Towards Early Mitigation of Cyber Attacks: A Cross-dimensional Analysis of Malware Behaviour

Date: 17 Dec 2021

Time: 11:00 AM

Venue: Google Meet

Details

Malware programs differ in their objectives and threat levels, ranging from mere pop-ups to financial loss and fatal sabotage. Consequently, malware differs in functionality and leaves different footprints in different system components, namely the Network, the Operating System (OS), and the Hardware. To detect malware, most contemporary run-time solutions use generic models that consider program behavior in only one of these components, missing critical information that could be collected from the others. Malware detection can therefore benefit significantly from a cross-dimensional analysis of malware behavior. However, no such analysis exists, nor does a holistic dataset that captures malware behavior across network, OS, and hardware. We bridge this gap by building a rich, first-of-its-kind dataset and a comprehensive analysis, and use them to propose novel malware detection mechanisms.

In this seminar, we first present JUGAAD, a lightweight heterogeneous testbed framework for building holistic datasets for malware research. JUGAAD uses readily available low-cost single-board computers and desktop systems to quickly build a private testbed with features that facilitate large-scale malware analysis: high fidelity to real-world conditions; a cross-dimensional view of malware behavior; isolation and containment of malicious activity while still allowing internet connectivity; stateless evaluations; automation; and scaling up as required.

Next, we present SUNDEW, a malware detection framework that takes a cross-dimensional view of malware behavior by considering run-time traces from the network, OS, and hardware components. SUNDEW uses a bouquet of predictors, each tuned on data from a specific malware class in a particular system component. It then applies a hierarchical strategy to aggregate the predictions, taking into account the threat level of each malware class and the dynamic noise behavior of the system components. We evaluate SUNDEW on a cross-dimensional behavioral dataset of more than 10,000 malware samples from 8 malware classes, collected on JUGAAD. We achieve an F1-score of 1 for most malware classes, an average F1-score of 0.93 in precisely detecting any malware class, and 0.82 even under highly noisy conditions.
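The abstract describes the shape of SUNDEW's detector (one predictor per malware class per component, fused hierarchically with attention to threat level and per-component noise) but not its exact aggregation rule. The block below is an added illustration of one way such a two-level fusion can be realised; it is not SUNDEW's code. The component weighting (`1 - noise`), the threat levels, the per-threat-level thresholds and the sample scores are all assumptions chosen for the example, and the "noise" values stand in for whatever a deployment measures at run time.

```python
"""Cross-dimensional, hierarchical fusion of per-class, per-component malware
predictors. Added illustration of the idea described in the seminar abstract,
not SUNDEW's own code: component weighting, threat levels, thresholds and the
sample scores below are assumptions made for this example."""

COMPONENTS = ("network", "os", "hardware")

# Assumed threat levels (higher = more severe); not taken from the seminar.
THREAT_LEVEL = {"ransomware": 3, "rootkit": 3, "trojan": 2, "adware": 1}

# Assumed per-threat-level decision thresholds: a severe class is flagged on
# weaker evidence than a nuisance class, trading false alarms on adware for
# fewer misses on ransomware.
THRESHOLD = {3: 0.35, 2: 0.45, 1: 0.55}


def component_weight(noise: float) -> float:
    """Weight of a component's vote given its current noise level in [0, 1].

    A fully noisy component contributes nothing; a quiet one contributes its
    full score. The linear mapping is an assumption for the example.
    """
    return min(1.0, max(0.0, 1.0 - noise))


def fuse_class(scores: dict, noise: dict) -> float:
    """Level 1: combine one class's predictors across components.

    scores maps component -> probability that this class is present, as
    reported by the predictor tuned for (class, component). The result is the
    noise-weighted score averaged over the components that have a predictor,
    so a confident vote from a noisy component is discounted, not trusted.
    """
    if not scores:
        return 0.0
    total = sum(component_weight(noise.get(c, 0.0)) * p for c, p in scores.items())
    return total / len(scores)


def decide(predictions: dict, noise: dict):
    """Level 2: pick the class to report, if any.

    predictions maps class -> {component: score}. Each class is fused across
    components and compared with the threshold for its threat level; among the
    classes that pass, the most severe wins (ties broken by fused score).
    Returns (class or None, {class: fused score}).
    """
    fused = {cls: fuse_class(s, noise) for cls, s in predictions.items()}
    flagged = [cls for cls, p in fused.items() if p >= THRESHOLD[THREAT_LEVEL[cls]]]
    if not flagged:
        return None, fused
    return max(flagged, key=lambda c: (THREAT_LEVEL[c], fused[c])), fused


# Constructed run-time traces for the example (not measured data).
# Case A: a ransomware sample observed while the network channel is noisy.
# Its network chatter scores high for adware, but OS and hardware agree on
# ransomware, and severity ordering reports ransomware despite adware's
# higher fused score.
CASE_A = {
    "ransomware": {"network": 0.20, "os": 0.95, "hardware": 0.85},
    "adware":     {"network": 0.90, "os": 0.95, "hardware": 0.90},
}
NOISE_A = {"network": 0.8, "os": 0.1, "hardware": 0.2}

# Case B: one confident rootkit vote from a hardware channel that is almost
# entirely noise, plus weak trojan votes: nothing should be reported.
CASE_B = {
    "rootkit": {"hardware": 0.70},
    "trojan":  {"network": 0.30, "os": 0.20},
}
NOISE_B = {"hardware": 0.95}

if __name__ == "__main__":
    for name, preds, noise in (("A", CASE_A, NOISE_A), ("B", CASE_B, NOISE_B)):
        verdict, fused = decide(preds, noise)
        print(name, verdict, {k: round(v, 3) for k, v in fused.items()})
```

Two design points worth noting. Normalising by the number of components that have a predictor means a class monitored in only one component can still be detected when that component is quiet, while a noisy component's vote is scaled down rather than dropped, so the detector degrades gracefully instead of going blind when one channel is unusable. Ranking flagged classes by threat level before score is what makes the output actionable for early mitigation: the responder sees the most damaging plausible class first, even if a lower-severity class happens to score higher.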

Speakers

Ms. Sareena K P, Roll No: CS15D400

Department of Computer Science and Engineering