A semantics-based approach to malware detection

Preda, Mila Dalla; Christodorescu, Mihai; Jha, Somesh; Debray, Saumya

doi:10.1145/1387673.1387674

Cited by 77 publications

(31 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…In [13] the authors use trace semantics to characterize the behaviours of both the malware and the potentially infected program, and use abstract interpretation to "hide" their irrelevant behaviours. A program is infected by a malware if their behaviours are indistinguishable up to a certain abstraction, which corresponds to some obfuscations.…”

Section: Related Work and Discussionmentioning

confidence: 99%

“…The key for identifying metamorphic malware lies, instead, in a deeper understanding of their semantics. Still a major drawback of existing semantics-based methods (e.g., see [13,19]) relies upon the a priori knowledge of the obfuscations used to implement the metamorphic engine. Because of this, it is always possible for any expert malware writer to develop alternative metamorphic strategies, even by simple modification of existing ones, able to foil any given detection scheme.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Modelling Metamorphism by Abstract Interpretation

Preda¹,

Giacobazzi²,

Debray³

et al. 2010

Static Analysis

Self Cite

View full text Add to dashboard Cite

Abstract. Metamorphic malware apply semantics-preserving transformations to their own code in order to foil detection systems based on signature matching. In this paper we consider the problem of automatically extract metamorphic signatures from these malware. We introduce a semantics for self-modifying code, later called phase semantics, and prove its correctness by showing that it is an abstract interpretation of the standard trace semantics. Phase semantics precisely models the metamorphic code behavior by providing a set of traces of programs which correspond to the possible evolutions of the metamorphic code during execution. We show that metamorphic signatures can be automatically extracted by abstract interpretation of the phase semantics, and that regular metamorphism can be modelled as finite state automata abstraction of the phase semantics.

show abstract

Section: Related Work and Discussionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Modelling Metamorphism by Abstract Interpretation

Preda¹,

Giacobazzi²,

Debray³

et al. 2010

Static Analysis

Self Cite

View full text Add to dashboard Cite

show abstract

“…Program transformation has been proposed for deobfuscating binary programs [5], by unpacking and removing superfluous jumps and junk, again with the aim of improving AV scanning. This suggest that partial evaluation also has a role in binary analysis, where the aim is to make malware detection more semantic [7].…”

Section: Related Workmentioning

confidence: 99%

Partial Evaluation for Java Malware Detection

Singh

King

2015

Logic-Based Program Synthesis and Transformation

View full text Add to dashboard Cite

Abstract. The fact that Java is platform independent gives hackers the opportunity to write exploits that can target users on any platform, which has a JVM implementation. To circumvent detection by anti virus (AV) software, obfuscation techniques are routinely applied to make an exploit more difficult to recognise. Popular obfuscation techniques for Java include string obfuscation and applying reflection to hide method calls; two techniques that can either be used together or independently. This paper shows how to apply partial evaluation to remove these obfuscations and thereby improve AV matching. The paper presents a partial evaluator for Jimple, which is a typed three-address code suitable for optimisation and program analysis, and also demonstrates how the residual Jimple code, when transformed back into Java, improves the detection rates of a number of commercial AV products.

show abstract

“…Christodorescu et al [30] present a dependency-graph based approach to mining the malicious behaviors present in a known malware that are not present in a set of benign programs, which can be used by malware detectors to detect malware variants. Also, Christodorescu et al [31] use a trace semantics to characterize the behaviors of malware as well as the program being checked for infection, and use abstract interpretation to "hide" irrelevant aspects of these behaviors for malware detection/classification. The motivation of our work is very similar to these works, but ours is specific to exploit code category analysis, and more importantly, we present a novel approach for attribution analysis which combines the semantic analysis with statistical analysis.…”

Section: Related Workmentioning

confidence: 99%

SA3: Automatic Semantic Aware Attribution Analysis of Remote Exploits

Kong

Tian

Liu

et al. 2012

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

Abstract. Web services have been greatly threatened by remote exploit code attacks, where maliciously crafted HTTP requests are used to inject binary code to compromise web servers and web applications. In practice, besides detection of such attacks, attack attribution analysis, i.e., to automatically categorize exploits or to determine whether an exploit is a variant of an attack from the past, is also very important. In this paper, we present SA 3 , an exploit code attribution analysis which combines semantic analysis and statistical analysis to automatically categorize a given exploit code. SA 3 extracts semantic features from an exploit code through data anomaly analysis, and then attributes the exploit to an appropriate class based on our statistical model derived from a Markov model. We evaluate SA 3 over a comprehensive set of shellcode collected from Metasploit and other polymorphic engines. Experimental results show that SA 3 is effective and efficient. The attribution analysis accuracy can be over 90% in different parameter settings with false positive rate no more than 4.5%. To our knowledge, SA 3 is the first work combining semantic analysis with statistical analysis for exploit code attribution analysis.

show abstract

A semantics-based approach to malware detection

Cited by 77 publications

References 22 publications

Modelling Metamorphism by Abstract Interpretation

Modelling Metamorphism by Abstract Interpretation

Partial Evaluation for Java Malware Detection

SA3: Automatic Semantic Aware Attribution Analysis of Remote Exploits

Contact Info

Product

Resources

About