Behavior abstraction in malware analysis

Authors:
Philippe Beaucamps;Isabelle Gnaedig;Jean-Yves Marion
Affiliations:
INPL, INRIA Nancy Grand Est, Nancy-Université, LORIA, Vandoeuvre-lès-Nancy Cedex, France;INPL, INRIA Nancy Grand Est, Nancy-Université, LORIA, Vandoeuvre-lès-Nancy Cedex, France;INPL, INRIA Nancy Grand Est, Nancy-Université, LORIA, Vandoeuvre-lès-Nancy Cedex, France
Venue:
RV'10 Proceedings of the First international conference on Runtime verification
Year:
2010

Citing 9
Cited 5

Computer viruses: theory and experiments

Computers and Security
Semantics of programming languages: structures and techniques

Semantics of programming languages: structures and techniques
A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors

SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Semantics-Aware Malware Detection

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Exploring Multiple Execution Paths for Malware Analysis

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
A Layered Architecture for Detecting Malicious Behaviors

RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Malware Behavioral Detection by Attribute-Automata Using Abstraction from Platform and Language

RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Detecting self-mutating malware using control-flow graph matching

DIMVA'06 Proceedings of the Third international conference on Detection of Intrusions and Malware & Vulnerability Assessment
Detecting malicious code by model checking

DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment

Dynamic behavior matching: a complexity analysis and new approximation algorithms

CADE'11 Proceedings of the 23rd international conference on Automated deduction
A stateful approach to generate synthetic events from Kernel traces

Advances in Software Engineering
LTL model-checking for malware detection

TACAS'13 Proceedings of the 19th international conference on Tools and Algorithms for the Construction and Analysis of Systems
PoMMaDe: pushdown model-checking for malware detection

Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering
Analyzing program dependencies for malware detection

Proceedings of ACM SIGPLAN on Program Protection and Reverse Engineering Workshop 2014

Quantified Score

Hi-index	0.00

Visualization

Abstract

We present an approach for proactive malware detection working by abstraction of program behaviors. Our technique consists in abstracting program traces, by rewriting given subtraces into abstract symbols representing their functionality. Traces are captured dynamically by code instrumentation, which allows us to handle packed or self-modifying malware. Suspicious behaviors are detected by comparing trace abstractions to reference malicious behaviors. The expressive power of abstraction allows us to handle general suspicious behaviors rather than specific malware code and then, to detect malware mutations. We present and discuss an implementation validating our approach.