HERO: A novel malware detection framework based on binary translation

Malware has become one of the most serious threats to computer information systems. In this paper we describe HERO (Hybrid security extension of binary translation), a framework that exploits static and dynamic binary translation to detect a broad spectrum of malware and prevent its execution. Because it operates directly on binary code, without assuming that source code is available, HERO lifts low-level binary code to a higher-level representation from which a static binary-translation-based analyzer recovers the CFG (Control Flow Graph) and other high-level control structures. A Critical API Graph is then derived from the CFG and matched, as a subgraph, against predefined Malware Behavior Templates. If static analysis cannot complete the CFG because the malware uses code obfuscation, HERO's dynamic binary-translation-based analyzer takes over and analyzes the remaining code at run time. Compared with other detection approaches, HERO is found to perform well in both detection capability and false-alarm rate.
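The following is an added example that is not code from the HERO paper: it shows the static half of the pipeline the abstract describes, namely collapsing a recovered CFG to a Critical API Graph, matching a behavior template against it as a labeled subgraph, and flagging blocks whose control flow could not be resolved so that a dynamic analyzer could take over. The CFG, the critical-API list, the Win32 API names and the "self-install" template are all constructed here for illustration; the paper does not publish its templates.

```python
"""Critical API Graph + template subgraph matching (illustrative, not HERO's code).

A CFG is given as block -> (calls in order, successor blocks). A None successor
stands for an indirect jump that static lifting could not resolve (e.g. obfuscated
code); such blocks are reported so that a dynamic analyzer can finish the job.
"""
from collections import deque

# Constructed sample CFG of a hypothetical dropper (assumption, not from the paper).
CFG = {
    "entry": ([], ["b1"]),
    "b1": (["GetModuleFileNameA", "lstrcatA"], ["b2"]),
    "b2": (["CopyFileA"], ["b3", "b4"]),
    "b3": (["RegOpenKeyExA", "RegSetValueExA"], ["b5"]),
    "b4": (["MessageBoxA"], ["b5", None]),     # unresolved indirect target
    "b5": (["ExitProcess"], []),
}

# Constructed benign CFG used for contrast.
BENIGN_CFG = {
    "entry": (["GetModuleFileNameA"], ["b1"]),
    "b1": (["MessageBoxA", "ExitProcess"], []),
}

# APIs treated as security-relevant (assumption; a real list would be larger).
CRITICAL_APIS = {"GetModuleFileNameA", "CopyFileA", "RegOpenKeyExA",
                 "RegSetValueExA", "CreateProcessA", "WriteFile", "URLDownloadToFileA"}

# Constructed behavior template: copy self to disk, then persist via a registry key.
SELF_INSTALL_TEMPLATE = {
    "labels": ["GetModuleFileNameA", "CopyFileA", "RegOpenKeyExA", "RegSetValueExA"],
    "edges": [(0, 1), (1, 2), (2, 3)],
}


def critical_api_graph(cfg, critical):
    """Collapse a CFG to a graph of critical-API call sites.

    Node = (block, index). Edge A -> B iff B is the next critical call on some CFG
    path from A (non-critical calls and blocks are skipped). Returns
    (labels, edges, needs_dynamic) where needs_dynamic holds blocks with an
    unresolved successor.
    """
    labels, sites = {}, {}
    for blk, (calls, _) in cfg.items():
        sites[blk] = [(blk, i) for i, api in enumerate(calls) if api in critical]
        for node in sites[blk]:
            labels[node] = calls[node[1]]
    edges = {n: set() for n in labels}
    needs_dynamic = set()

    def first_sites_from(succs):
        # BFS: each path stops at the first block that contains a critical call.
        found, seen, queue = set(), set(), deque(succs)
        while queue:
            blk = queue.popleft()
            if blk is None or blk in seen:
                continue
            seen.add(blk)
            if sites[blk]:
                found.add(sites[blk][0])
            else:
                queue.extend(cfg[blk][1])
        return found

    for blk, (_, succs) in cfg.items():
        if None in succs:
            needs_dynamic.add(blk)
        nodes = sites[blk]
        for a, b in zip(nodes, nodes[1:]):   # intra-block order
            edges[a].add(b)
        if nodes:                             # inter-block reachability
            edges[nodes[-1]] |= first_sites_from(succs)
    return labels, edges, needs_dynamic


def match_template(labels, edges, template):
    """Backtracking labeled-subgraph match.

    Maps every template node to a distinct graph node carrying the same API name
    such that every template edge is an edge of the API graph. Returns the
    mapping {template index: graph node} or None if no embedding exists.
    """
    tl, te = template["labels"], template["edges"]
    mapping = {}

    def consistent(i, node):
        if node in mapping.values():
            return False
        for u, v in te:
            if u == i and v in mapping and mapping[v] not in edges[node]:
                return False
            if v == i and u in mapping and node not in edges[mapping[u]]:
                return False
        return True

    def extend(i):
        if i == len(tl):
            return True
        for node, api in labels.items():
            if api == tl[i] and consistent(i, node):
                mapping[i] = node
                if extend(i + 1):
                    return True
                del mapping[i]
        return False

    return dict(mapping) if extend(0) else None


def analyze(cfg, template=SELF_INSTALL_TEMPLATE):
    """Static verdict: template hit -> malicious; unresolved flow -> escalate."""
    labels, edges, dyn = critical_api_graph(cfg, CRITICAL_APIS)
    match = match_template(labels, edges, template)
    if match:
        verdict = "malicious"
    elif dyn:
        verdict = "escalate-to-dynamic"
    else:
        verdict = "benign"
    return {"verdict": verdict, "match": match, "needs_dynamic": sorted(dyn)}


if __name__ == "__main__":
    print(analyze(CFG))
    print(analyze(BENIGN_CFG))
```

The matcher is plain backtracking, which is adequate for templates of a handful of nodes; the expensive part in practice is recovering the CFG itself, which is exactly where the abstract says obfuscation forces the fallback to dynamic translation. Note that a template hit in the static graph is reported even when some blocks remain unresolved, whereas an unresolved block with no hit only yields "escalate-to-dynamic" rather than "benign".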
