Attackers obfuscate malware into many different variants, which makes detection based on syntactic features ineffective. The state-of-the-art behavioral signature, the behavior graph, is effective but unfortunately too complicated to extract from malware samples. In addition, malware detection using behavior graphs is NP-Complete, so it is too slow to be used in real-time detectors. This paper proposes ResSig, an obfuscation-resistant malware behavioral signature that is simpler than the behavior graph yet comparably effective, and that focuses on the resources malware operates on. A ResSig describes the behaviors performed on a single resource and the constraints between different resources. Extracting a ResSig avoids cumbersome information-flow tracking technology and scales to the exponentially growing number of malware samples. Our experimental results show that ResSig is scalable and efficient, and can detect new malware samples effectively.
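To make the resource-centric idea concrete, here is an added illustrative matcher (not the paper's ResSig format or code): a signature is a set of resource roles, each with an ordered operation pattern, plus constraints across roles, and it is matched against a constructed system-call trace grouped by resource rather than by data flow. The trace, the operation names and the dropper signature are all hypothetical.

```python
# Constructed sample trace, as a behaviour monitor might log it: (pid, op, resource).
TRACE = [
    ("1", "create", "file:C:\\Temp\\svc.exe"),
    ("1", "write", "file:C:\\Temp\\svc.exe"),
    ("1", "set", "reg:HKCU\\Run\\svc"),
    ("1", "connect", "net:203.0.113.5:80"),
    ("2", "create", "file:C:\\Temp\\notes.txt"),
    ("2", "write", "file:C:\\Temp\\notes.txt"),
]
def group_by_resource(trace):
    """Per-(pid, resource) behaviour: ordered op list plus index of the first
    event. Resource identity is all that is kept; no data flow is tracked."""
    groups = {}
    for idx, (pid, op, res) in enumerate(trace):
        groups.setdefault((pid, res), {"pid": pid, "res": res, "ops": [], "first": idx})
        groups[(pid, res)]["ops"].append(op)
    return list(groups.values())
def is_subsequence(needle, hay):
    """True if the ops in needle occur in hay in order; junk ops in between are ignored."""
    it = iter(hay)
    return all(op in it for op in needle)
def match_ressig(sig, trace):
    """Bind every signature role to a resource whose behaviour matches the role's
    op pattern, then check the cross-resource constraints. Returns binding or None."""
    groups, roles = group_by_resource(trace), list(sig["roles"].items())
    def search(i, binding):
        if i == len(roles):
            return binding if all(c(binding) for c in sig["constraints"]) else None
        name, spec = roles[i]
        for g in groups:
            if g["res"].startswith(spec["type"] + ":") and is_subsequence(spec["ops"], g["ops"]):
                found = search(i + 1, {**binding, name: g})
                if found is not None:
                    return found
        return None
    return search(0, {})
# Hypothetical dropper signature: drop a file, register it for persistence, then
# contact the network, all from the same process and in that order.
DROPPER_SIG = {
    "roles": {
        "dropped": {"type": "file", "ops": ["create", "write"]},
        "persist": {"type": "reg", "ops": ["set"]},
        "c2": {"type": "net", "ops": ["connect"]},
    },
    "constraints": [
        lambda b: b["dropped"]["pid"] == b["persist"]["pid"] == b["c2"]["pid"],
        lambda b: b["dropped"]["first"] < b["persist"]["first"] < b["c2"]["first"],
    ],
}
```

Because roles bind to whatever resource exhibits the behaviour, renaming the dropped file or interleaving junk operations does not break the match, while a benign process that only creates and writes a file never satisfies the cross-resource constraints.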