Employing Program Semantics for Malware Detection

In recent years, malware has emerged as a critical security threat. In addition, malware authors continue to embed numerous anti-detection features to evade existing malware detection approaches. Against this advanced class of malicious programs, dynamic behavior-based malware detection approaches outperform traditional signature-based approaches by neutralizing the effects of obfuscation and morphing techniques. The majority of dynamic behavior detectors rely on system calls to model the infection and propagation dynamics of malware. However, these approaches do not account for an important anti-detection feature of modern malware, i.e., the system-call injection attack. This attack allows malicious binaries to inject irrelevant and independent system calls during program execution, thus modifying the execution sequences and defeating existing system-call-based detection. To address this problem, we propose an evasion-proof solution that is not vulnerable to system-call injection attacks. Our proposed approach characterizes program semantics using the asymptotic equipartition property (AEP), mainly applied in the information-theoretic domain. The AEP allows us to extract information-rich call sequences that are further quantified to detect malicious binaries. Furthermore, the proposed detection model is less vulnerable to call-injection attacks, as the discriminating components are not directly visible to malware authors. We run a thorough set of experiments to evaluate our solution and compare it with existing system-call-based malware detection techniques. The results demonstrate that the proposed solution is effective in identifying real malware instances.
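The abstract invokes the asymptotic equipartition property without spelling out what it means for a call trace. The following Python example, added here and not the paper's own code or method, illustrates the underlying idea on constructed data: fit a first-order Markov model (with additive smoothing) to a few benign system-call traces, estimate the entropy rate, and compute the per-transition sample entropy -(1/n) log2 P(trace) of an observed trace. The AEP says that traces typical of the modelled source have a sample entropy close to the entropy rate, so the typical-set test |sample entropy - entropy rate| <= eps gives a simple, threshold-based way to quantify how "information-rich" (surprising) a sequence is relative to a baseline. The Markov model, the smoothing, the eps threshold, the call names and every trace below are assumptions chosen for illustration; the paper's actual feature extraction and classifier are not described in the abstract and are not reproduced here.

```python
import math
from collections import Counter, defaultdict

UNK = "<unk>"  # stand-in for any call name not seen during training

# Constructed traces of a hypothetical benign program (one list of call names per run).
# These are invented for illustration, not data from the paper.
BENIGN_TRACES = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["open", "write", "close"],
]


def train_markov(traces, alpha=1.0):
    """Fit a first-order Markov model over call names with additive smoothing.

    Returns (alphabet, probs) where probs[a][b] = P(next call = b | current call = a).
    Smoothing keeps every transition strictly positive, so log-probabilities stay finite
    even for transitions (or calls) never observed in training.
    """
    alphabet = sorted({c for t in traces for c in t}) + [UNK]
    counts = defaultdict(Counter)
    for t in traces:
        for a, b in zip(t, t[1:]):
            counts[a][b] += 1
    k = len(alphabet)
    probs = {}
    for a in alphabet:
        total = sum(counts[a].values()) + alpha * k
        probs[a] = {b: (counts[a][b] + alpha) / total for b in alphabet}
    return alphabet, probs


def _canon(seq, alphabet):
    """Map calls outside the training alphabet to the UNK symbol."""
    known = set(alphabet)
    return [c if c in known else UNK for c in seq]


def sample_entropy(seq, alphabet, probs):
    """-(1/n) log2 P(transitions of seq) under the model (n = number of transitions).

    By the AEP this quantity concentrates around the entropy rate for sequences
    that are typical of the source the model was fitted to.
    """
    s = _canon(seq, alphabet)
    if len(s) < 2:
        raise ValueError("need at least two calls to score transitions")
    lp = sum(math.log2(probs[a][b]) for a, b in zip(s, s[1:]))
    return -lp / (len(s) - 1)


def entropy_rate(traces, alphabet, probs):
    """Empirical entropy rate: mean sample entropy of the training traces."""
    return sum(sample_entropy(t, alphabet, probs) for t in traces) / len(traces)


def is_typical(seq, alphabet, probs, h_rate, eps):
    """Typical-set membership test: |sample entropy - entropy rate| <= eps."""
    return abs(sample_entropy(seq, alphabet, probs) - h_rate) <= eps


def score_trace(seq, alphabet, probs, h_rate, eps=0.5):
    """Return a small report a detector could log for one observed trace."""
    h = sample_entropy(seq, alphabet, probs)
    return {
        "sample_entropy": round(h, 4),
        "entropy_rate": round(h_rate, 4),
        "typical": abs(h - h_rate) <= eps,
    }


if __name__ == "__main__":
    alphabet, probs = train_markov(BENIGN_TRACES)
    h_rate = entropy_rate(BENIGN_TRACES, alphabet, probs)
    # Constructed observations: a normal run, and a run containing calls never seen in training.
    normal = ["open", "read", "write", "close"]
    unusual = ["open", "mmap", "read", "socket", "close"]
    print("normal :", score_trace(normal, alphabet, probs, h_rate))
    print("unusual:", score_trace(unusual, alphabet, probs, h_rate))
```

On this toy baseline the entropy rate is about 1.51 bits per transition; the normal trace scores about 1.30 and passes the typicality test, while the trace with unseen calls scores about 2.78 and fails it. The threshold eps trades false positives against misses and would be tuned on held-out benign traces in practice; a first-order model is used only to keep the arithmetic checkable by hand.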
