Measuring How Malware Behaves in the Real World

Researchers in the Maryland Cybersecurity Center (MC2) have been recognized for their analysis of malware behavior in the first large-scale study of its kind.

“It has been known for over a decade that malware samples can change their behavior on different hosts and at different points in time, but this is the first study to measure this variability in the real world,” says Tudor Dumitraș, an associate professor of electrical and computer engineering.

The consequences of malware can vary drastically depending on the host and device, with such intensity that researchers sometimes call it “split personalities.” Yet malware is typically studied in a controlled lab environment that does not account for this broad range of behaviors—an approach that’s ineffective because it can provide a false sense of security, say the researchers.

To truly study these varied behaviors, they analyzed a novel dataset of 7.6 million execution traces, recorded on 5.4 million real hosts across 113 countries.

“This is research I’ve been wanting to address for a long time, and only recently did we begin collaborating with an industry partner to access and analyze such a large data set,” says Dumitraș, who has an appointment in the University of Maryland Institute for Advanced Computer Studies.

His team analyzed program behaviors at multiple granularities, and showed how they change across hosts and time. Then they analyzed the invariant parts of the malware behaviors, and showed how this affects the ability to detect malware.

“Our findings have important implications for malware analysts and sandbox operators, and emphasize the unique insights that can be gained by monitoring malware behavior at scale on real hosts,” says Erin Avllazagaj, a third-year Ph.D. student and the paper’s lead author.

In November, he presented “When Malware Changed Its Mind: An Empirical Study of Variable Program Behaviors in the Real World” at the most comprehensive student-run cybersecurity event in the world—the CSAW Cybersecurity Games and Conference—where it won first place in the applied research competition.

The paper was also presented at the 30th USENIX Security Symposium earlier this year, and Dumitraș was interviewed about the study for Cyberwire’s podcast “Research Saturday.”

Story by Maria Herd

January 5, 2022

