Measuring How Malware Behaves in the Real World

Researchers in the Maryland Cybersecurity Center (MC2) have been recognized for their analysis of malware behavior in the first large-scale study of its kind.

“It has been known for over a decade that malware samples can change their behavior on different hosts and at different points in time, but this is the first study to measure this variability in the real world,” says Tudor Dumitraș, an associate professor of electrical and computer engineering.

The consequences of malware can vary so drastically depending on the host and device that researchers sometimes describe it as having “split personalities.” Yet malware is typically studied in a controlled lab environment that does not account for this broad range of behaviors, an approach the researchers say is ineffective because it can provide a false sense of security.

To truly study these varied behaviors, they analyzed a novel dataset of 7.6 million execution traces, recorded on 5.4 million real hosts across 113 countries.

“This is research I’ve been wanting to address for a long time, and only recently did we begin collaborating with an industry partner to access and analyze such a large data set,” says Dumitraș, who has an appointment in the University of Maryland Institute for Advanced Computer Studies.

His team analyzed program behaviors at multiple granularities, and showed how they change across hosts and time. Then they analyzed the invariant parts of the malware behaviors, and showed how this affects the ability to detect malware.

“Our findings have important implications for malware analysts and sandbox operators, and emphasize the unique insights that can be gained by monitoring malware behavior at scale on real hosts,” says Erin Avllazagaj, a third-year Ph.D. student and the paper’s lead author.

In November, he presented “When Malware Changed Its Mind: An Empirical Study of Variable Program Behaviors in the Real World” at the most comprehensive student-run cybersecurity event in the world—the CSAW Cybersecurity Games and Conference—where it won first place in the applied research competition.

The paper was also presented at the 30th USENIX Security Symposium earlier this year, and Dumitraș was interviewed about the study for Cyberwire’s podcast “Research Saturday.”

Story by Maria Herd

Published January 5, 2022