Learning Malware Using Generalized Graph Kernels

Dam, Khanh Huu The; Touili, Tayssir

doi:10.1145/3230833.3230840

Cited by 8 publications

(3 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…POMMADE [13,14] is a malware detector based on LTL and CTL model-checking of pushdown systems. STAMAD [24][25][26] is a malware detector based on PDSs and machine learning. However, all these tools cannot handle self-modifying code.…”

Section: Related Workmentioning

confidence: 99%

SMODIC: A Model Checker for Self-modifying Code

Touili

2022

Proceedings of the 17th International Conference on Availability, Reliability and Security

Self Cite

View full text Add to dashboard Cite

In this paper, we present SMODIC, a model checker for selfmodifying binary codes. SMODIC uses Self Modifying Pushdown Systems (SM-PDS) to model self-modifying binary code. This allows to faithfully represent the program's stack as well as the self-modifying instructions of the program. SMODIC takes a selfmodifying binary code or a self modifying pushdown system as input. It can then perform reachability analysis and LTL/CTL modelchecking for these models. We successfully used SMODIC to modelcheck more than 900 self-modifying binary codes. In particular, we applied SMODIC for malware detection, since malwares usually use self-modifying instructions, and since malicious behaviors can be described by LTL or CTL formulas. In our experiments, SMODIC was able to detect 895 malwares and to prove that 200 benign programs were benign. SMODIC was also able to detect several malwares that well-known antiviruses such as Bit-Defender, Kinsoft, Avira, eScan, Kaspersky, Baidu, Avast, and Symantec failed to detect. SMODIC can be found in https://lipn.univ-paris13.fr/~touili/smodic CCS CONCEPTS• Theory of computation → Verification by model checking;• Security and privacy → Logic and verification.

show abstract

Section: Related Workmentioning

confidence: 99%

SMODIC: A Model Checker for Self-modifying Code

Touili

2022

Proceedings of the 17th International Conference on Availability, Reliability and Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…POMMADE [3,4] is a malware detector based on LTL and CTL modelchecking of PDSs. STAMAD [15,16,14] is a malware detector based on PDSs and machine learning. However, POMMADE and STAMAD cannot deal with self-modifying code.…”

Section: Related Work Model Checking and Static Analysis Approaches H...mentioning

confidence: 99%

LTL Model Checking of Self Modifying Code

Touili¹,

Ye²

2019

2019 24th International Conference on Engineering of Complex Computer Systems (ICECCS)

Self Cite

View full text Add to dashboard Cite

Self modifying code is code that can modify its own instructions during the execution of the program. It is extensively used by malware writers to obfuscate their malicious code. Thus, analysing self modifying code is nowadays a big challenge. In this paper, we consider the LTL model-checking problem of self modifying code. We model such programs using self-modifying pushdown systems (SM-PDS), an extension of pushdown systems that can modify its own set of transitions during execution. We reduce the LTL model-checking problem to the emptiness problem of self-modifying Büchi pushdown systems (SM-BPDS). We implemented our techniques in a tool that we successfully applied for the detection of several self-modifying malware. Our tool was also able to detect several malwares that well-known antiviruses such as Bit-Defender, Kinsoft, Avira, eScan, Kaspersky, Qihoo-360, Baidu, Avast, and Symantec failed to detect. arXiv:1909.12635v1 [cs.LO]

show abstract

“…In STAMAD, we use a variant of the random walk graph kernel that measures graph similarity as the number of common paths of increasing lengths [21]. More details about our learning approach can be found in [10,13].…”

Section: Learning Malicious Behaviorsmentioning

confidence: 99%

Stamad

Dam

Touili

2019

Proceedings of the 14th International Conference on Availability, Reliability and Security

Self Cite

View full text Add to dashboard Cite

One of the main challenges in malware detection is the discovery of malicious behaviors. This task requires a huge amount of engineering and manual study of the code. To avoid this tedious manual task, we propose in this paper a tool, called STAMAD, that, given a training set of known malwares and benign programs, (1) either automatically extracts malicious behaviors using Information Retrieval techniques, or (2) applies machine learning techniques to automatically learn malwares. Then, in both cases, STAMAD can classify a new given unseen program as malicious or benign.

show abstract

Learning Malware Using Generalized Graph Kernels

Cited by 8 publications

References 20 publications

SMODIC: A Model Checker for Self-modifying Code

SMODIC: A Model Checker for Self-modifying Code

LTL Model Checking of Self Modifying Code

Stamad

Contact Info

Product

Resources

About