Evaluating model checking for cyber threats code obfuscation identification

Abstract. Code obfuscation is a set of transformations that make a program's code harder to understand. Its goal is to make reverse engineering of a program infeasible while preserving the program's logic. Originally, obfuscation was used to protect intellectual property. More recently, however, it has also been used by malware writers to help cyber threats evade anti-malware scanners. In fact, metamorphic and polymorphic viruses are able to obfuscate their own code as they propagate. In this paper we propose a model checking-based approach that is able to identify the most widespread obfuscating techniques without making any assumptions about the nature of the obfuscations used. We evaluate the proposed method on a real-world dataset, obtaining an accuracy of 0.9 in the identification of obfuscation techniques.
