
Behavior-Based Malware Email Filtering

Researchers: Jason Hong, James Hoe

Research Area: Trustworthy Computing Platforms and Devices

Cross Cutting Thrusts: Software Security

Abstract

Malware delivered as email attachments poses a significant threat to everyday desktop end-users. To facilitate the delivery of risk-free email, we have been developing a Behavior-based Email Filtering System (BEEFS) that can be integrated into a mail server or deployed as a mail proxy. BEEFS monitors the execution of email attachments that byte-signature scans could not reject outright, running them in a clean virtual machine (VM). BEEFS identifies suspect executables by looking for automatically learnt behavioral signatures. This work is based on the observation that most malware can be categorized into known families, and that samples in the same family share similar behavioral patterns. In the current BEEFS prototype, the malware detector recognizes malware behaviors through simple patterns in the sequence of system calls and their associated arguments. Such a behavioral signature can be extracted automatically by training against known malware samples and later used to identify suspicious activities of unknown executables.
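As an added illustration of the approach (this is not BEEFS code; the traces, system-call names and argument patterns below are constructed), the following learns a per-family signature as the set of syscall-plus-argument bigrams shared by every training sample of that family and absent from benign traces, then scores an unknown VM trace against each family:

```python
# Added example, not BEEFS code: learn per-family n-gram behavioral signatures
# from sandbox syscall traces and score an unknown trace against them.
from collections import defaultdict

# Constructed sample traces: (syscall, argument pattern) pairs as a sandbox
# might report them, with concrete argument values abstracted to patterns.
TRAINING = {
    "mailer_worm": [
        [("RegSetValue", "HKLM\\...\\Run"), ("CreateFile", "%SYSTEM%\\*.exe"),
         ("socket", "tcp"), ("connect", "*:25")],
        [("CreateFile", "%SYSTEM%\\*.exe"), ("RegSetValue", "HKLM\\...\\Run"),
         ("socket", "tcp"), ("connect", "*:25")],
    ],
    "downloader": [
        [("InternetOpen", "*"), ("InternetOpenUrl", "http://*"),
         ("CreateFile", "%TEMP%\\*.exe"), ("CreateProcess", "%TEMP%\\*.exe")],
        [("InternetOpen", "*"), ("InternetOpenUrl", "http://*"), ("Sleep", "*"),
         ("CreateFile", "%TEMP%\\*.exe"), ("CreateProcess", "%TEMP%\\*.exe")],
    ],
}
# Constructed benign trace (a document viewer) used to prune common n-grams.
BENIGN = [[("CreateFile", "%USERPROFILE%\\*.docx"), ("ReadFile", "*"),
           ("WriteFile", "*"), ("CloseHandle", "*")]]

def ngrams(trace, n):
    """All length-n windows of (syscall, argument) pairs in a trace."""
    return {tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)}

def learn_signatures(training, benign, n=2):
    """Keep the n-grams common to every sample of a family, minus benign ones."""
    benign_grams = set().union(*(ngrams(t, n) for t in benign))
    sigs = {}
    for family, traces in training.items():
        common = set.intersection(*(ngrams(t, n) for t in traces))
        sigs[family] = common - benign_grams
    return sigs

def classify(trace, sigs, n=2, threshold=0.5):
    """Return (family, score) for the best match, or (None, score) below threshold."""
    grams = ngrams(trace, n)
    best, best_score = None, 0.0
    for family, sig in sigs.items():
        if not sig:
            continue  # no discriminating pattern learnt for this family
        score = len(grams & sig) / len(sig)
        if score > best_score:
            best, best_score = family, score
    return (best, best_score) if best_score >= threshold else (None, best_score)
```

Real deployments would abstract arguments more carefully (path normalisation, port classes) and use longer n-grams, but the learn-then-match structure is the same.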