Measuring How Malware Behaves in the Real World

Researchers in the Maryland Cybersecurity Center (MC2) have been recognized for their analysis of malware behavior in the first large-scale study of its kind.

“It has been known for over a decade that malware samples can change their behavior on different hosts and at different points in time, but this is the first study to measure this variability in the real world,” says Tudor Dumitraș, an associate professor of electrical and computer engineering.

The consequences of malware can vary drastically depending on the host and device, with such intensity that researchers sometimes call it “split personalities.” Yet malware is typically studied in a controlled lab environment that does not account for this broad range of behaviors—an approach that’s ineffective because it can provide a false sense of security, say the researchers.

To truly study these varied behaviors, they analyzed a novel dataset of 7.6 million execution traces, recorded on 5.4 million real hosts across 113 countries.

“This is research I’ve been wanting to address for a long time, and only recently did we begin collaborating with an industry partner to access and analyze such a large data set,” says Dumitraș, who has an appointment in the University of Maryland Institute for Advanced Computer Studies.

His team analyzed program behaviors at multiple granularities, and showed how they change across hosts and time. Then they analyzed the invariant parts of the malware behaviors, and showed how this affects the ability to detect malware.

“Our findings have important implications for malware analysts and sandbox operators, and emphasize the unique insights that can be gained by monitoring malware behavior at scale on real hosts,” says Erin Avllazagaj, a third-year Ph.D. student and the paper’s lead author.

In November, he presented “When Malware Changed Its Mind: An Empirical Study of Variable Program Behaviors in the Real World” at the most comprehensive student-run cybersecurity event in the world—the CSAW Cybersecurity Games and Conference—where it won first place in the applied research competition.

The paper was also presented at the 30th USENIX Security Symposium earlier this year, and Dumitraș was interviewed about the study for Cyberwire’s podcast “Research Saturday.”

Story by Maria Herd

January 5, 2022
