Panorama: Capturing system-wide information flow for malware detection and analysis

Heng Yin, Dawn Song, Manuel Egele, Christopher Kruegel, Engin Kirda

Research output: Chapter in Book/Entry/Poem › Conference contribution

579 Scopus citations

Abstract

Malicious programs spy on users' behavior and compromise their privacy. Even software from reputable vendors, such as Google Desktop and Sony DRM media player, may perform undesirable actions. Unfortunately, existing techniques for detecting malware and analyzing unknown code samples are insufficient and have significant shortcomings. We observe that malicious information access and processing behavior is the fundamental trait of numerous malware categories breaching users' privacy (including keyloggers, password thieves, network sniffers, stealth backdoors, spyware and rootkits), which separates these malicious applications from benign software. We propose a system, Panorama, to detect and analyze malware by capturing this fundamental trait. In our extensive experiments, Panorama successfully detected all the malware samples and had very few false positives. Furthermore, by using Google Desktop as a case study, we show that our system can accurately capture its information access and processing behavior, and we can confirm that it does send back sensitive information to remote servers in certain settings. We believe that a system such as Panorama will offer indispensable assistance to code analysts and malware researchers by enabling them to quickly comprehend the behavior and inner workings of an unknown sample.
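The trait the abstract describes is captured by dynamic taint analysis: bytes that enter the system from a sensitive source (keystrokes, for instance) are labelled, the label follows them through every instruction that copies or computes on them, and the analysis records which code module touches or emits labelled data. The block below is an added illustration of that mechanism, not code from the paper or from the Panorama system, which performs this tracking at the instruction level of a whole-system emulator. The tiny instruction set, the module names, the execution trace and the authorization policy are all constructed for this example.

```python
"""Toy instruction-level dynamic taint tracker illustrating the Panorama idea.

Added example, not code from the paper. The instruction set, the module
names, the trace and the policy are all constructed here for illustration.
"""
from dataclasses import dataclass, field

CLEAN = frozenset()          # empty label: the byte derives from no sensitive source


@dataclass
class TaintVM:
    """Register machine that carries a taint label (set of source names)
    next to every register and memory value and logs accesses to tainted data."""
    regs: dict = field(default_factory=dict)     # reg  -> (value, label)
    mem: dict = field(default_factory=dict)      # addr -> (value, label)
    events: list = field(default_factory=list)   # (module, event, label)

    def reg(self, r):
        return self.regs.get(r, (0, CLEAN))

    def step(self, module, op, *a):
        """Execute one instruction issued by the code module `module`."""
        if op == "input":                        # taint source: device read
            dst, value, source = a
            self.regs[dst] = (value, frozenset({source}))
        elif op == "const":                      # immediate: always clean
            self.regs[a[0]] = (a[1], CLEAN)
        elif op == "mov":                        # dst <- src, label copied
            self.regs[a[0]] = self.reg(a[1])
        elif op == "load":                       # dst <- mem[addr]
            value, label = self.mem.get(a[1], (0, CLEAN))
            self.regs[a[0]] = (value, label)
            if label:                            # information access by `module`
                self.events.append((module, "read", label))
        elif op == "store":                      # mem[addr] <- src
            self.mem[a[0]] = self.reg(a[1])
        elif op in ("add", "xor"):               # dst <- dst op src
            (v1, l1), (v2, l2) = self.reg(a[0]), self.reg(a[1])
            if op == "xor" and a[0] == a[1]:
                # x ^= x is constant zero whatever x was: clearing the label
                # here avoids taint that would never reflect a real flow.
                self.regs[a[0]] = (0, CLEAN)
            else:
                v = (v1 + v2) & 0xFF if op == "add" else v1 ^ v2
                self.regs[a[0]] = (v, l1 | l2)   # labels merge through arithmetic
        elif op in ("send", "write_file"):       # taint sinks
            _, label = self.reg(a[0])
            if label:
                self.events.append((module, op, label))
        else:
            raise ValueError(f"unknown op {op!r}")


def detect(trace, authorized):
    """Replay `trace` and return (vm, findings): every access to or emission of
    tainted data by a module not authorized to handle that source."""
    vm = TaintVM()
    for module, op, *args in trace:
        vm.step(module, op, *args)
    findings = set()
    for module, event, label in vm.events:
        for source in label:
            if module not in authorized.get(source, set()):
                findings.add((module, event, source))
    return vm, sorted(findings)


# Constructed trace: the input driver queues the keystroke 'p'; the foreground
# editor consumes it (expected); a keylogger reads the same byte, masks it with
# a constant, logs it to disk and ships it over the network.
TRACE = [
    ("win32k.sys",  "input", "r0", 0x70, "keystroke"),
    ("win32k.sys",  "store", 0x1000, "r0"),
    ("notepad.exe", "load",  "r1", 0x1000),
    ("notepad.exe", "store", 0x2000, "r1"),
    ("keylog.sys",  "load",  "r2", 0x1000),
    ("keylog.sys",  "const", "r3", 0x5A),
    ("keylog.sys",  "xor",   "r2", "r3"),         # obfuscation keeps the label
    ("keylog.sys",  "store", 0x3000, "r2"),
    ("keylog.sys",  "write_file", "r2"),
    ("keylog.sys",  "send",  "r2"),
    ("keylog.sys",  "mov",   "r4", "r2"),
    ("keylog.sys",  "xor",   "r4", "r4"),         # zeroed: nothing flows
    ("keylog.sys",  "send",  "r4"),               # clean, so not an event
]

# Policy (assumed for the example): only the input stack and the foreground
# application may consume keystroke-derived bytes.
AUTHORIZED = {"keystroke": {"win32k.sys", "notepad.exe"}}

if __name__ == "__main__":
    _, findings = detect(TRACE, AUTHORIZED)
    for module, event, source in findings:
        print(f"{module}: {event} of {source}-derived data")
```

Two design points carry over from the real technique. Labels are unioned through arithmetic, so XOR-masking the stolen byte with a constant does not launder it: the keylogger's file write and network send are still reported as keystroke-derived. The `x ^= x` special case is the standard fix for a well-known source of taint noise, since the result is a constant regardless of input. The allowlist policy is a simplification of the per-category access policies the paper applies; it is enough to separate the editor's legitimate read of the queue from the keylogger's.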

Original language: English (US)
Title of host publication: CCS'07 - Proceedings of the 14th ACM Conference on Computer and Communications Security
Pages: 116-127
Number of pages: 12
State: Published - 2007
Event: 14th ACM Conference on Computer and Communications Security, CCS'07 - Alexandria, VA, United States
Duration: Oct 29 2007 to Nov 2 2007

Publication series

Name: Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print): 1543-7221

Other

Other: 14th ACM Conference on Computer and Communications Security, CCS'07
Country/Territory: United States
City: Alexandria, VA
Period: 10/29/07 to 11/2/07

Keywords

  • Dynamic taint analysis
  • Malware analysis
  • Malware detection
  • Spyware

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications
