we propose a portable executable (PE) format file search mechanism, called MalPEFinder. Instead of searching for malware files directly, this mechanism searches retrospectively for the files related to the malware. Based on these files and their ownership, MalPEFinder can locate malware files on a large scale quickly. Furthermore, the files that were possibly breached can also be identified. A MalPEFinder prototype has been implemented on the Hadoop platform in order to perform three functions: (i) searching retrospectively; (ii) protecting evidence against tampering; and (iii) dealing with future data growth. We used 72 malware samples to evaluate the accuracy and efficiency of our system. The experimental results show that MalPEFinder has a higher detection rate as well as a lower false positive rate than the well-known Splunk tool.

Pages (from - to): 899-915
Journal: Security and Communication Networks
Publication status: Published - Aug 2012

