微信服务号

微信订阅号

2025-4-24- 18
Home > Archive>Volume 23, Issue 2, 2012 >378-393. DOI:10.3724/SP.J.1001.2012.03953
PDF HTML XML Export Cite reminder
Semantics-Based Malware Behavior Signature Extraction and Detection Method
Author:
Affiliation:

  • Article
    • | |
  • Metrics
    • |
  • Reference [28]
    • |
  • Related [20]
    • |
  • Cited by [5]
    • | |
  • Comments
    Abstract:

    This paper proposes a semantic-based approach to malware behavioral signature extraction and detection. This approach extracts critical malware behaviors as well as dependencies among these behaviors, integrating instruction-level taint analysis and behavior-level semantics analysis. Then, it acquires anti-interference malware behavior signatures using anti-obfuscation engine to identify semantic irrelevance and semantically equivalence. Further, a prototype system based on this signature extraction and detection approach is developed and evaluated by multiple malware samples. Experimental results have demonstrated that the malware signatures extracted show good ability to anti obfuscation and the detection based on theses signatures could recognize malware variants effectively.

    Reference
    [1] Symantec global Internet security threat report, trends for 2008. Vol.14, 2009. http://www.symantec.com/business/theme.jsp?themeid=threatreport
    [2] Li Y, Zuo ZH. An overview of object-code obfuscation technologies. Journal of Computer Technology and Development, 2007, 17(4):125-127 (in Chinese with English abstract).
    [3] Yin H, Song D, Egele M, Kruegel C, Kirda E. Panorama: Capturing system-wide information flow for malware detection and analysis. In: Proc. of the 14th ACM Conf. on Computer and Communications Security. Alexandria, 2007. [doi: 10.1145/1315245. 1315261]
    [4] Christodorescu M, Jha S. Testing malware detectors. In: Proc. of the 2004 ACM SIGSOFT Int’l Symp. on Software Testing and Analysis (ISSTA 2004). Boston, 2004. 34-44. [doi: 10.1145/1007512.1007518]
    [5] Jacob G, Debar H, Fillol E. Behavioral detection of malware: From a survey towards an established taxonomy. Journal in Computer Virology, 2008,4(3):251-266. [doi: 10.1007/s11416-008-0086-0]
    [6] Parampalli C, Sekar R, Johnson R. A practical mimicry attack against powerful system-call monitors. In: Proc. of the 2008 ACM Symp. on Information, Computer and Communications Security. New York, 2008. 156-167. [doi: 10.1145/1368310.1368334]
    [7] Sathyanarayan VS, Kohli P, Bruhadeshwar B. Signature generation and detection of malware families. In: Proc. of the 13th Austalasian Conf. on Information Security and Privacy. Wollongong, 2008. 336-349. [doi: 10.1007/978-3-540-70500-0_25]
    [8] Christodorescu M, Jha S, Seshia SA, Song DX, Bryant RE. Semantics-Aware malware detection. In: Proc. of the 2005 IEEE Symp. on Security and Privacy. 2005. 32-46. [doi: 10.1109/SP.2005.20]
    [9] Preda MD, Christodorescu M, Jha S, Debray S. A semantics-based approach to malware detection. In: Proc. of the Symp. on Principles of Programming Languages. New York: ACM Press, 2007. 377-388. [doi: 10.1145/1190216.1190270]
    [10] Kinder J, Katzenbeisser S, Schallhart C, Veith H. Detecting malicious code by model checking. In: Proc. of the 2nd Int’l Conf. on Intrusion and Malware Detection and Vulnerability Assessment (DIMVA 2005). LNCS 3548, Vienna: Springer-Verlag, 2005. 174-187. [doi: 10.1007/11506881_11]
    [11] Christodorescu M, Kinder J, Jha S, Katzenbeisser S, Veith H. Malware normalization. Technical Report, #1539, Madison: University of Wisconsin, 2005.
