Proactive Detection of Computer Worms Using Model Checking

Kinder, Johannes; Katzenbeisser, Stefan; Schallhart, Christian; Veith, Helmut

doi:10.1109/tdsc.2008.74

Cited by 40 publications

(21 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A number of techniques [12]- [16] have been presented for detecting polymorphic worms. Again, the technique used is highlighted, the worm characteristic leverage is indicated and the limitations of the technique are pointed out in the synthesis in Table 3.…”

Section: Polymorphic-signature Generation Schemesmentioning

confidence: 99%

A Tour of the Computer Worm Detection Space

Ochieng¹,

Mwangi²,

Ateya³

2014

IJCA

View full text Add to dashboard Cite

Computer worm detection has been a challenging and often elusive task. This is partly because of the difficulty of accurately modeling either the normal behavior of computer networks or the malicious actions of computer worms. This paper presents a literature review on the worm detection techniques, highlighting the worm characteristics leveraged for detection and the limitations of the various detection techniques. The paper broadly categorizes the worm detection approaches into content signature based detection, polymorphic worm detection, anomaly based detection, and behavioral signature based detection. The gap in the literature in the techniques is indicated and is the main contribution of the paper.

show abstract

Section: Polymorphic-signature Generation Schemesmentioning

confidence: 99%

A Tour of the Computer Worm Detection Space

Ochieng¹,

Mwangi²,

Ateya³

2014

IJCA

View full text Add to dashboard Cite

show abstract

“…To evaluate the precision of the analysis, we count the number of distinct possible arguments that the analysis can detect for the final external call to printf, before invariably widening the values (since the Fibonacci sequence grows to infinity, an exhaustive presentation of all values is impossible). This metric is representative for an application in malware detection, for example, where possible arguments to external system calls are evaluated against a malware specification [7]. In fact, most reverse engineering applications will have similar precision requirements, since at the very least they require a precise set of possible VPC values for each location.…”

Section: Obfuscation and Analysis Targetsmentioning

confidence: 99%

“…In earlier work, we have argued for applying static analysis to x86 binaries, both for verifying specifications of API contracts [5] and to detect malware [7]. Static analysis can aid reverse engineering by extracting data flow information (invariants) about the program behavior.…”

Section: Introductionmentioning

confidence: 99%

Towards Static Analysis of Virtualization-Obfuscated Binaries

Kinder

2012

2012 19th Working Conference on Reverse Engineering

Self Cite

View full text Add to dashboard Cite

Virtualization-obfuscation protects a program from manual or automated analysis by compiling it into bytecode for a randomized virtual architecture and attaching a corresponding interpreter. Static analysis appears to be helpless on such programs, where only the code of the interpreter is directly visible.In this paper, we explain the particular challenges for statically analyzing the combination of interpreter and bytecode. Static analysis for computing possible variable values is commonly precise only to the program location. In the interpreter loop, however, this combines unrelated data flow information from different locations of the bytecode program.To avoid this loss of information, we show how to lift an existing static analysis to an additional dimension of location, to become sensitive to the value of the virtual program counter. Thus, the static analysis merges data flow from equal bytecode locations only. We lift an existing analysis implemented in the JAKSTAB static analyzer and present preliminary results for processing a virtualization-obfuscated binary.

show abstract

“…Towards this aim, we propose in this paper to use modelchecking for virus detection. Model-checking has already been used for virus detection in [6,20,9,11,16,15,17]. However, these works model the program as a finite state graph (automaton).…”

Section: Introductionmentioning

confidence: 99%

“…CTPL was introduced in [16,15,17]. It can be seen as an extension of CTL with variables and quantifiers.…”

Section: Introductionmentioning

confidence: 99%