A Behavior Feature Generation Method for Obfuscated Malware Detection

Feature-based detection is the most popular way to prevent malware today. Current feature abstraction and matching methods are susceptible to obfuscation techniques and cannot keep up with the variants that emerge quickly. This paper proposes a malware feature extraction method based on malware behaviors. The method abstracts the critical behaviors of malware and the dependencies between them through dynamic analysis, and generates features that defeat malware obfuscation by accounting for semantic irrelevancy and semantic equivalency, which improves the descriptive power of the malware features. This paper also designs a corresponding detection method based on these features. The experimental results show that our method is more resilient to malware obfuscation techniques, especially for real-world malware variants.
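As an added illustration (not the paper's own implementation), the sketch below builds behavior-dependency features from a constructed API trace: calls are canonicalised for semantic equivalency, calls outside the critical set are dropped as semantically irrelevant, and the feature is the set of data-dependency edges between behaviors. The canonical classes, the trace format and the three traces are assumptions made for this example.

```python
# Semantic equivalency: API variants realising one behavior map to one canonical name (classes assumed here).
CANONICAL = {
    "CreateFileA": "file_open", "CreateFileW": "file_open", "NtCreateFile": "file_open",
    "WriteFile": "file_write", "NtWriteFile": "file_write",
    "RegOpenKeyExA": "reg_open", "RegOpenKeyExW": "reg_open",
    "RegSetValueExA": "reg_set", "NtSetValueKey": "reg_set",
}

def behavior_features(trace):
    """Return the (producer, consumer) dependency edges between critical behaviors.
    trace holds (api, args, ret) records from dynamic analysis; ret is the handle or
    value later calls consume (None if nothing flows onward). Calls outside CANONICAL
    are semantically irrelevant (junk, timing, API resolution) and are skipped, so they
    neither add nodes nor break a chain. Handle values never enter the feature, only
    which behavior produced them."""
    produced_by = {}  # handle/value -> canonical behavior that returned it
    edges = set()
    for api, args, ret in trace:
        beh = CANONICAL.get(api)
        if beh is None:
            continue
        edges.update((produced_by[a], beh) for a in args if a in produced_by)
        if ret is not None:
            produced_by[ret] = beh
    return frozenset(edges)

def matches(trace, signature):
    """Detection: the sample exhibits every dependency edge of the signature."""
    return signature <= behavior_features(trace)

RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
# Constructed trace of a dropper: write a file, then register it for autorun.
ORIGINAL = [
    ("CreateFileA", ("C:\\drop.exe",), "h1"),
    ("WriteFile", ("h1", b"MZ..."), None),
    ("RegOpenKeyExA", (RUN_KEY,), "k1"),
    ("RegSetValueExA", ("k1", "C:\\drop.exe"), None),
]
# Same behavior after API substitution, junk-call insertion and reordering of the
# two independent chains; the handle values differ too.
OBFUSCATED = [
    ("RegOpenKeyExW", (RUN_KEY,), "k9"),
    ("NtCreateFile", ("C:\\drop.exe",), "h7"),
    ("GetFileSize", ("h7",), 0),  # consumes a critical handle, still irrelevant
    ("NtSetValueKey", ("k9", "C:\\drop.exe"), None),
    ("NtWriteFile", ("h7", b"MZ..."), None),
]
# Benign editor: opens and writes a document, never touches the autorun key.
BENIGN = [("CreateFileW", ("C:\\notes.txt",), "h2"), ("WriteFile", ("h2", b"hi"), None)]
```

`behavior_features(ORIGINAL)` and `behavior_features(OBFUSCATED)` yield the same two edges, while the benign trace lacks the registry chain and does not match.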
