A semantics-based approach to malware detection

ACM Transactions on Programming Languages and Systems

Volumn 30, Issue 5, 2008, Pages

  Preda, Mila Dalla ^a   Christodorescu, Mihai ^b   Jha, Somesh ^b   Debray, Saumya ^c  

^a UNIVERSITY OF VERONA   (Italy)

^b UNIVERSITY OF WISCONSIN MADISON   (United States)

^c UNIVERSITY OF ARIZONA   (United States)

Author keywords

Abstract interpretation; Malware detection; Obfuscation; Trace semantics

Indexed keywords

ABSTRACT INTERPRETATION; ABSTRACT INTERPRETATIONS; CURRENT DETECTORS; DETECTION SCHEMES; MALWARE; MALWARE DETECTION; OBFUSCATION; SIGNATURE MATCHING; SOFTWARE SECURITY; SOUNDNESS AND COMPLETENESS; STANDARD MODEL; SYNTACTIC APPROACH; SYNTACTIC PROPERTIES; TRACE SEMANTICS;

CODES (SYMBOLS); DETECTORS; INFORMATION THEORY; MODEL CHECKING; PROGRAM INTERPRETERS; SEMANTICS; STANDARDS; SYNTACTICS;

COMPUTER CRIME;

EID: 51849164885     PISSN: 01640925     EISSN: 15584593     Source Type: Journal    
DOI: 10.1145/1387673.1387674     Document Type: Article

References (50)

