Malrec: Compact Full-Trace Malware Recording for Retrospective Deep Analysis

Published in DIMVA 2018

Recommended citation: Severi, Giorgio, Tim Leek, and Brendan Dolan-Gavitt. "Malrec: Compact Full-Trace Malware Recording for Retrospective Deep Analysis." International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, Cham, 2018. http://severi.xyz/files/malrec_paper.pdf

Paper and dataset website

Abstract - Malware sandbox systems have become a critical part of the Internet's defensive infrastructure. These systems allow malware researchers to quickly understand a sample's behavior and effect on a system. However, current systems face two limitations: first, for performance reasons, the amount of data they can collect is limited (typically to system call traces and memory snapshots). Second, they lack the ability to perform retrospective analysis, that is, to later extract features of the malware's execution that were not considered relevant when the sample was originally executed. In this paper, we introduce a new malware sandbox system, Malrec, which uses whole-system deterministic record and replay to capture high-fidelity, whole-system traces of malware executions with low time and space overheads. We demonstrate the usefulness of this system by presenting a new dataset of 66,301 malware recordings collected over a two-year period, along with two preliminary analyses that would not be possible without full traces: an analysis of kernel mode malware and exploits, and a fine-grained malware family classification based on textual memory access contents. The Malrec system and dataset can help provide a standardized benchmark for evaluating the performance of future dynamic analyses.
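The abstract's second analysis, family classification from the text a sample writes into memory, depends on a step a full-trace replay makes possible but a syscall trace does not: turning byte-granular memory-access records back into strings. The sketch below is an added example, not Malrec's code, and it assumes a constructed record format of (address, bytes) write fragments such as a replay-time memory-write callback might deliver; the sample records are constructed for illustration. It coalesces address-adjacent fragments, extracts printable-ASCII tokens, and compares two samples' token bags by cosine similarity.

```python
"""Textual memory-write features for malware family comparison.

Added example (not Malrec's code).  Input is an assumed record format:
an iterable of (address, data) pairs, one per memory write, in arbitrary
order and possibly fragmented across several writes.
"""
import math
import re
from collections import Counter

# Runs of 4+ printable ASCII bytes; shorter runs are mostly noise.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# Separators inside a printable run: whitespace, path and key delimiters.
SEPARATORS = re.compile(rb"[\s\\/:;,=\"']+")

# Constructed sample traces.  A and B write the same Run-key path and a
# cmd.exe command line; C writes an HTTP request.  Note that A's registry
# path arrives in five fragments that must be stitched back together.
SAMPLE_A = [
    (0x1000, b"Softw"), (0x1005, b"are\\Mic"), (0x100C, b"rosoft\\Win"),
    (0x1016, b"dows\\Curren"), (0x1021, b"tVersion\\Run\x00"),
    (0x2000, b"cmd.exe /c "), (0x200B, b"del %TEMP%\\a.bat\x00"),
    (0x3000, b"\x90\x90\x90\xcc\x00"),          # code bytes, not text
]
SAMPLE_B = [
    (0x5000, b"Software\\Microsoft\\Wind"), (0x5017, b"ows\\CurrentVersion\\Run\x00"),
    (0x6000, b"cmd.exe /c start svchost32.exe\x00"),
]
SAMPLE_C = [
    (0x7000, b"POST /gate.php HTTP/1.1\r\nHost: "), (0x701F, b"198.51.100.7\r\n\x00"),
]


def coalesce_writes(records):
    """Merge fragments whose address continues the previous fragment.

    Fragments are sorted by address first, so arrival order does not matter.
    Simplification: a write that overlaps or rewrites an earlier region is
    kept as its own segment rather than applied on top of the old bytes.
    """
    segments = []
    for addr, data in sorted(records, key=lambda r: r[0]):
        if segments and segments[-1][0] + len(segments[-1][1]) == addr:
            prev_addr, prev_data = segments[-1]
            segments[-1] = (prev_addr, prev_data + data)
        else:
            segments.append((addr, data))
    return segments


def text_tokens(records):
    """Bag of lowercased printable tokens (length >= 4) written to memory."""
    tokens = Counter()
    for _, data in coalesce_writes(records):
        for run in PRINTABLE.findall(data):
            for tok in SEPARATORS.split(run):
                if len(tok) >= 4:
                    tokens[tok.decode("ascii").lower()] += 1
    return tokens


def cosine(a, b):
    """Cosine similarity between two token Counters (0.0 if either is empty)."""
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


def compare(records_a, records_b):
    """Similarity of two samples' textual memory-write contents."""
    return cosine(text_tokens(records_a), text_tokens(records_b))


if __name__ == "__main__":
    print(sorted(text_tokens(SAMPLE_A)))
    print("A vs B: %.3f" % compare(SAMPLE_A, SAMPLE_B))
    print("A vs C: %.3f" % compare(SAMPLE_A, SAMPLE_C))
```

Without the coalescing step, SAMPLE_A would yield fragments such as "softw" and "rosoft" instead of "software" and "microsoft", and the two Run-key persisters would look far less alike; a real pipeline would also need to handle overlapping writes, wide-character strings, and the much larger token vocabularies a whole-system trace produces.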

Download paper here

@inproceedings{severi2018m,
  title={Malrec: Compact Full-Trace Malware Recording for Retrospective Deep Analysis},
  author={Severi, Giorgio and Leek, Tim and Dolan-Gavitt, Brendan},
  booktitle={International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment},
  pages={3--23},
  year={2018},
  organization={Springer}
}