Semantics-aware malware detection

Christodorescu, Mihai; Jha, Somesh; Seshia, Sanjit A.; Song, Dawn; Bryant, Randal E.

doi:10.1109/sp.2005.20

Cited by 557 publications

(364 citation statements)

References 20 publications

Supporting

Mentioning

351

Contrasting

Unclassified

Order By: Relevance

“…Zero-day exploits also defy signature based static analysis since their signatures have not been yet encountered in the wild. This necessitates the use of dynamic detection techniques [9] that can detect the malicious behavior during execution, often based on the detection of anomalies, rather than signatures [4,16]. However, the complexity and difficulty of continuous dynamic monitoring have traditionally limited its use.…”

Section: Introductionmentioning

confidence: 99%

Ensemble Learning for Low-Level Hardware-Supported Malware Detection

Khasawneh

Özsoy

Donovick

et al. 2015

Research in Attacks, Intrusions, and Defenses

View full text Add to dashboard Cite

Abstract. Recent work demonstrated hardware-based online malware detection using only low-level features. This detector is envisioned as a first line of defense that prioritizes the application of more expensive and more accurate software detectors. Critical to such a framework is the detection performance of the hardware detector. In this paper, we explore the use of both specialized detectors and ensemble learning techniques to improve performance of the hardware detector. The proposed detectors reduce the false positive rate by more than half compared to a single detector, while increasing the detection rate. We also contribute approximate metrics to quantify the detection overhead, and show that the proposed detectors achieve more than 11x reduction in overhead compared to a software only detector (1.87x compared to prior work), while improving detection time. Finally, we characterize the hardware complexity by extending an open core and synthesizing it on an FPGA platform, showing that the overhead is minimal.

show abstract

Section: Introductionmentioning

confidence: 99%

Ensemble Learning for Low-Level Hardware-Supported Malware Detection

Khasawneh

Özsoy

Donovick

et al. 2015

Research in Attacks, Intrusions, and Defenses

View full text Add to dashboard Cite

show abstract

“…In this paper graph queries processing (graph query as a subgraph) was performed on a transactional graph database .That is because the database is used in different areas; for instance, in the case of -malware detection‖ [23,24,25] avoid damages to the system) after retrieval, the APIs of the malware's codes as -control flow graph‖ is extracted. Then, according to graph mining algorithms such as gspan [18] frequent subgraphs are mined and indexed [4,19,14].…”

Section: Experiments and Evaluationmentioning

confidence: 99%

A New Method for Graph Queries Processing without Index Reconstruction on Dynamic Graph Databases

Dinari¹

2017

IJMECS

View full text Add to dashboard Cite

Abstract-Graphs play notable role in daily life. For instance, they are used in variety fields such as social networks, malware detection, and biological networks. Graph data processing performed to extract useful information is known as graph mining. A critical field of graph mining is graph containment problem, in which all graphs containing the query are returned by a graph query q. Scanning the whole database (graph query as a subgraph) for a query is a time consuming process. To improve query performance, an inverted index is constructed on the graph database and then the query is performed based on the query. The problem in this process is that when a graph is added to or removed from a database, the inverted index must be reconstructed. The present study proposes a method in which index updating is not needed upon a change in the database. This feature enables simultaneous inverted index updating and querying. The assessment results showed optimum and satisfactory performance of the proposed method.

show abstract

“…While classical malware detection relied on searching executables for binary strings (signatures) of known viruses, more recent advanced techniques focus on detecting patterns of malicious behavior by means of static analysis and model checking [18,19]. In this application domain, independence of the analysis from symbol information and compiler idioms is imperative, since malicious code is especially likely to have its symbols removed or to even be specially protected from analysis.…”

Section: Related Workmentioning

confidence: 99%

An Abstract Interpretation-Based Framework for Control Flow Reconstruction from Binaries

Kinder

Zuleger

Veith

2008

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Due to indirect branch instructions, analyses on executables commonly suffer from the problem that a complete control flow graph of the program is not available. Data flow analysis has been proposed before to statically determine branch targets in many cases, yet a generic strategy without assumptions on compiler idioms or debug information is lacking. We have devised an abstract interpretation-based framework for generic low level programs with indirect jumps which safely combines a pluggable abstract domain with the notion of partial control flow graphs. Using our framework, we are able to show that the control flow reconstruction algorithm of our disassembly tool Jakstab produces the most precise overapproximation of the control flow graph with respect to the used abstract domain.

show abstract

Semantics-aware malware detection

Cited by 557 publications

References 20 publications

Ensemble Learning for Low-Level Hardware-Supported Malware Detection

Ensemble Learning for Low-Level Hardware-Supported Malware Detection

A New Method for Graph Queries Processing without Index Reconstruction on Dynamic Graph Databases

An Abstract Interpretation-Based Framework for Control Flow Reconstruction from Binaries

Contact Info

Product

Resources

About