Binary obfuscation plays an essential role in evading static malware analysis and detection. The widely used code obfuscation techniques, such as polymorphism and metamorphism, focus on evading syntax-based detection. However, statistical tests and semantic analysis techniques have been developed to thwart these evasion attempts. More recent binary obfuscation techniques target either the statistical or the semantic approach, but not both. In this paper, we introduce mimimorphism, a novel binary obfuscation technique with the potential to evade both statistical and semantic detection. Mimimorphic malware uses instruction-syntax-aware high-order mimic functions to transform its binary into mimicry executables that closely resemble benign programs in both statistical properties and semantic characteristics. We implement a prototype of the mimimorphic engine on the Intel x86 platform and evaluate its capability to evade statistical anomaly detection and semantic analysis detection techniques. Our experimental results demonstrate that the mimicry executables are indistinguishable from benign programs in terms of byte frequency distribution and entropy, as well as control flow fingerprint.
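The statistical side of the abstract, byte frequency distribution and entropy, can be made concrete with a small worked example. The Python below is an added illustration, not code from the paper or its x86 prototype: it builds an order-2 byte-level mimic function in the style of Wayner's mimic functions, trained on a constructed benign sample, encodes a constructed high-entropy payload so that the cover bytes follow the benign sample's successor structure, checks that the transform is invertible (an obfuscated body is useless unless it can be recovered), and then applies the two statistical checks to both payload and cover. `ORDER`, the training text, the payload, the 16-bit length header and all function names are assumptions of this example. Because it works on raw bytes rather than x86 instructions, its output would not disassemble into valid code and would fail a control flow fingerprint; that gap between byte-level mimicry and instruction-syntax-aware mimicry is what the abstract's mimic functions are designed to close.

```python
from collections import Counter, defaultdict
import math
import random

ORDER = 2  # context length k; "high-order" mimic functions use k > 1 (assumed value)

def build_model(benign: bytes, k: int = ORDER) -> dict:
    """Map every k-byte context in BENIGN to the sorted list of bytes that followed
    it; the empty context holds every byte seen and is the fallback for unseen contexts."""
    model = defaultdict(set)
    for i in range(len(benign) - k):
        model[benign[i:i + k]].add(benign[i + k])
    model[b""] = set(benign)
    return {ctx: sorted(s) for ctx, s in model.items()}

def _choices(model: dict, ctx: bytes) -> list:
    return model.get(ctx) or model[b""]

def _bits(data: bytes) -> list:
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]

def mimic_encode(payload: bytes, model: dict, seed: bytes, k: int = ORDER) -> bytes:
    """Emit a cover byte string that follows the successor structure of the benign
    model.  With n successors available, the next m = floor(log2 n) payload bits
    select one of the first 2**m; a single-successor context is emitted
    deterministically and carries no bits.  A 16-bit length header precedes the payload."""
    assert len(seed) >= k and len(payload) < 1 << 16
    bits = _bits(len(payload).to_bytes(2, "big") + payload)
    out, pos, stall = bytearray(seed[:k]), 0, 0
    while pos < len(bits):
        choices = _choices(model, bytes(out[-k:]))
        m = int(math.log2(len(choices)))  # bits this position can carry
        idx = 0
        for _ in range(m):
            idx = (idx << 1) | (bits[pos] if pos < len(bits) else 0)  # zero-pad the tail
            pos += 1
        out.append(choices[idx])
        stall = 0 if m else stall + 1
        if stall > 4096:  # walked into a loop of single-successor contexts
            raise ValueError("no branching context reachable; training data too repetitive")
    return bytes(out)

def mimic_decode(cover: bytes, model: dict, k: int = ORDER) -> bytes:
    """Replay the walk, recover each chosen successor's index, and reassemble
    header and payload from the recovered bit stream."""
    bits = []
    for i in range(k, len(cover)):
        choices = _choices(model, cover[i - k:i])
        m = int(math.log2(len(choices)))
        if m:
            idx = choices.index(cover[i])
            bits.extend((idx >> s) & 1 for s in range(m - 1, -1, -1))
    def take(start: int, n: int) -> int:
        value = 0
        for b in bits[start:start + n]:
            value = (value << 1) | b
        return value
    length = take(0, 16)
    return bytes(take(16 + 8 * j, 8) for j in range(length))

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: the packer/crypter heuristic mimicry must pass."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def histogram_distance(a: bytes, b: bytes) -> float:
    """Total-variation distance between byte-frequency distributions (0 = same, 1 = disjoint)."""
    ca, cb = Counter(a), Counter(b)
    return 0.5 * sum(abs(ca[x] / len(a) - cb[x] / len(b)) for x in range(256))

# Constructed inputs: benign "training" bytes, and a pseudo-random payload standing
# in for a packed or encrypted malware body.
BENIGN = (b"The quick brown fox jumps over the lazy dog. Pack my box with five "
          b"dozen liquor jugs. How vexingly quick daft zebras jump! ") * 4
_rng = random.Random(7)
PAYLOAD = bytes(_rng.randrange(256) for _ in range(96))

def demo() -> dict:
    model = build_model(BENIGN)
    cover = mimic_encode(PAYLOAD, model, BENIGN[:ORDER])
    assert mimic_decode(cover, model) == PAYLOAD  # the transform must be invertible
    return {
        "payload_entropy": entropy(PAYLOAD), "cover_entropy": entropy(cover),
        "benign_entropy": entropy(BENIGN),
        "payload_distance": histogram_distance(PAYLOAD, BENIGN),
        "cover_distance": histogram_distance(cover, BENIGN),
        "expansion": len(cover) / len(PAYLOAD),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>16}: {value:.3f}")
```

Running it shows the payload's entropy close to the log2(96) ceiling a 96-byte random sample allows, the cover's entropy under 5 bits (the log2 of the training text's 32-symbol alphabet), and a much smaller byte-histogram distance from the benign sample for the cover than for the payload, at the cost of a substantial size expansion, since each cover byte carries only as many bits as its context has alternatives. An entropy or byte-frequency detector tuned to flag packed or encrypted bodies would therefore pass the cover while flagging the original payload, which is the statistical half of what the abstract claims; the semantic half (control flow fingerprint) needs the instruction-level construction this byte-level toy does not attempt.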