Shadow Attacks: Automatically Evading System-Call-Behavior Based Malware Detection
Contemporary malware makes extensive use of techniques such as packing, code obfuscation, polymorphism, and metamorphism to evade signature-based detection. Traditional signature-based detection struggles to keep up with the latest or previously unknown malware. Behavior-based detection models are being investigated as a new methodology to defeat malware. These approaches typically rely on system call sequences or graphs to model a malicious specification or pattern. In this paper, the authors present a new class of attacks, namely "Shadow attacks", that evade current behavior-based malware detectors by partitioning one piece of malware into multiple "Shadow processes".
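To make the detection gap concrete from the defender's side, the following added example (not code from the paper or its authors) contrasts a toy detector that models each process's system-call sequence on its own with one that merges a process's trace with the traces of its descendants. The trace lines, process ids, parent ids, and the four-call specification are all constructed for illustration; the point is that a behavior pattern split across a parent and a child process goes unmatched per process but is recovered once traces are correlated by process lineage.

```python
"""Per-process vs. lineage-correlated system-call pattern matching.

Added illustration; not the paper's code. All trace data below is constructed.
"""
from collections import defaultdict

# A behaviour specification: an ordered subsequence of system calls that the
# detector treats as malicious when all of it appears in one trace (constructed).
SPEC = ("open", "read", "connect", "send")

# Constructed trace lines in observed order: "<pid> <ppid> <syscall>".
# Process 100 performs the first half of the pattern and its child 101 the
# second half; process 200 performs the whole pattern by itself.
TRACE = """\
100 1 open
100 1 read
101 100 connect
101 100 send
200 1 open
200 1 read
200 1 connect
200 1 send
""".splitlines()


def parse_trace(lines):
    """Parse trace lines into (pid, ppid, syscall) tuples."""
    events = []
    for line in lines:
        pid, ppid, call = line.split()
        events.append((int(pid), int(ppid), call))
    return events


def contains_subsequence(calls, spec):
    """True if spec occurs in calls as an ordered, not necessarily contiguous, subsequence."""
    it = iter(calls)
    return all(any(c == s for c in it) for s in spec)


def per_process_matches(events, spec):
    """Detector that models each process in isolation: returns matching pids."""
    by_pid = defaultdict(list)
    for pid, _, call in events:
        by_pid[pid].append(call)
    return sorted(pid for pid, calls in by_pid.items()
                  if contains_subsequence(calls, spec))


def lineage_matches(events, spec):
    """Detector that merges each top-level process's trace with its descendants'.

    Returns the pids of top-level processes (those whose parent was not itself
    observed in the trace) whose combined lineage trace matches the spec.
    """
    observed = {pid for pid, _, _ in events}
    children = defaultdict(list)
    for pid, ppid, _ in events:
        if pid != ppid and pid not in children[ppid]:
            children[ppid].append(pid)

    def subtree(root):
        seen, stack = set(), [root]
        while stack:
            p = stack.pop()
            if p in seen:
                continue
            seen.add(p)
            stack.extend(children[p])
        return seen

    tops = sorted({pid for pid, ppid, _ in events if ppid not in observed})
    result = []
    for root in tops:
        members = subtree(root)
        # Keep the original observation order across the whole lineage.
        merged = [call for pid, _, call in events if pid in members]
        if contains_subsequence(merged, spec):
            result.append(root)
    return result


if __name__ == "__main__":
    events = parse_trace(TRACE)
    print("per-process detector flags:", per_process_matches(events, SPEC))
    print("lineage detector flags:   ", lineage_matches(events, SPEC))
```

Run stand-alone, the per-process detector flags only process 200, while the lineage detector flags both 100 and 200. A real correlation layer would also have to account for processes that are not related by parent/child (for example, cooperating processes started independently), which is exactly the harder case a partitioned malware can exploit.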