-
Matthias Neugschwandtner and Christian Platzer and Paolo Milani Comparetti and Ulrich Bayer, "dAnubis (Dynamic Device Driver Analysis Based on Virtual Machine Introspection)," in
Seventh Conference on Detection of Intrusions and Malware & Vulnerability Assessment DIMVA, 2010.
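@inproceedings{Neugschwandtner_dAnubis_Dynamic_Device_Driver__null,
  author        = {Neugschwandtner, Matthias and Platzer, Christian and Milani Comparetti, Paolo and Bayer, Ulrich},
  title         = {{dAnubis} (Dynamic Device Driver Analysis Based on Virtual Machine Introspection)},
  booktitle     = {Seventh Conference on Detection of Intrusions and Malware \& Vulnerability Assessment ({DIMVA})},
  year          = {2010},
  month         = jul,
  abstract      = {In the escalating arms race between malicious code and security tools designed to analyze it, detect it or mitigate its impact, malicious code running inside the operating system kernel provides an extremely powerful tool. Kernel-level code can introduce hard to detect backdoors, provide stealth by hiding files, processes or other resources and in general tamper with operating system code and data in arbitrary ways. Under Windows, kernel-level malicious code typically takes the form of a device driver. In this work, we present dAnubis, a system for the real-time, dynamic analysis of malicious Windows device drivers. dAnubis can automatically provide a high-level, human-readable report of a driver's behavior on the system. We applied our system to a dataset of over 400 malware samples. The results of this analysis shed some light on the behavior of kernel-level malicious code that is in the wild today.},
  pdf           = {dimva2010-dAnubis.pdf},
  internal-note = {Citation key kept unchanged so existing cite references still resolve; its trailing "__null" looks like a failed year substitution by the exporting tool. Names are now in "Last, First" form so the two-word surname Milani Comparetti is not split; the unescaped ampersand in booktitle, the numeric month and the hyphenation artifacts in the abstract were repaired.},
}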
-
Corrado Leita and Ulrich Bayer and Engin Kirda, "Exploiting diverse observation perspectives to get insights on the malware landscape," in
Dependable Systems and Networks DSN, 2010.
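@inproceedings{Leita_Exploiting_diverse_observation_2010,
  author        = {Leita, Corrado and Bayer, Ulrich and Kirda, Engin},
  sbahotlist    = {true},
  title         = {Exploiting Diverse Observation Perspectives to Get Insights on the Malware Landscape},
  booktitle     = {Dependable Systems and Networks ({DSN})},
  year          = {2010},
  month         = jan,
  abstract      = {We are witnessing an increasing complexity in the malware analysis scenario. The usage of polymorphic techniques generates a new challenge: it is often difficult to discern the instance of a known polymorphic malware from that of a newly encountered malware family, and to evaluate the impact of patching and code sharing among malware writers in order to prioritize analysis efforts. This paper offers an empirical study on the value of exploiting the complementarity of different information sources in studying malware relationships. By leveraging real-world data generated by a distributed honeypot deployment, we combine clustering techniques based on static and behavioral characteristics of the samples, and we show how this combination helps in detecting clustering anomalies. We also show how the different characteristics of the approaches can help, once combined, to underline relationships among different code variants. Finally, we highlight the importance of contextual information on malware propagation for getting a deeper understanding of the evolution and the economy of the different threats.},
  internal-note = {Same paper as entry leita2010exploiting in this file, which lists a different author order and carries the page numbers and PDF; the two entries should be merged into one key (or one aliased to the other) after confirming the author order against the paper.},
}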
-
Ulrich Bayer and Engin Kirda and Christopher Kruegel, "Improving the Efficiency of Dynamic Malware Analysis," in
25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications, 2010.
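@inproceedings{Bayer_ImprovingEfficiencyof_2010,
  author        = {Bayer, Ulrich and Kirda, Engin and Kruegel, Christopher},
  title         = {Improving the Efficiency of Dynamic Malware Analysis},
  booktitle     = {25th Symposium On Applied Computing ({SAC}), Track on Information Security Research and Applications},
  year          = {2010},
  month         = mar,
  pdf           = {Bayer_ImprovingEfficiencyof_2010.pdf},
  note          = {Lausanne, Switzerland},
  internal-note = {Names converted to "Last, First" form and the numeric month replaced by the month macro. The conference location is kept in note (spelling corrected from "Lusanne"); verify the venue against the proceedings front matter before relying on it.},
}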
-
Engin Kirda and Ulrich Bayer and Corrado Leita, "Exploiting diverse observation perspectives to get insights on the malware landscape," in
2010 IEEE IFIP International Conference on Dependable Systems and Networks (DSN), 2010, pp. 393–402.
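@inproceedings{leita2010exploiting,
  author        = {Kirda, Engin and Bayer, Ulrich and Leita, Corrado},
  sbahotlist    = {true},
  title         = {Exploiting Diverse Observation Perspectives to Get Insights on the Malware Landscape},
  booktitle     = {2010 {IEEE} {IFIP} International Conference on Dependable Systems and Networks ({DSN})},
  year          = {2010},
  month         = jan,
  pdf           = {dsn2010.pdf},
  pages         = {393--402},
  internal-note = {Duplicate of Leita_Exploiting_diverse_observation_2010 (same title, venue and year) with a different author order; confirm the order against the paper and merge the two entries so the work is cited under one key. The booktitle was reordered from the inverted catalogue form ("... Conference on") into reading order; no words were added.},
}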
-
Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Ulrich Bayer and Clemens Hlauschek, "Scalable, Behavior-Based Malware Clustering," in
Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS 2009), 2009.
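@inproceedings{Bayer_ScalableBehaviorBasedMalware_2009,
  author        = {Kruegel, Christopher and Kirda, Engin and Milani Comparetti, Paolo and Bayer, Ulrich and Hlauschek, Clemens},
  sbahotlist    = {true},
  title         = {Scalable, Behavior-Based Malware Clustering},
  booktitle     = {Proceedings of the 16th Annual Network and Distributed System Security Symposium ({NDSS} 2009)},
  year          = {2009},
  month         = jan,
  pdf           = {Bayer_ScalableBehaviorBasedMalware_2009.pdf},
  internal-note = {Names converted to "Last, First" form so the two-word surname Milani Comparetti is kept intact. The author order as exported starts with Kruegel although the citation key names Bayer as first author; confirm the order against the paper before citing.},
}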
-
Christopher Kruegel and Engin Kirda and Ulrich Bayer and Davide Balzarotti and Imam Habibi, "Insights Into Current Malware Behavior," in
2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), Boston, 2009.
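@inproceedings{Bayer_InsightsIntoCurrent_2009,
  author        = {Kruegel, Christopher and Kirda, Engin and Bayer, Ulrich and Balzarotti, Davide and Habibi, Imam},
  title         = {Insights Into Current Malware Behavior},
  booktitle     = {2nd {USENIX} Workshop on Large-Scale Exploits and Emergent Threats ({LEET}), Boston},
  year          = {2009},
  month         = apr,
  pdf           = {Bayer_InsightsIntoCurrent_2009.pdf},
  internal-note = {Names converted to "Last, First" form; acronyms in booktitle brace-protected; numeric month replaced by the month macro. The exported author order starts with Kruegel although the citation key names Bayer as first author; confirm against the paper.},
}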
-
Christopher Kruegel and Engin Kirda and Ulrich Bayer and Andreas Moser, "Dynamic Analysis of Malicious Code,"
Journal in Computer Virology, 2006.
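@article{Bayer_DynamicAnalysisof_2006,
  author        = {Kruegel, Christopher and Kirda, Engin and Bayer, Ulrich and Moser, Andreas},
  title         = {Dynamic Analysis of Malicious Code},
  journal       = {Journal in Computer Virology},
  year          = {2006},
  month         = jan,
  abstract      = {Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware.},
  publisher     = {Springer Computer Science},
  internal-note = {Names converted to "Last, First" form and numeric month replaced by the month macro. volume, number and pages are missing for this journal article and should be added from the published version; the exported author order starts with Kruegel although the citation key names Bayer as first author, so confirm it against the paper.},
}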
-
Christopher Kruegel and Engin Kirda and Ulrich Bayer, "TTAnalyze: A Tool for Analyzing Malware," in
Proceedings of the 15th European Institute for Computer Antivirus Research (EICAR 2006) Annual Conference, 2006.
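@inproceedings{Bayer_TTAnalyzeToolAnalyzing_2006,
  author        = {Kruegel, Christopher and Kirda, Engin and Bayer, Ulrich},
  title         = {{TTAnalyze}: A Tool for Analyzing Malware},
  booktitle     = {Proceedings of the 15th European Institute for Computer Antivirus Research ({EICAR} 2006) Annual Conference},
  year          = {2006},
  month         = apr,
  note          = {Best Paper Award},
  internal-note = {Tool name and venue acronym brace-protected so sentence-casing styles keep their capitalization; names in "Last, First" form; numeric month replaced by the month macro. The exported author order starts with Kruegel although the citation key names Bayer as first author; confirm against the paper.},
}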