A Framework for Understanding Dynamic Anti-Analysis Defenses

Qiu, Jing Hui; Yadegari, Babak; Johannesmeyer, Brian; Debray, Saumya; Su, Xin

doi:10.1145/2689702.2689704

Cited by 12 publications

(7 citation statements)

References 35 publications

(44 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…If the guard is protected with interleaved self-checksumming code [5], a successful tampering requires removing all the selfchecksumming code at the same time, of which the chance is very low without sophisticated analysis. Existing approaches on identifying such code generally require using dynamic analysis and taint analysis together [23]. Empirically, the time required to tamper each guard is not negligible.…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

N-Version Obfuscation: Impeding Software Tampering Replication with Program Diversity

Xu,

Zhou,

Lyu

2015

Preprint

View full text Add to dashboard Cite

Tamper-resistance is a fundamental software security research area. Many approaches have been proposed to thwart specific procedures of tampering, e.g., obfuscation and self-checksumming. However, to our best knowledge, none of them can achieve theoretically tamper-resistance. Our idea is to impede the replication of tampering via program diversification, and thus increasing the complexity to break the whole software system. To this end, we propose to deliver same featured, but functionally nonequivalent software copies to different machines. We formally define the problem as N-version obfuscation, and provide a viable means to solve the problem. Our evaluation result shows that the time required for breaking a software system is linearly increased with the number of software versions, which is O(n) complexity.

show abstract

Section: Discussionmentioning

confidence: 99%

“…Using overlapped self-checksumming code can further increase the strength of protection. However, it can be defeated by carefully detecting and removing them [23] or exploring the vulnerabilities [29] of execution environment.…”

Section: B Limitation Of Anti-reverse Engineeringmentioning

confidence: 99%

N-Version Obfuscation: Impeding Software Tampering Replication with Program Diversity

Xu,

Zhou,

Lyu

2015

Preprint

View full text Add to dashboard Cite

show abstract

“…A recent survey on 36 research papers on dynamic analysis techniques [38] pointed out that the common shortcomings of dynamic analysis techniques are the problematic and somewhat obscure assumptions regarding the use of execution-driven datasets, and the lack of details and motivation on the security precautions that have been taken during the experimental phase. Moreover, recent malware is shipped with dynamic anti-analysis defenses that hide the malicious behaviour in the case a dynamic analysis environment is detected [36] and the lack of code coverage, as dynamic analysis is not designed to explore all or, at least, multiple execution paths of an executable [32]. Static analysis.…”

Section: Related Workmentioning

confidence: 99%

Novel Feature Extraction, Selection and Fusion for Effective Malware Family Classification

Ahmadi

Ulyanov

Semenov

et al. 2016

Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy

275

198

View full text Add to dashboard Cite

Modern malware is designed with mutation characteristics, namely polymorphism and metamorphism, which causes an enormous growth in the number of variants of malware samples. Categorization of malware samples on the basis of their behaviors is essential for the computer security community, because they receive huge number of malware everyday, and the signature extraction process is usually based on malicious parts characterizing malware families. Microsoft released a malware classification challenge in 2015 with a huge dataset of near 0.5 terabytes of data, containing more than 20K malware samples. The analysis of this dataset inspired the development of a novel paradigm that is effective in categorizing malware variants into their actual family groups. This paradigm is presented and discussed in the present paper, where emphasis has been given to the phases related to the extraction, and selection of a set of novel features for the effective representation of malware samples. Features can be grouped according to different characteristics of malware behavior, and their fusion is performed according to a per-class weighting paradigm. The proposed method achieved a very high accuracy ($\approx$ 0.998) on the Microsoft Malware Challenge dataset

show abstract

“…Since the provided test cases are likely to be incomplete, parts of the app's behavior are not discovered. These approaches are susceptible to a variety of anti-debugging and anti-monitoring defenses [190,172,176,210,178,64,136,114,97,90] as well as time bombs or logic bombs [95], which further decrease their efficacy. Furthermore, dynamic approaches are tedious and time consuming, as exhaustive execution of apps can take a substantial amount of time.…”

Section: Research Gapmentioning

confidence: 99%