Abstraction by Term Rewriting for Malware Behavior Analysis - Extended Version

We propose a formal approach to the behavioral analysis of programs based on dynamic analysis. It works by abstracting execution traces with respect to given behavior patterns in order to produce a high-level representation of a program's behavior, and then by comparing this abstract form to signatures that define reference abstract malicious behaviors. Abstraction is performed by term rewriting using rules over terms with variables, which makes it possible to handle the data used by behavior functionalities. This technique allows us to deal with interleaved behaviors. Successfully applied to malware detection, it allows us in particular to model and detect information leaks.
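The following is an added toy illustration of the idea sketched above, not code from the paper or its authors: concrete trace events are terms, abstraction rules with shared variables rewrite groups of concrete events (possibly interleaved with unrelated ones) into abstract behavior terms, and a signature with a shared data variable is then matched against the abstract trace to flag an information leak. The event names, the two rules, the signature and both sample traces are constructed assumptions for this example and do not reproduce the paper's actual rule language.

```python
# Added illustration (not the paper's code): abstracting a constructed execution
# trace by term rewriting with variables, then matching an "information leak"
# signature against the abstract trace. All event names, rules and the sample
# traces are constructed assumptions for this example.
from typing import Dict, List, Optional, Tuple

Term = Tuple[str, ...]   # ("EventName", arg1, arg2, ...)
Env = Dict[str, str]     # variable bindings; variables are strings starting with "?"


def is_var(x: str) -> bool:
    return x.startswith("?")


def match(pattern: Term, term: Term, env: Env) -> Optional[Env]:
    """Match a pattern term against a ground term; return extended bindings or None."""
    if pattern[0] != term[0] or len(pattern) != len(term):
        return None
    env = dict(env)
    for p, t in zip(pattern[1:], term[1:]):
        if is_var(p):
            if p in env and env[p] != t:   # one variable must bind to one datum
                return None
            env[p] = t
        elif p != t:
            return None
    return env


def match_seq(patterns: List[Term], trace: List[Term], start: int, env: Env):
    """Match patterns in order as a (not necessarily contiguous) subsequence of
    trace[start:] with consistent bindings; return (env, matched indices) or None.
    Non-contiguity is what lets a behavior be recognised amid interleaved events."""
    if not patterns:
        return env, []
    for i in range(start, len(trace)):
        env2 = match(patterns[0], trace[i], env)
        if env2 is None:
            continue
        rest = match_seq(patterns[1:], trace, i + 1, env2)
        if rest is not None:
            return rest[0], [i] + rest[1]
    return None


def subst(term: Term, env: Env) -> Term:
    """Instantiate the variables of an abstract term with the bindings found."""
    return tuple(env.get(x, x) if is_var(x) else x for x in term)


def abstract_trace(trace: List[Term], rules) -> List[Term]:
    """Apply every rule (lhs pattern list -> rhs abstract term) wherever it matches
    and insert the instantiated abstract term after the rule's last concrete event.
    Concrete events are kept, so both levels of description coexist in one trace."""
    inserts: Dict[int, List[Term]] = {}
    for lhs, rhs in rules:
        for i in range(len(trace)):
            env = match(lhs[0], trace[i], {})
            if env is None:
                continue
            found = match_seq(lhs[1:], trace, i + 1, env)
            if found is None:
                continue
            env, idxs = found
            inserts.setdefault(([i] + idxs)[-1], []).append(subst(rhs, env))
    out: List[Term] = []
    for i, ev in enumerate(trace):
        out.append(ev)
        out.extend(inserts.get(i, []))
    return out


def detect(abstract: List[Term], signature: List[Term]) -> Optional[Env]:
    """Match a signature (patterns with shared variables) against the abstract trace."""
    found = match_seq(signature, abstract, 0, {})
    return None if found is None else found[0]


# Constructed abstraction rules: shared variables carry the data (file handle ?h,
# socket ?s, buffer ?d) through the rewriting step.
RULES = [
    ([("CreateFile", "?h", "?f"), ("ReadFile", "?h", "?d")],
     ("ReadFileAbs", "?f", "?d")),
    ([("socket", "?s"), ("connect", "?s", "?addr"), ("send", "?s", "?d")],
     ("NetSend", "?addr", "?d")),
]

# Constructed signature: data ?d read from a file is later sent over the network.
LEAK_SIGNATURE = [("ReadFileAbs", "?f", "?d"), ("NetSend", "?addr", "?d")]

# Constructed traces; file and socket operations are deliberately interleaved.
LEAK_TRACE = [
    ("CreateFile", "h1", "secret.txt"),
    ("socket", "s1"),
    ("ReadFile", "h1", "buf1"),
    ("connect", "s1", "203.0.113.5"),
    ("send", "s1", "buf1"),          # the buffer read from the file leaves the host
    ("CloseHandle", "h1"),
]
# Same interleaving, but the sent buffer is unrelated to the file read.
BENIGN_TRACE = [ev if ev[0] != "send" else ("send", "s1", "hello") for ev in LEAK_TRACE]


def detect_leak(trace: List[Term]) -> Optional[Env]:
    return detect(abstract_trace(trace, RULES), LEAK_SIGNATURE)


if __name__ == "__main__":
    for name, tr in (("leak", LEAK_TRACE), ("benign", BENIGN_TRACE)):
        print(name, detect_leak(tr))
```

The returned bindings are what make the abstract form useful to an analyst: on the leaking trace the match reports which file (`?f`), which buffer (`?d`) and which destination (`?addr`) were involved, while the benign trace, which performs the very same system calls in the same order, produces no match because the data variable cannot be bound consistently across the two abstract events.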
