
A survey on automated dynamic malware-analysis techniques and tools

Published: 05 March 2008

Abstract

Anti-virus vendors are confronted with a multitude of potentially malicious samples today. Receiving thousands of new samples every day is not uncommon. The signatures that detect confirmed malicious threats are mainly still created manually, so it is important to discriminate between samples that pose a new unknown threat and those that are mere variants of known malware.

This survey article provides an overview of techniques based on dynamic analysis that are used to analyze potentially malicious samples. It also covers analysis programs that employ these techniques to assist human analysts in assessing, in a timely and appropriate manner, whether a given sample deserves closer manual inspection due to its unknown malicious behavior.



Published in: ACM Computing Surveys, Volume 44, Issue 2, February 2012, 132 pages
ISSN: 0360-0300
EISSN: 1557-7341
DOI: 10.1145/2089125

        Copyright © 2008 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

        Publication History

        • Accepted: 1 May 2010
        • Revised: 1 February 2010
        • Received: 1 June 2009
        • Published: 5 March 2008


        Qualifiers

        • research-article
        • Research
        • Refereed
