Static Analysis of Executables to Detect Malicious Patterns

Christodorescu, Mihai; Jha, Somesh

doi:10.21236/ada449067

Cited by 338 publications

(289 citation statements)

References 38 publications

Supporting

Mentioning

288

Contrasting

Unclassified

Order By: Relevance

“…Traditional static analysis approaches such as [38], [46], which focus on comparing programs with known malware based on the program code, looking for signatures using other heuristics. Other approaches [47], [48], [49] focus on using machine learning and data mining approaches for malware detection.…”

Section: Detection Approachesmentioning

confidence: 99%

Android Mobile Platform Security and Malware Survey

.¹

2013

IJRET

View full text Add to dashboard Cite

show abstract

Section: Detection Approachesmentioning

confidence: 99%

Android Mobile Platform Security and Malware Survey

.¹

2013

IJRET

View full text Add to dashboard Cite

show abstract

“…Christodorescu et al reported that even basic obfuscation techniques [11] can cause anti-virus scanners to miss malicious code. They go on to describe a technique to counter these code transformation using general representations of commonly occurring virus patterns.…”

Section: Related Workmentioning

confidence: 99%

“…Origins of a vulnerability can be traced back to bugs in software, which programming language security approaches attempt to detect automatically. [37,10]. However, due to technical difficulties involved in static analysis of programs [25,32], not all bugs can be found and eliminated.…”

Section: Introductionmentioning

confidence: 99%

A Fast Static Analysis Approach to Detect Exploit Code Inside Network Flows

Chinchani

Berg²

2006

Lecture Notes in Computer Science

103

View full text Add to dashboard Cite

Abstract.A common way by which attackers gain control of hosts is through remote exploits. A new dimension to the problem is added by worms which use exploit code to self-propagate, and are becoming a commonplace occurrence. Defense mechanisms exist but popular ones are signature-based techniques which use known byte patterns, and they can be thwarted using polymorphism, metamorphism and other obfuscations. In this paper, we argue that exploit code is characterized by more than just a byte pattern because, in addition, there is a definite control and data flow. We propose a fast static analysis based approach which is essentially a litmus test and operates by making a distinction between data, programs and program-like exploit code. We have implemented a prototype called styx and evaluated it against real data collected at our organizational network. Results show that it is able to detect a variety of exploit code and can also generate very specific signatures. Moreover, it shows initial promise against polymorphism and metamorphism.

show abstract

“…Thus, robust NID systems should handle rule updates (including additions) without taking them off-line. Signature/pattern matching is also relevant to virus detection based on the presence of specific command sequences in a program [21]; new signatures are added almost daily. The majority of deep packet inspection systems that try to identify malicious signatures employ pattern matching software running on general-purpose processors.…”

Section: Introductionmentioning

confidence: 99%

Novel FPGA-Based Signature Matching for Deep Packet Inspection

Guinde

Ziavras

2010

Information Security Theory and Practices. Security and Privacy of Pervasive Systems and Smart Devices

View full text Add to dashboard Cite

Abstract. Deep packet inspection forms the backbone of any Network Intrusion Detection (NID) system. It involves matching known malicious patterns against the incoming traffic payload. Pattern matching in software is prohibitively slow in comparison to current network speeds. Thus, only FPGA (Field-Programmable Gate Array) or ASIC (ApplicationSpecific Integrated Circuit) solutions could be efficient for this problem. Our FPGA-based solution performs high-speed matching while permitting pattern updates without resource reconfiguration. An off-line optimization method first finds sub-pattern similarities across all the patterns in the SNORT database of signatures [17]. A novel technique then compresses each pattern into a bit vector where each bit represents such a sub-pattern. Our approach reduces drastically the required on-chip storage as well as the complexity of matching, utilizing just 0.05 logic cells for processing and 17.74 bits for storage per character in the current SNORT database of 6456 patterns.

show abstract

Static Analysis of Executables to Detect Malicious Patterns

Cited by 338 publications

References 38 publications

Android Mobile Platform Security and Malware Survey

Android Mobile Platform Security and Malware Survey

A Fast Static Analysis Approach to Detect Exploit Code Inside Network Flows

Novel FPGA-Based Signature Matching for Deep Packet Inspection

Contact Info

Product

Resources

About