Special Issue Paper
MalPEFinder: fast and retrospective assessment of data breaches in malware attacks
Version of Record online: 4 NOV 2011
Copyright © 2011 John Wiley & Sons, Ltd.
Security and Communication Networks
Special Issue: Defending Against Insider Threats and Internal Data Leakage
Volume 5, Issue 8, pages 899–915, August 2012
How to Cite
Liu, S.-T. and Chen, Y.-M. (2012), MalPEFinder: fast and retrospective assessment of data breaches in malware attacks. Security Comm. Networks, 5: 899–915. doi: 10.1002/sec.390
- Issue online: 25 JUL 2012
- Manuscript Accepted: 28 AUG 2011
- Manuscript Revised: 13 JUN 2011
- Manuscript Received: 31 AUG 2010
Keywords: data breach assessment; malware detection; retrospective detection
A successful data breach is often the result of malware installed by attackers. In a large-scale computing environment, it is difficult and costly for IT managers to identify the victims and to assess the scope of a data breach when a malware attack occurs, so a quick, retrospective mechanism for finding victims is required. Search is one such technology. However, most search techniques are not designed for executable files, and they perform even worse at identifying malware files, because polymorphism and metamorphism change the file content from one sample to the next.
In this paper, we propose a search mechanism for Portable Executable (PE) files, called MalPEFinder. Instead of searching for the malware files themselves, it retrospectively searches for malware-related files; from these files and their ownership, MalPEFinder can quickly locate malware files at large scale, and the files that may have been breached can also be identified. A MalPEFinder prototype has been implemented on the Hadoop platform to provide three functions: (i) retrospective searching; (ii) protecting evidence against tampering; and (iii) coping with future data growth. We used 72 malware samples to evaluate the accuracy and efficiency of the system. The experimental results show that MalPEFinder achieves a higher detection rate and a lower false positive rate than the widely used Splunk tool.
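The abstract explains why a plain file-hash search fails against polymorphic samples and why ownership matters for scoping a breach. The following is an added example, not MalPEFinder's code or the paper's algorithm: it parses the PE/COFF headers (DOS header, PE signature, COFF header, section table), derives a structural fingerprint from layout fields that a re-packed variant usually keeps even though its bytes and SHA-256 change, and runs a retrospective search over a constructed file inventory, grouping hits by owner. The inventory, paths, owners, timestamps and the two "variants" are all constructed for the demo; the fingerprint fields are one illustrative choice, not the paper's.

```python
"""Header-derived PE fingerprinting and retrospective inventory search.
Added example, not MalPEFinder's own code; all sample files are constructed."""
import hashlib
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Fixed layouts from the PE/COFF format (byte offsets and struct formats).
DOS_MAGIC = b"MZ"
E_LFANEW_OFFSET = 0x3C            # u32 in the DOS header: offset of "PE\0\0"
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_FMT = "<HHIIIHH"      # Machine, NumberOfSections, TimeDateStamp,
COFF_HEADER_SIZE = 20             # PointerToSymbolTable, NumberOfSymbols,
                                  # SizeOfOptionalHeader, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData,
SECTION_HEADER_SIZE = 40             # PointerToRawData, PtrToRelocs, PtrToLinenums,
                                     # NumRelocs, NumLinenums, Characteristics
SECT_CODE = 0x60000020   # IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ
SECT_DATA = 0xC0000040   # IMAGE_SCN_CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE


@dataclass
class PEInfo:
    machine: int
    timestamp: int                      # TimeDateStamp: a lead, but trivially forged
    sections: List[Tuple[bytes, int, int]] = field(default_factory=list)

    def structural_fingerprint(self) -> str:
        """SHA-256 over machine type plus section names and flags. Section bodies
        are deliberately excluded, so two variants that differ only in packed
        content share a fingerprint while their file hashes differ."""
        h = hashlib.sha256(struct.pack("<H", self.machine))
        for name, _raw_size, characteristics in self.sections:
            h.update(name + struct.pack("<I", characteristics))
        return h.hexdigest()


def parse_pe(data: bytes) -> Optional[PEInfo]:
    """Return header facts for a PE image, or None for non-PE or truncated input."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != DOS_MAGIC:
        return None
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    coff_off = e_lfanew + len(PE_SIGNATURE)
    if coff_off + COFF_HEADER_SIZE > len(data) or data[e_lfanew:coff_off] != PE_SIGNATURE:
        return None
    machine, nsect, tstamp, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        COFF_HEADER_FMT, data, coff_off)
    sect_off = coff_off + COFF_HEADER_SIZE + opt_size
    if sect_off + nsect * SECTION_HEADER_SIZE > len(data):
        return None  # section table runs past EOF: truncated or hostile header
    info = PEInfo(machine, tstamp)
    for i in range(nsect):
        f = struct.unpack_from(SECTION_HEADER_FMT, data, sect_off + i * SECTION_HEADER_SIZE)
        info.sections.append((f[0].rstrip(b"\0"), f[3], f[9]))  # name, SizeOfRawData, flags
    return info


def file_hash(data: bytes) -> str:
    """Whole-file SHA-256, the indicator a content-only search would rely on."""
    return hashlib.sha256(data).hexdigest()


def build_pe(machine: int, timestamp: int, sections) -> bytes:
    """Assemble a minimal constructed PE image for the demo (not real malware)."""
    dos = bytearray(64)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 64)          # PE signature right after DOS header
    opt = bytes(224)                                          # zero-filled PE32 optional header
    coff = struct.pack(COFF_HEADER_FMT, machine, len(sections), timestamp, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), len(body), 0, len(body), 0, 0, 0, 0, 0, flags)
        for name, body, flags in sections)
    return bytes(dos) + PE_SIGNATURE + coff + opt + table + b"".join(body for _, body, _ in sections)


def demo_inventory() -> List[Dict]:
    """Constructed host inventory: (path, owner, file bytes) records."""
    def layout_a(text_body: bytes):
        return [(b".text", text_body, SECT_CODE), (b".rdata", b"cfg", SECT_DATA)]
    return [
        {"path": r"C:\Users\alice\AppData\svc.exe", "owner": "alice",
         "data": build_pe(0x14C, 1283000000, layout_a(b"\x90" * 16))},
        {"path": r"C:\Users\bob\Downloads\update.exe", "owner": "bob",      # repacked variant:
         "data": build_pe(0x14C, 1283999999, layout_a(b"\xCC" * 16))},      # same layout, new bytes
        {"path": r"C:\Program Files\tool\tool.exe", "owner": "SYSTEM",       # unrelated binary
         "data": build_pe(0x8664, 1283000000, [(b".text", b"\x90" * 16, SECT_CODE),
                                               (b".data", b"x", SECT_DATA), (b".rsrc", b"y", SECT_DATA)])},
        {"path": r"C:\Users\bob\notes.txt", "owner": "bob", "data": b"not an executable"},
    ]


def find_related(inventory: List[Dict], reference: bytes) -> Dict[str, List[str]]:
    """Retrospective search: every inventoried PE whose header layout matches the
    reference sample, grouped by owner so the breach can be scoped per account."""
    ref = parse_pe(reference)
    if ref is None:
        raise ValueError("reference is not a PE file")
    want = ref.structural_fingerprint()
    hits: Dict[str, List[str]] = {}
    for rec in inventory:
        info = parse_pe(rec["data"])
        if info is not None and info.structural_fingerprint() == want:
            hits.setdefault(rec["owner"], []).append(rec["path"])
    return hits


if __name__ == "__main__":
    inv = demo_inventory()
    for owner, paths in find_related(inv, inv[0]["data"]).items():
        print(owner, paths)
```

The check a practitioner wants is visible in the inventory: the two variants have different `file_hash()` values, so a hash-only search finds one of them, while the header fingerprint links both and attributes them to `alice` and `bob`. The fingerprint is a coarse, illustrative criterion; real deployments would combine several header and behavioural features, and `TimeDateStamp` is recorded but left out of the fingerprint because a packer can set it to anything.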