Precise Extraction of Malicious Behaviors

Dam, Khanh Huu The; Touili, Tayssir

doi:10.1109/compsac.2018.00036

Cited by 7 publications

(7 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…STAMAD implements the techniques described in [11,12]: Given a set of extended API call graphs that correspond to malwares and a set of extended API call graphs corresponding to benign programs, we want to extract in a completely automatic way a malicious extended API graph that corresponds to the malicious behaviors of the malwares. This malicious extended API graph should represent the parts of the extended API call graphs of the malwares that correspond to the malicious behaviors.…”

Section: Extraction Of Malicious Behaviorsmentioning

confidence: 99%

“…One of the most popular techniques that was shown to be very efficient in the IR community is the TFIDF scheme that computes the relevance of each item in the collection using the TFIDF weight that is computed from the occurrences of terms in a document and their appearances in other documents. We showed in [11,12] how to adapt this technique that was mainly applied for text and image retrieval for malicious extended API graph extraction. For that, we associate to each node and each edge in the extended API call graphs of the programs of the collection a weight.…”

Section: Extraction Of Malicious Behaviorsmentioning

confidence: 99%

“…Then, the malicious extended API call graph is computed by considering the nodes and edges which are highly relevant (have a high relevance) for the set M of malwares and not highly relevant (have a low relevance) for the set B of benwares . More details about our approach can be found in [11,12].…”

Section: Extraction Of Malicious Behaviorsmentioning

confidence: 99%

“…Indeed, PDSs allow to keep track of the program's stack, and thus, of API function arguments since in assembly, parameter passing is done via the stack. The algorithm that we use to derive a PDS from a binary code is described in [11]. Then, we apply on this PDS the static analysis saturation procedure of [11] that allows to derive the relations between the API function's parameters, and hence, to compute the extended API call graph as described in [11].…”

Section: Stamad Descriptionmentioning

confidence: 99%

“…After applying the Extended API Call Graph Module, to extract their corresponding extended API call graphs, these graphs are fed to the Malicious Graph Computation component to compute the malicious extended API graph. This component implements the TFIDF weighting term scheme to compute the malicious behaviors as described in [11,12]. It outputs a malicious API graph representing the malicious behaviors.…”

Section: Stamad Descriptionmentioning

confidence: 99%

See 4 more Smart Citations

Stamad

Dam

Touili

2019

Proceedings of the 14th International Conference on Availability, Reliability and Security

Self Cite

View full text Add to dashboard Cite

One of the main challenges in malware detection is the discovery of malicious behaviors. This task requires a huge amount of engineering and manual study of the code. To avoid this tedious manual task, we propose in this paper a tool, called STAMAD, that, given a training set of known malwares and benign programs, (1) either automatically extracts malicious behaviors using Information Retrieval techniques, or (2) applies machine learning techniques to automatically learn malwares. Then, in both cases, STAMAD can classify a new given unseen program as malicious or benign.

show abstract

Section: Extraction Of Malicious Behaviorsmentioning

confidence: 99%

Section: Extraction Of Malicious Behaviorsmentioning

confidence: 99%

Section: Extraction Of Malicious Behaviorsmentioning

confidence: 99%

Section: Stamad Descriptionmentioning

confidence: 99%

Section: Stamad Descriptionmentioning

confidence: 99%

See 3 more Smart Citations

Stamad

Dam

Touili

2019

Proceedings of the 14th International Conference on Availability, Reliability and Security

Self Cite

View full text Add to dashboard Cite

show abstract

LTL model checking of self modifying code

Touili

2022

Form Methods Syst Des

View full text Add to dashboard Cite

LTL Model Checking of Self Modifying Code

Touili¹,

Ye²

2019

2019 24th International Conference on Engineering of Complex Computer Systems (ICECCS)

Self Cite

View full text Add to dashboard Cite

Self modifying code is code that can modify its own instructions during the execution of the program. It is extensively used by malware writers to obfuscate their malicious code. Thus, analysing self modifying code is nowadays a big challenge. In this paper, we consider the LTL model-checking problem of self modifying code. We model such programs using self-modifying pushdown systems (SM-PDS), an extension of pushdown systems that can modify its own set of transitions during execution. We reduce the LTL model-checking problem to the emptiness problem of self-modifying Büchi pushdown systems (SM-BPDS). We implemented our techniques in a tool that we successfully applied for the detection of several self-modifying malware. Our tool was also able to detect several malwares that well-known antiviruses such as Bit-Defender, Kinsoft, Avira, eScan, Kaspersky, Qihoo-360, Baidu, Avast, and Symantec failed to detect. arXiv:1909.12635v1 [cs.LO]

show abstract

Precise Extraction of Malicious Behaviors

Cited by 7 publications

References 7 publications

Stamad

Stamad

LTL model checking of self modifying code

LTL Model Checking of Self Modifying Code

Contact Info

Product

Resources

About