Davide Balzarotti

AccessMiner: Using System-Centric Models for Malware Protection

Models based on system calls are a popular and common approach to characterize the run-time behavior of programs. For example, system calls are used by intrusion detection systems to detect software exploits and policies based on system calls are used to sandbox applications or to enforce access control.
Most proposed malware detectors that use system calls follow a program-centric analysis approach. That is, they build models based on specific behaviors of individual applications. Unfortunately, it is not clear how well these models generalize, especially when exposed to a diverse set of previously-unseen, real-world applications that operate on realistic inputs. This is particularly problematic as most previous work has used only a small set of programs to measure their technique's false positive rate. Moreover, these programs were run for a short time, often by the authors themselves.
In this paper, we study the diversity of system calls by performing a large-scale collection of system calls on hosts that run applications for regular users on actual inputs. Our analysis of the data demonstrates that simple malware detectors, such as those based on system call sequences, face significant challenges in such environments. To address the limitations of program-centric approaches, we propose an alternative detection model that characterizes the general interactions between benign programs and the operating system (OS). More precisely, our system-centric approach models the way in which benign programs access OS resources (such as files and registry entries). Our experiments demonstrate that this approach captures well the behavior of benign programs and raises very few (even zero) false positives while being able to detect a significant fraction of today's malware.


Davide Balzarotti is currently an Assistant Professor at Institut Eurecom in the south of France. His research interests include most aspects of system security and in particular the areas of intrusion detection and prevention, binary and malware analysis, reverse engineering, and web security.
Before joining Eurecom, Davide spent two years in Santa Barbara as a postdoctoral researcher in the Department of Computer Science at UCSB. In 2007 he participated in the red team involved in testing the capability and security of the voting machines certified for use in the State of Ohio (Project Everest) and in the top-to-bottom review of the electronic voting machines certified for use in California.
He received his PhD in Computer Engineering from Politecnico di Milano in 2006.