    [12] Moser A, Kruegel C, Kirda E. Exploring multiple execution paths for malware analysis. In: Proc. of the 2007 IEEE Symp. on Security and Privacy. 2007. 231-245. [doi: 10.1109/SP.2007.17]
    [13] Willems C, Holz T, Freiling F. Toward automated dynamic malware analysis using CWSandbox. IEEE Security and Privacy, 2007, 5(2):32-39. [doi: 10.1109/MSP.2007.45]
    [14] Bayer U, Kruegel C, Kirda E. TTAnalyze: A tool for analyzing malware. In: Proc. of the EICAR 2006. 2006. 180-192.
    [15] Bellard F. Qemu, A fast and portable dynamic translator. In: Proc. of the USENIX 2005 Annual Technical Conf. on FREENIX Track. 2005. 41-46.
    [16] Kirda E, Kruegel C, Banks G, Vigna G, Kemmerer RA. Behavior-Based spyware detection. In: Proc. of the 15th Conf. on USENIX Security Symp. Springer-Verlag, 2006. 273-288.
    [17] Bailey M, Oberheide J, Andersen J, Mao ZM, Jahanian F, Nazario J. Automated classification and analysis of Internet malware. In: Proc. of the 10th Symp. on Recent Advances in Intrusion Detection (RAID 2007). 2007. 178-197.
    [18] Bergeron J, Debbabi M, Desharnais J, Erhioui MM, Lavoie Y, Tawbi N. Static detection of malicious code in executable programs. In: Proc. of the Symp. on Requirements Engineering for Information Security. 2001.
    [19] Christodorescu M, Jha S. Static analysis of executables to detect malicious patterns. In: Proc. of the 12th USENIX Security Symp. 2003.
    [20] Bilar D. Statistical Structures: Tolerant fingerprinting for classification and analysis. In: Proc. of the Black Hat USA 2006. Las Vegas, 2006.
    [21] Christodorescu M, Jha S, Kruegel C. Mining specifications of malicious behavior. In: Proc. of the 6th Joint Meeting of the European Software Engineering Conf. and the ACM SIGSOFT Symp. on the Foundations of Software Engineering (ESEC/FSE). 2007. [doi: 10.1145/1287624.1287628]
    [22] Cogswell B, Russinovich M. Rootkit revealer. 2006. http://www.microsoft.com/technet/sysinternals/Utilities/RootkitRevealer.mspx
    [23] Wang YM, Roussev R, Verbowski C, Johnson A, Wu MW, Huang YN, Kuo SY. Gatekeeper: Monitoring auto-start extensibility points (ASEPs) for spyware management. In: Proc. of the 18th Systems Administration Conf. (LISA 2004). 2004. 33-46.
    [24] Butler J, Hoglund G. VICE—Catch the hookers! In: Proc. of the Black Hat USA 2004. 2004. http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-butler/bh-us-04-butler.pdf
    [25] Newsome J, Song D. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: Proc. of the 12th Annual Network and Distributed System Security Symp. (NDSS). 2005.
    [26] Sreedhar VC, Gao GR, Lee YF. Identifying loops using DJ graphs. ACM Trans. on Programming Languages and Systems (TOPLAS), 1996,18(6):649-658. [doi: 10.1145/236114.236115]
    [27] Hex-Rays. http://www.hex-rays.com
    [28] VX heavens. http://vx.netlux.org/
    Comments
    Comments
    分享到微博
    Submit
Get Citation

王蕊,冯登国,杨轶,苏璞睿.基于语义的恶意代码行为特征提取及检测方法.软件学报,2012,23(2):378-393

Copy
Share
Article Metrics
  • Abstract:6721
  • PDF: 16143
  • HTML: 0
  • Cited by: 0
History
  • Received:April 12,2010
  • Revised:September 10,2010
  • Online: February 07,2012
Links:Institute of Software, CASChina Computer FederationCASNSFC
You are the first2038195Visitors
Copyright: Institute of Software, Chinese Academy of Sciences Beijing ICP No. 05046678-4
Address:4# South Fourth Street, Zhong Guan Cun, Beijing 100190,Postal Code:100190
Phone:010-62562563 Fax:010-62562533 Email:jos@iscas.ac.cn
Technical Support:Beijing Qinyun Technology Development Co., Ltd.

Beijing Public Network Security No. 11040202500063