DiffSig: resource differentiation based malware behavioral concise signature generation

Authors:
Huabiao Lu;Baokang Zhao;Xiaofeng Wang;Jinshu Su
Affiliations:
School of Computer, National University of Defense Technology, Changsha, China;School of Computer, National University of Defense Technology, Changsha, China;School of Computer, National University of Defense Technology, Changsha, China;School of Computer, National University of Defense Technology, Changsha, China
Venue:
ICT-EurAsia'13 Proceedings of the 2013 international conference on Information and Communication Technology
Year:
2013

Citing 10
Cited 0

Rootkits: Subverting the Windows Kernel

Rootkits: Subverting the Windows Kernel
Hamsa: Fast Signature Generation for Zero-day PolymorphicWorms with Provable Attack Resilience

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Dynamic application-layer protocol analysis for network intrusion detection

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Mining specifications of malicious behavior

Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering
System Call API Obfuscation (Extended Abstract)

RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Synthesizing Near-Optimal Malware Specifications from Suspicious Behaviors

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
A view on current malware behaviors

LEET'09 Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
Effective and efficient malware detection at the end host

SSYM'09 Proceedings of the 18th conference on USENIX security symposium
AccessMiner: using system-centric models for malware protection

Proceedings of the 17th ACM conference on Computer and communications security
Malware Obfuscation Techniques: A Brief Survey

BWCCA '10 Proceedings of the 2010 International Conference on Broadband, Wireless Computing, Communication and Applications

Quantified Score

Hi-index	0.00

Visualization

Abstract

Malware obfuscation obscures malware into a different form that's functionally identical to the original one, and makes syntactic signature ineffective. Furthermore, malware samples are huge and growing at an exponential pace. Behavioral signature is an effective way to defeat obfuscation. However, state-of-the-art behavioral signature, behavior graph, is although very effective but unfortunately too complicated and not scalable to handle exponential growing malware samples; in addition, it is too slow to be used as real-time detectors. This paper proposes an anti-obfuscation and scalable behavioral signature generation system, DiffSig, which voids information-flow tracking which is the chief culprit for the complex and inefficiency of graph behavior, thus, losing some data dependencies, but describes handle dependencies more accurate than graph behavior by restrict the profile type of resource that each handle dependency can reference to. Our experiment results show that DiffSig is scalable and efficient, and can detect new malware samples effectively.