Investigation of the Diverse Sleep Behavior of Malware

Bibliographic Details
Published in: Journal of Information Processing, Vol. 26, pp. 461-476
Main Author: Oyama, Yoshihiro
Format: Journal Article
Language: English
Published: Information Processing Society of Japan, 2018

Summary: Once malware has infected a system, it may lie dormant (or asleep) to control resource consumption speeds, remain undetected until the time of an attack, and thwart dynamic analysis. Because of their aggressive and abnormal use of sleep behavior, malware programs are expected to exhibit traits that distinguish them from other programs. However, the details of the sleep behavior of real malware are not sufficiently understood, and the diversity of sleep behavior among different malware samples or families is also unclear. In this paper, we discuss the characteristic sleep behavior of recent malware and explore the potential for applying the features of sleep behavior to malware classification. Specifically, we demonstrate that a wide variety of sleeps are executed by a set of malware samples and that sleeps are a promising source of features for distinguishing between different malware samples. Furthermore, we show that applying a learning algorithm to sleep behavior information can result in high classification accuracy and present several examples of typical and rare sleep behaviors observed in the execution of real malware.
ISSN: 1882-6652
DOI: 10.2197/ipsjjip.26.461
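The summary above describes turning the sleep calls a sample makes into features and feeding them to a learning algorithm. The following is an added example written for this record; it is not code from the paper or its author, and the paper's own feature set and learning algorithm are not reproduced here. It assumes a hypothetical sandbox trace format of one line per call, `<timestamp_ms> <api>(<requested_ms>)`, with NtDelayExecution's 100 ns interval already normalised to milliseconds, and it uses a nearest-centroid rule as the stand-in learner. The three class labels and all traces are constructed with a helper. One practitioner caveat is built in: the features use the requested duration, which a sleep-skipping sandbox still records even when it shortens the actual wait.

```python
"""Sleep-behaviour features for malware triage.

Added example, not code from the paper: it summarises the Sleep/SleepEx/
NtDelayExecution calls in a sandbox API trace into a feature vector and
assigns a trace to the nearest class centroid. The trace format, the API
names matched and the three classes are constructed for this example.
"""
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Hypothetical trace line format: "<timestamp_ms> <api>(<requested_ms>)".
# Assumption: the sandbox has already normalised NtDelayExecution's
# 100 ns interval argument to milliseconds before logging it.
SLEEP_CALL = re.compile(
    r"^(?P<t>\d+)\s+(?P<api>Sleep|SleepEx|NtDelayExecution)\((?P<ms>\d+)\)\s*$"
)

FEATURE_ORDER = ["count", "total_ms", "max_ms", "mean_ms",
                 "distinct", "long_count", "zero_count", "top_fraction"]


def parse_sleeps(trace: str) -> List[Tuple[int, int]]:
    """Return (timestamp_ms, requested_ms) per sleep call; other lines are ignored."""
    calls = []
    for line in trace.splitlines():
        m = SLEEP_CALL.match(line.strip())
        if m:
            calls.append((int(m.group("t")), int(m.group("ms"))))
    return calls


def sleep_features(trace: str) -> Dict[str, float]:
    """Summarise a trace's sleep calls. Uses the *requested* duration, which
    a sleep-skipping sandbox still records even when it shortens the wait."""
    durations = [ms for _, ms in parse_sleeps(trace)]
    n = len(durations)
    total = sum(durations)
    top = Counter(durations).most_common(1)[0][1] / n if n else 0.0
    return {
        "count": n,
        "total_ms": total,
        "max_ms": max(durations, default=0),
        "mean_ms": total / n if n else 0.0,
        "distinct": len(set(durations)),                         # duration variety
        "long_count": sum(1 for d in durations if d >= 60_000),  # >= 1 min stalls
        "zero_count": sum(1 for d in durations if d == 0),       # Sleep(0) yields
        "top_fraction": top,                                     # share of the modal duration
    }


def vectorize(feats: Dict[str, float]) -> List[float]:
    """log1p-scale so 600 s stalls do not swamp count-type features."""
    return [math.log1p(feats[k]) for k in FEATURE_ORDER]


def train_centroids(labeled: Dict[str, List[str]]) -> Dict[str, List[float]]:
    """Nearest-centroid learning: one mean feature vector per class label."""
    centroids = {}
    for label, traces in labeled.items():
        vecs = [vectorize(sleep_features(t)) for t in traces]
        centroids[label] = [sum(col) / len(vecs) for col in zip(*vecs)]
    return centroids


def classify(trace: str, centroids: Dict[str, List[float]]) -> str:
    """Label a trace by Euclidean distance to the closest centroid."""
    v = vectorize(sleep_features(trace))
    return min(centroids, key=lambda label: math.dist(v, centroids[label]))


def make_trace(durations: List[int], api: str = "Sleep") -> str:
    """Build a constructed trace: one sleep per duration, ~3 ms of work between."""
    lines, t = [], 0
    for d in durations:
        lines.append(f"{t} {api}({d})")
        t += d + 3
    return "\n".join(lines)


# Constructed training set: three sleep styles, two samples each.
LABELED = {
    "fixed_interval_loop": [make_trace([5000] * 6), make_trace([3000] * 8)],
    "long_initial_stall": [make_trace([600_000, 100, 100], "NtDelayExecution"),
                           make_trace([300_000, 50])],
    "short_yield": [make_trace([0, 10, 0, 0]), make_trace([0, 0, 1, 0, 0])],
}
CENTROIDS = train_centroids(LABELED)

if __name__ == "__main__":
    for name, sample in [("beacon-like", make_trace([4000] * 7)),
                         ("stall-like", make_trace([900_000, 200])),
                         ("yield-like", make_trace([0, 0, 5, 0]))]:
        print(name, "->", classify(sample, CENTROIDS), sleep_features(sample))
```

The log1p scaling matters: without it the millisecond totals of a single ten-minute stall dominate the distance and every count-type feature becomes irrelevant. With real traces, the feature set would be extended with timing of the first sleep relative to process start and with the observed wall-clock gap between calls, so that a sandbox which patches Sleep can be recognised from the mismatch between requested and elapsed time.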