A framework for behavior-based malware analysis in the cloud

Lorenzo Martignoni†, Roberto Paleari‡, and Danilo Bruschi‡

† Dipartimento di Fisica, Università degli Studi di Udine
‡ Dipartimento di Informatica e Comunicazione, Università degli Studi di Milano
lorenzo.martignoni@uniud.it, {roberto,bruschi}@security.dico.unimi.it

Abstract. To ease the analysis of potentially malicious programs, dynamic behavior-based techniques have been proposed in the literature. Unfortunately, these techniques often give incomplete results because the execution environments in which they are performed are synthetic and do not faithfully resemble the environments of end-users, the intended targets of the malicious activities. In this paper, we present a new framework for improving behavior-based analysis of suspicious programs. Our framework allows an end-user to delegate to security labs (the cloud) the execution and the analysis of a program, and to force the program to behave as if it were executed directly in the environment of the end-user. The evaluation demonstrated that the proposed framework allows security labs to improve the completeness of the analysis, by analyzing a piece of malware on behalf of multiple end-users simultaneously, while performing a fine-grained analysis of the behavior of the program with no computational cost for end-users.

1 Introduction

With the development of the underground economy, malicious programs are becoming very profitable products; they are used to send spam, to perpetrate web fraud, to steal personal information, and for many other nefarious tasks. An important consequence of this lucrative motivation behind malware development is that these programs are becoming increasingly specialized and difficult to analyze: more and more often they attack very specific classes of users and systems, and their code is continuously updated to introduce additional features and specific modifications that thwart the analysis and eventually evade detection.
To counteract these new threats and to overcome the limitations of traditional malware analysis and detection techniques, security vendors and the research community are moving towards dynamic behavior-based solutions. This approach is becoming the primary method for security labs to automatically understand the behaviors that characterize each new piece of malware and to develop the appropriate countermeasures [1–3]. This technology is also used on end-users' hosts, to monitor the execution of suspicious programs and try to detect and block malicious behaviors in real-time [4–6].

Dynamic behavior-based analysis has two major disadvantages: incompleteness and non-negligible run-time overhead. Security labs analyze new malicious