Automatic Intelligent Analysis of Malware Behaviour

In this paper, we describe the use of formal methods to model malware behaviour. The modelling of harmful behaviour rests upon syntactic structures that represent the malicious procedures inside malware. Malicious activities are modelled by a formal grammar in which the components of API calls are the terminals, and the sets of API calls used in combination to achieve a goal are designated non-terminals. Combining different non-terminals in various ways and tiers makes up the attack vectors used by harmful software. From these syntactic structures a parser can be generated which takes execution traces as input for pattern recognition.

Keywords—Malware behaviour, modelling, parsing, search, pattern matching.
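As an added illustration (not code from the paper), the following Python sketch models the scheme described above: a grammar whose terminals are API-call names and whose non-terminals are tiered behaviours, plus a matcher that reads a sandbox-style execution trace and reports which non-terminals it derives. The grammar, behaviour names and trace are all constructed assumptions for the example.

```python
from typing import Dict, List, Optional
# Constructed behaviour grammar (names are assumptions, not from the paper):
# terminals are API-call names, each production is an ordered sequence of
# symbols, and non-terminals of one tier are reused as symbols in the next.
GRAMMAR: Dict[str, List[List[str]]] = {
    "ReadOwnImage": [["GetModuleFileNameA", "CreateFileA", "ReadFile"]],
    "DropFile": [["CreateFileA", "WriteFile", "CloseHandle"]],
    "Persist": [["RegOpenKeyExA", "RegSetValueExA"],
                ["CreateServiceA", "StartServiceA"]],
    "SelfReplicate": [["ReadOwnImage", "DropFile"]],
    "InstallAndPersist": [["SelfReplicate", "Persist"]],
}

# Constructed execution trace, one API call per line as a sandbox would log it.
SAMPLE_TRACE = """
GetModuleFileNameA(NULL, path, 260)
CreateFileA("C:\\sample.exe", GENERIC_READ)
ReadFile(hSelf, image, 65536)
CloseHandle(hSelf)
CreateFileA("C:\\Users\\Public\\svc.exe", GENERIC_WRITE)
WriteFile(hCopy, image, 65536)
CloseHandle(hCopy)
RegOpenKeyExA(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Run")
RegSetValueExA(hKey, "svc", REG_SZ, "C:\\Users\\Public\\svc.exe")
"""

def tokenize(trace: str) -> List[str]:
    """Reduce each line 'ApiName(args)' to its terminal symbol, the API name."""
    return [ln.split("(", 1)[0].strip() for ln in trace.splitlines() if ln.strip()]

def match(symbol: str, tokens: List[str], pos: int) -> Optional[int]:
    """Earliest index just past a derivation of `symbol` starting at or after
    `pos`, or None. Unrelated calls may sit between a production's symbols, so
    this is ordered-subsequence matching, for which the earliest end is optimal."""
    if symbol not in GRAMMAR:  # terminal: next occurrence of the API name
        return next((i + 1 for i in range(pos, len(tokens)) if tokens[i] == symbol), None)
    ends = []
    for production in GRAMMAR[symbol]:  # try every alternative of the non-terminal
        cur = pos
        for sub in production:
            cur = match(sub, tokens, cur)
            if cur is None:
                break
        if cur is not None:
            ends.append(cur)
    return min(ends) if ends else None

def recognise(trace: str) -> List[str]:  # every behaviour the trace derives
    tokens = tokenize(trace)
    return [nt for nt in GRAMMAR if match(nt, tokens, 0) is not None]
```

Because gaps are permitted, a lone `CreateFileA`/`WriteFile`/`CloseHandle` sequence derives only `DropFile`; the higher tiers need the lower ones in order, which is what keeps benign file writes from matching the self-replication pattern.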
