Abstract: This research aimed to develop a theoretical framework for predicting the adversary's next obfuscation (or deobfuscation) move, with the intent of making cyber defense proactive. The goal was to understand the relationship between the obfuscation and deobfuscation techniques employed in malware offense and defense. The strategy was to build upon the previous work of Giacobazzi and Dalla Preda on modeling obfuscation and deobfuscation as abstract interpretations, and to further that effort by developing an analytical model of the best obfuscation with respect to a given deobfuscator. In addition, this research aimed to develop cost models for obfuscation and deobfuscation. The key findings of this research include: a theoretical model for computing the best obfuscation against a deobfuscator, a method for context-sensitive analysis of obfuscated code, a method for learning the obfuscation transformations used by a metamorphic engine, several insights into the use of machine learning in deobfuscation, and game-theoretic models of certain offense-defense scenarios in software protection.