DOI: 10.1007/978-3-540-70500-0_25
Article

Signature Generation and Detection of Malware Families

Published: 07 July 2008

Abstract

Malware detection and prevention is critical for the protection of computing systems across the Internet. The difficulty in detecting malware is that it evolves over time, so traditional signature-based detectors fail to recognize obfuscated and previously unseen malware executables. However, as malware evolves, some semantics of the original malware are preserved, because those semantics are necessary for the malware to remain effective. Using this observation, we present a novel method for detecting malware that exploits the correlation between the semantics of the malware and its API calls. We construct a base signature for an entire malware class rather than for a single specimen. Such a signature is capable of detecting even unknown and advanced variants that belong to that class. We demonstrate our approach on some well-known malware classes and show that any advanced variant of the class is detected from the base signature.
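The abstract gives the idea (a class-level signature built from the API-call behaviour that every variant must keep) but not the algorithm. The following is an added illustration written for this page, not the paper's code and not a reconstruction of its published method. It assumes a sample is represented by the ordered list of Win32 API names it calls, uses a hand-built map from API names to semantic classes (so ANSI/Wide and Winsock-equivalent calls collapse to the same behaviour), derives the base signature as the ordered behaviour common to all known specimens, and matches an unknown sample when that signature survives as a subsequence of its trace. Every trace, API map entry and family below is constructed for the demo.

```python
"""Family-level API-call signature: an added, illustrative example.

Not the paper's code; the abstract does not give its algorithm. Assumptions:
a sample is the ordered list of Win32 API names it calls, the API-to-class map
is hand-built, and all traces below are constructed (no real malware data).
"""
from typing import Dict, List, Sequence

# Constructed map from API names to the behaviour they implement. Variants swap
# ANSI/Wide or Winsock-equivalent calls; the behaviour is what survives.
API_CLASSES: Dict[str, str] = {
    "FindFirstFileA": "enum_files", "FindFirstFileW": "enum_files",
    "FindNextFileA": "enum_files", "FindNextFileW": "enum_files",
    "CreateFileA": "open_file", "CreateFileW": "open_file",
    "ReadFile": "read_file",
    "RegSetValueExA": "set_registry", "RegSetValueExW": "set_registry",
    "socket": "net_socket", "WSASocketA": "net_socket", "WSASocketW": "net_socket",
    "connect": "net_connect", "WSAConnect": "net_connect",
    "send": "net_send", "WSASend": "net_send",
}

def normalize(trace: Sequence[str]) -> List[str]:
    """Map raw API names onto semantic classes (unknown APIs keep their name)
    and collapse consecutive repeats of the same class."""
    out: List[str] = []
    for api in trace:
        cls = API_CLASSES.get(api, api)
        if not out or out[-1] != cls:
            out.append(cls)
    return out

def lcs(a: Sequence[str], b: Sequence[str]) -> List[str]:
    """Longest common subsequence of two sequences (order kept, gaps allowed)."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]  # dp[i][j]: LCS length of a[i:], b[j:]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            if a[i] == b[j]:
                dp[i][j] = dp[i + 1][j + 1] + 1
            else:
                dp[i][j] = max(dp[i + 1][j], dp[i][j + 1])
    res: List[str] = []
    i = j = 0
    while i < n and j < m:          # walk the table to recover one LCS
        if a[i] == b[j]:
            res.append(a[i])
            i += 1
            j += 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return res

def base_signature(variants: Sequence[Sequence[str]]) -> List[str]:
    """Ordered semantic classes shared by every known variant of the family.
    Iterated pairwise LCS is a heuristic for the multi-sequence problem but
    is adequate for a handful of specimens."""
    sig = normalize(variants[0])
    for v in variants[1:]:
        sig = lcs(sig, normalize(v))
    return sig

def matches(signature: Sequence[str], trace: Sequence[str]) -> bool:
    """True if the signature occurs as a subsequence of the normalized trace,
    so junk calls an obfuscator inserts between the real ones do not defeat it."""
    it = iter(normalize(trace))
    return all(any(cls == s for cls in it) for s in signature)

# Constructed traces of three known specimens of one fictional worm family:
# enumerate files, read them, open a socket, send, then persist via registry.
FAMILY_VARIANTS = [
    ["GetModuleHandleA", "FindFirstFileA", "CreateFileA", "ReadFile", "FindNextFileA",
     "socket", "connect", "send", "RegSetValueExA"],
    ["GetTickCount", "FindFirstFileW", "CreateFileW", "ReadFile", "Sleep", "FindNextFileW",
     "WSASocketW", "WSAConnect", "WSASend", "RegSetValueExW"],
    ["FindFirstFileA", "CreateFileA", "ReadFile", "FindNextFileA", "GetTickCount",
     "socket", "connect", "send", "RegSetValueExA", "ExitProcess"],
]

# Constructed previously unseen variant: Wide/Winsock APIs plus inserted junk calls.
UNKNOWN_VARIANT = ["LoadLibraryA", "GetProcAddress", "FindFirstFileW", "Sleep", "CreateFileW",
                   "GetTickCount", "ReadFile", "FindNextFileW", "Sleep", "WSASocketA", "Sleep",
                   "WSAConnect", "WSASend", "Sleep", "RegSetValueExW"]

# Constructed benign programs that share part of the behaviour but not the whole chain.
BENIGN_INDEXER = ["FindFirstFileW", "CreateFileW", "ReadFile", "FindNextFileW", "RegSetValueExW"]
BENIGN_CLIENT = ["socket", "connect", "send", "RegSetValueExA"]

if __name__ == "__main__":
    sig = base_signature(FAMILY_VARIANTS)
    print("base signature:", sig)
    for name, trace in [("unknown variant", UNKNOWN_VARIANT),
                        ("benign indexer", BENIGN_INDEXER),
                        ("benign client", BENIGN_CLIENT)]:
        print(f"{name}: {'DETECTED' if matches(sig, trace) else 'clean'}")
```

The subsequence match is deliberately tolerant of inserted calls, which is what makes the signature survive obfuscation; the price is that the signature must be long and specific enough that ordinary software does not exercise the same behaviour chain in the same order (a backup tool that enumerates files and uploads them would trip this toy signature). Tuning that trade-off, and choosing which semantics count as essential to a family, is the hard part that the paper addresses and this sketch does not.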


Published In

Guide Proceedings
ACISP '08: Proceedings of the 13th Australasian conference on Information Security and Privacy
July 2008
477 pages
ISBN:9783540699712

Publisher

Springer-Verlag, Berlin, Heidelberg

Author Tags

  1. Malware Detection
  2. Signature Generation
  3. Static Analysis


Citations

Cited By

  • (2024) A Comprehensive Analysis of Explainable AI for Malware Hunting. ACM Computing Surveys 56(12), 1-40. doi:10.1145/3677374. Online publication date: 11-Jul-2024
  • (2023) PSP-Mal: Evading Malware Detection via Prioritized Experience-based Reinforcement Learning with Shapley Prior. Proceedings of the 39th Annual Computer Security Applications Conference, 580-593. doi:10.1145/3627106.3627178. Online publication date: 4-Dec-2023
  • (2022) HEAVEN. Expert Systems with Applications: An International Journal 201(C). doi:10.1016/j.eswa.2022.117083. Online publication date: 1-Sep-2022
  • (2021) A Machine-Learning-Based Framework for Supporting Malware Detection and Analysis. Computational Science and Its Applications – ICCSA 2021, 353-365. doi:10.1007/978-3-030-86970-0_25. Online publication date: 13-Sep-2021
  • (2019) Shellfier. Proceedings of the 2019 8th International Conference on Software and Computer Applications, 462-466. doi:10.1145/3316615.3316731. Online publication date: 19-Feb-2019
  • (2018) An Efficient Malicious Code Detection System Based on Convolutional Neural Networks. Proceedings of the 2018 2nd International Conference on Computer Science and Artificial Intelligence, 86-89. doi:10.1145/3297156.3297246. Online publication date: 8-Dec-2018
  • (2018) Automatic malware mutant detection and group classification based on the n-gram and clustering coefficient. The Journal of Supercomputing 74(8), 3489-3503. doi:10.1007/s11227-015-1594-6. Online publication date: 1-Aug-2018
  • (2017) Malware Detection by Static Checking and Dynamic Analysis of Executables. International Journal of Information Security and Privacy 11(3), 29-41. doi:10.5555/3272800.3272803. Online publication date: 1-Jul-2017
  • (2017) Packer identification based on metadata signature. Proceedings of the 7th Software Security, Protection, and Reverse Engineering / Software Security and Protection Workshop, 1-11. doi:10.1145/3151137.3160687. Online publication date: 5-Dec-2017
  • (2017) Scanning memory with Yara. Digital Investigation: The International Journal of Digital Forensics & Incident Response 20(C), 34-43. doi:10.1016/j.diin.2017.02.005. Online publication date: 1-Mar-2017
