A Comparison of Dynamic Malware Analysis Systems and Security Information and Event Management Systems for Malware Analysis

Katsamakis, N. (2014). A Comparison of Dynamic Malware Analysis Systems and Security Information and Event Management Systems for Malware Analysis (MSc ASDF Dissertation). Edinburgh Napier University (Macfarlane, R., Buchanan, W.).


ISBN:
ISSN:

Abstract

Dynamic Malware Analysis systems are automated systems that can analyse malware and produce reports on their malicious activity based on their implemented monitoring mechanisms. The literature review carried out, has shown that these systems detection abilities are based on the analysis and monitoring techniques implemented in each system and they are prone to issues such as interpretation discrepancies in the reports (Massicotte, Couture, Normandin, & Michaud, 2012). SIEM systems show similarities with DMA systems since they employ monitoring mechanisms to analyze data and therefore could overcome the issues that DMA systems face (Gabriel, Hoppe, Pastwa, & Sowa, 2009). A comparison experiment of common DMA systems has been designed based on the literature to identify issues of DMA systems. A SIEM sandbox has also been designed for dynamic malware analysis. The SIEM sandbox was implemented with Splunk was able to detect malware activity by processing data from an IDS implementation for network activity and Splunk's security data collection mechanisms. The comparison between DMA systems highlighted issues regarding their implementations, discrepancies in their reports and detection issues through a quantitative approach on the findings categories of the reports to assess the effectiveness of the systems. Splunk's detection abilities were also compared to the to the findings of the DMA systems concluding that it introduced more comprehensive application monitoring by reporting on token elevation, which is connected to privilege escalation. Splunk's visualization abilities in reporting activity caused by the malware samples gave a more comprehensive view in understanding the true purpose of malware.
[Read More]

Authors

Areas of Expertise

Cyber-Security
Electronic information now plays a vital role in almost every aspect of our daily lives. So the need for a secure and trustworthy online infrastructure is more important than ever. without it, not only the growth of the internet but our personal interactions and the economy itself could be at risk.

Associated Projects