A semantics-based approach to malware detection

Preda, Mila Dalla; Christodorescu, Mihai; Jha, Somesh; Debray, Saumya

doi:10.1145/1190216.1190270

Cited by 61 publications

(17 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Thus a metamorphic virus cannot utilize [...] techniques that make it harder or impossible for its code to be disassembled or reverse engineered by itself." In agreement with this point of view, many static detection approaches based on de-obfuscation techniques (such as data flow analysis [1] and slicing [25]) were developed [6,22,28]. However, more complex obfuscation schemes based on control flow modifications such as [5], could thwart these static detection techniques.…”

Section: Metamorphism and Obfuscationmentioning

confidence: 99%

From the design of a generic metamorphic engine to a black-box classification of antivirus detection techniques

Borello¹,

Filiol

Mé

2009

J Comput Virol

View full text Add to dashboard Cite

In this paper, we propose an original black-box approach concerning antivirus products evaluation. Contrary to classical tests focusing on detection rates concerning a specific malware sample, we use a generic metamorphic engine to observe the detection products behaviors. We believe that this point of view presents a double interest: First, it offers an original way of evaluating current antivirus products focusing on the observed detection technique. More precisely, the use of metamorphic malware guarantees the difficulty of static signature based detection techniques to focus only on heuristic and behavioral detection approaches. Second, by pointing out current detection capabilities, we practically evaluate the danger that complex metamorphic malware could represent. To achieve this goal, we start with the description of a generic metamorphic engine acting in two steps: obfuscation and modeling. Then, we apply this engine to a real mass-mailing worm and propose the resulting metamorphic malware samples to current antivirus products. The observed results lead to a classification of detection techniques in two main categories: the first one, relying on static detection techniques, presents low detection rates obtained by heuristic analysis. The second one, composed of behavioral detection programs, mainly focuses on elementary suspicious actions. In all cases, no product was able to detect a global malware behavior. Consequently, we consider J.-M. Borello (B) CELAR,

show abstract

Section: Metamorphism and Obfuscationmentioning

confidence: 99%

From the design of a generic metamorphic engine to a black-box classification of antivirus detection techniques

Borello¹,

Filiol

Mé

2009

J Comput Virol

View full text Add to dashboard Cite

show abstract

“…Indeed, we extend his result over metamorphic code. Even if this formal result seems far from detection in reality where false positives are acceptable, we believe that it could give birth to complex viruses able to thwart recent detection strategies like [4,20]. We will illustrate our metamorphic code obfuscator approach in Sect.…”

Section: Definition 3 Let Us Consider a Metamorphic Virusmentioning

confidence: 99%

Code obfuscation techniques for metamorphic viruses

Borello¹,

2008

View full text Add to dashboard Cite

This paper deals with metamorphic viruses. More precisely, it examines the use of advanced code obfuscation techniques with respect to metamorphic viruses. Our objective is to evaluate the difficulty of a reliable static detection of viruses that use such obfuscation techniques. Here we extend Spinellis' result (IEEE Trans. Inform. Theory, 49(1), [280][281][282][283][284] 2003) on the detection complexity of bounded-length polymorphic viruses to metamorphic viruses. In particular, we prove that reliable static detection of a particular category of metamorphic viruses is an N P-complete problem. Then we empirically illustrate our result by constructing a practical obfuscator which could be used by metamorphic viruses in the future to evade detection.

show abstract

“…Anyhow, static extraction remains possible as long as disassembly can be performed, which is a quite strong hypothesis because of the protection techniques mentioned previously. Theoretical works to assess the resistance of static semantic analyzers to obfuscation transformations have already been addressed by Preda et al [45].…”

Section: Data Collection and Interpretation: Static Extractionmentioning

confidence: 99%

“…The instructions stored in the nodes of the extracted graphs are often replaced by an associated label to reach a higher level of abstraction than simple assembly code. The labelling procedure may follow two approaches: either the instructions are translated into an intermediate representation carrying a semantic value [45,46] or instructions are reduced to their basic class of operation (arithmetic, logic, function call. .…”

Section: Matching Algorithms and Models: Annoted Graph Isomorphismmentioning

confidence: 99%

Behavioral detection of malware: from a survey towards an established taxonomy

Jacob

Debar

Filiol³

2008

J Comput Virol

178

View full text Add to dashboard Cite

Behavioral detection differs from appearance detection in that it identifies the actions performed by the malware rather than syntactic markers. Identifying these malicious actions and interpreting their final purpose is a complex reasoning process. This paper draws up a survey of the different reasoning techniques deployed among the behavioral detectors. These detectors have been classified according to a new taxonomy introduced inside the paper. Strongly inspired from the domain of program testing, this taxonomy divides the behavioral detectors into two main families: simulation-based and formal detectors. Inside these families, ramifications are then derived according to the data collection mechanisms, the data interpretation, the adopted model and its generation, and the decision support.

show abstract

A semantics-based approach to malware detection

Cited by 61 publications

References 18 publications

From the design of a generic metamorphic engine to a black-box classification of antivirus detection techniques

From the design of a generic metamorphic engine to a black-box classification of antivirus detection techniques

Code obfuscation techniques for metamorphic viruses

Behavioral detection of malware: from a survey towards an established taxonomy

Contact Info

Product

Resources

About