Behavior Abstraction in Malware Analysis

We present an approach for proactive malware detection working by abstraction of program behaviors. Our technique consists of abstracting program traces by rewriting given subtraces into abstract symbols that represent their functionality. Traces are captured dynamically by code instrumentation, which allows us to handle packed or self-modifying malware. Suspicious behaviors are detected by comparing trace abstractions to reference malicious behaviors. The expressive power of abstraction allows us to handle general suspicious behaviors rather than specific malware code, and thus to detect malware mutations. We present and discuss an implementation validating our approach.
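The abstraction-then-comparison pipeline described above, as an added example in Python (not the paper's implementation): concrete API-call events are rewritten, with data-flow variables, into abstract symbols, and a reference behavior is then matched against the abstract trace, so noise calls interleaved by a mutated sample do not break detection. The rule set, reference behavior, traces and the RUN_KEY name are all constructed for this illustration.

```python
# Added example, not the paper's code: abstract a trace by rewriting subtraces into functional
# symbols, then detect a reference behavior on the abstract trace. All rules/traces are constructed.
def unify(pattern, args, env):
    """Match one call's arguments against a pattern; '?x' entries are variables bound in env."""
    if len(pattern) != len(args):
        return None
    env = dict(env)
    for p, a in zip(pattern, args):
        if p.startswith("?"):
            if env.setdefault(p, a) != a:  # variable already bound to a different value
                return None
        elif p != a:
            return None
    return env
def match_subtrace(pattern, trace, used):
    """Find the pattern's calls in order among unused events, gaps allowed (greedy first fit).
    Returns (bindings, matched indices) or None; the same matcher serves both levels."""
    env, picked, start = {}, [], 0
    for name, pargs in pattern:
        for i in range(start, len(trace)):
            if i not in used and trace[i][0] == name:
                new_env = unify(pargs, trace[i][1], env)
                if new_env is not None:
                    env, start = new_env, i + 1
                    picked.append(i)
                    break
        else:
            return None
    return env, picked
def abstract(trace, rules):
    """Rewrite each occurrence of a rule's subtrace into one abstract event (ordered by position)."""
    used, out = set(), []
    for symbol, pattern, result in rules:
        while (m := match_subtrace(pattern, trace, used)) is not None:
            env, picked = m
            used.update(picked)
            out.append((max(picked), (symbol, [env[v] for v in result])))
    return [event for _, event in sorted(out)]
def detect(abstract_trace, reference):
    """A reference behavior is a pattern over abstract events, so data flow is checked there too."""
    return match_subtrace(reference, abstract_trace, set()) is not None
# Constructed rules: concrete subtrace -> abstract symbol keeping the data flow. RUN_KEY is a placeholder.
RULES = [("SELF_COPY", [("GetModuleFileName", ["?self"]), ("CopyFile", ["?self", "?dst"])], ["?dst"]),
         ("PERSIST", [("RegSetValue", ["RUN_KEY", "?path"])], ["?path"])]
REFERENCE = [("SELF_COPY", ["?f"]), ("PERSIST", ["?f"])]  # copies itself, then autostarts the copy
TRACE = [("GetModuleFileName", ["C:\\s.exe"]), ("Sleep", ["100"]),             # constructed trace
         ("CopyFile", ["C:\\s.exe", "C:\\w\\svc.exe"]), ("GetTickCount", []),  # with noise calls
         ("RegSetValue", ["RUN_KEY", "C:\\w\\svc.exe"])]
BENIGN = [("GetModuleFileName", ["C:\\app.exe"]), ("RegSetValue", ["RUN_KEY", "C:\\app.exe"])]
```

`detect(abstract(TRACE, RULES), REFERENCE)` is true while the BENIGN trace, which only registers itself without copying, is not flagged; changing the copied path so it no longer flows into the registry value also defeats the reference match.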