1. ADLEMAN, L. M. 1988. An abstract theory of computer viruses. In Proceedings of Advances in Cryptology (CRYPTO'88). Lecture Notes in Computer Science, vol. 403. Springer, Berlin, Germany.
2. BARAK, B., GOLDREICH, O., ISMPAGLIAZZO, R., RUDICH, S., SAHAI, A., VADHAN, S., AND YANG, K. 2001. On the (im)possibility of obfuscating programs. In Proceedings of the Advances in Cryptology (CRYPTO'01). Lecture Notes in Computer Science, vol. 2139. Springer, 1-18.
3. BERGERON, J., DEBBABI, M., DESHARNAIS, J., ERHIOUI, M. M., LAVOIE, Y., AND TAWBI, N. 2001. Static detection of malicious code in executable programs. Symposium on Requirements Engineering for Information Security. http://www.sreis.org/ old/2001/index.html.
4. BRIESEMEISTER, L., PORRAS, P. A., AND TIWARI, A. 2005. Model checking of worm quarantine and counter-quarantine under a group defense. Tech. rep. SRI-CSL-05-03, Computer Science Laboratory. SRI International.
5. CHESS, D. AND WHITE, S. 2000. An undetectable computer virus. In Proceedings of the Virus Bulletin Conference (VB2000). Virus Bulletin, Orlando, FL.
6. CHOW, S., GU, Y., JOHNSON, H., AND ZAKHAROV,V. 2001. An approachtothe obfuscation of control-flow of sequential computer programs. In Proceedings of the 4th International Information Security Conference (ISC'01), G. Davida and Y. Frankel, Eds. Lecture Notes in Computer Science, vol. 2200. Springer, 144-155.
7. CHRISTODORESCU, M. AND JHA, S. 2003. Static analysis of executables to detect malicious patterns. In Proceedings of the 12th USENIX Security Symposium (Security'03). USENIX Association, Berkeley, CA, 169-186.
8. CHRISTODORESCU, M., JHA, S., AND KRUEGEL, C. 2007. Mining specifications of malicious behavior. In Proceedings of the 6th Joint Meeting European Software Engineering Conference and the ACM SIGSOFT International Symposium on Foundations of Software Engineering (ESEC/ FSE'07).
9. CHRISTODORESCU, M., JHA, S., SESHIA, S. A., SONG, D., AND BRYANT, R. E. 2005. Semantics-aware malware detection. In Proceedings of the 2005 IEEE Symposium on Security and Privacy (S&P'05). IEEE Computer Society, Los Alamitos, CA, 32-46.
10. CHRISTODORESCU, M., KINDER, J., JHA, S., KATZENBEISSER, S., AND VEITH, H. 2005. Malware normalization. Tech. rep. 1539, University of Wisconsin, Madison. WI.
11. CLARKE Jr. E. M., GRUMBERG, O., AND PELED, D. A. 2001. Model Checking. MIT Press, Cambridge, MA.
12. COHEN, F. 1985. Computer viruses. Ph.D. thesis, University of Southern California.
13. COHEN, F. 1989. Computational aspects of computer viruses. Comput. Secur. 8, 4, 325.
14. COHEN, F. B. 1987. Computer viruses: Theory and experiments. Comput. Secur. 6, 22-35.
15. COLLBERG, C., THOMBORSON, C., AND LOW, D. 1997. A taxonomy of obfuscating transformations. Tech. rep. 148, Department of Computer Sciences, University of Auckland.
16. COLLBERG, C., THOMBORSON, C., AND LOW, D. 1998. Manufacturing cheap, resilient, and stealthy opaque constructs. In Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'98). ACM Press, 184-196.
17. COUSOT, P. AND COUSOT, R. 1977. Abstract interpretation: A unified lattice model for static analysis of programs by construction of approximation of fixed points. In Proceedings of the 4th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'77). ACM Press, 238-252.
18. COUSOT, P. AND COUSOT, R. 1979. Systematic design of program analysis frameworks. In Proceedings of the 6th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'79). ACM Press, 269-282.
19. COUSOT, P. AND COUSOT, R. 1992. Abstract interpretation frameworks. J. Logic Comput. 2, 4 (Aug.), 511-547.
20. COUSOT, P. AND COUSOT, R. 2002. Systematic design of program transformation frameworks by abstract interpretation. In Proceedings of the 29th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'02). ACM Press, 178-190.
21. DALLA PREDA, M., CHRISTODORESCU, M., JHA, S., AND DEBRAY, S. 2007. A semantics-based approach to malware detection. In Proceedings of the 32nd ACM Symp. on Principles of Programming Languages (POPL'07). ACM Press, 377-388.
22. DALLA PREDA, M. AND GIACOBAZZI, R. 2005. Control code obfuscation by abstract interpretation. In Proceedings of the 3rd IEEE International Conference on Software Engineering and Formal Methods (SEFM'05). IEEE Computer Society, Los Alamitos, CA, USA, 301-310.
23. DALLA PREDA, M. AND GIACOBAZZI, R. 2005. Semantics-based code obfuscation by abstract interpretation. In Proceedings of the 32nd International Colloquium on Automata, Languages and Programming (ICALP'05). Lecture Notes in Computer Science, vol. 3580. Springer, 1325-1336.
24. DETRISTAN, T., ULENSPIEGEL, T., MALCOM, Y., AND VON UNDERDUK, M. S. 2003. Polymorphic shellcode engine using spectrum analysis. Phrack 11, 61 http://www.phrack.org.
25. GOLDWASSER, S. AND KALAI, Y. T. 2005. On the impossibility of obfuscation with auxiliary input. In Proceedings of the 46th Annual IEEE Symposium onFoundationsof Computer Science (FOCS'05). IEEE Computer Society, 553-562.
26. GUPTA, A. AND SEKAR, R. 2003. An approach for detecting self-propagating email using anomaly detection. In Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection (RAID'03), G. Vigna, E. Jonsson, and C. Kruegel, Eds. Lecture Notes in Computer Science, vol. 2820. Springer, 55-72.
27. INTEL CORPORATION. 2001. IA-32 Intel Architecture Software Developer's Manual. Intel Corporation.
28. JORDAN, M. 2002. Dealing with metamorphism. Virus Bull. 10, 4-6.
29. KINDER, J., KATZENBEISSER, S., SCHALLHART, C., AND VEITH, H. 2005. Detecting malicious code by model checking. In Proceedings of the 2nd International Conference on Intrusion and Malware Detection and Vulnerability Assessment (DIMVA'05), K. Julisch and C. Krügel, Eds. Lecture Notes in Computer Science, vol. 3548. Springer, 174-187.
30. KOLTER, J. Z. AND MALOOF, M. A. 2004. Learning to detect malicious executables in the wild. In Proceedings of the 10th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD'04). ACM Press, 470-478.
31. LAKHOTIA, A. AND MOHAMMED, M. 2004. Imposing Order on Program Statements to Assist Anti-Virus Scanners. In Proceedings of the 11th Working Conference on Reverse Engineering (WCRE'04). IEEE Computer Society, 161-170.
32. LAKHOTIA, A. AND SINGH, P. K. 2000. Challenges in getting "formal" with viruses. In Virus Bull.
33. LEE, W., NIMBALKAR, R. A., YEE, K. K., PATIL, S. B., DESAI, P. H., TRAN, T. T., AND STOLFO, S. J. 2000. A data mining and CIDF based approach for detecting novel and distributed intrusions. In Proceedings of the 3rd International Workshop on Recent Advances in Intrusion Detection (RAID 2000). Lecture Notes in Computer Sciences, vol. 1907. Springer, 49-65.
34. LEE, W. AND STOLFO, S. 1998. Data mining approaches for intrusion detection. In Proceedings of the 7th USENIX Security Symposium. USENIX Association, 79-93.
35. LEE, W., STOLFO, S., AND MOK, K. W. 1999. A data mining framework for building intrusion detection models. In Proceedings of the IEEE Symposium on Security and Privacy (S & P'99). IEEE Computer Society, Los Alamitos, CA, USA, 120-132.
36. LI, W.-J., WANG, K., STOLFO, S. J., AND HERZOG, B. 2005. Fileprints: Identifying file types by n-gram analysis. In Proceedings of the 6th Annual IEEE Systems, Man, and Cybernetics (SMC) Workshop on Information Assurance (IAW'05). IEEE Computer Society, 64-71.
37. LINN, C. AND DEBRAY, S. 2003. Obfuscation of executable code to improve resistance to static disassembly. In Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS'03). ACM Press, 290-299.
38. LO, R. W., LEVITT, K. N., AND OLSSON, R. A. 1995. Mcf: A malicious code filter. Comput. Secur. 14, 541-566.
39. MCHUGH, J. 2001. Intrusion and intrusion detection. Int. J. Inform. Secu. 1, 1, 14-35.
40. MORLEY, P. 2001. Processing virus collections. In Proceedings of the Virus Bulletin Conference (VB2'001). Virus Bulletin, 129-134.
41. NACHENBERG, C. 1997. Computer virus-antivirus coevolution. Comm. ACM 40, 1, 46-51.
42. RAJAAT. 1999. Polymorphism. 29A Mag. 1, 3, 1-2.
43. SINGH, P. AND LAKHOTIA, A. 2003. Static verification of worm and virus behaviour in binary executables using model checking. In Proceedings of the 4th IEEE Information Assurance Workshop. IEEE Computer Society, Los Alamitos, CA, USA.
44. SYMANTEC CORPORATION. 2006. Symantec Internet Security Threat Report: Trends for January 06-June 06. Vol. X. Symantec Corporation, Cupertino, CA.
45. SZÖR, P. 2005. The Art of Computer Virus Research and Defense. Addison-Wesley Professional, Boston, MA.
46. SZÖR, P. AND FERRIE, P. 2001. Hunting for metamorphic. In Proceedings of the Virus Bulletin Conference (VB2001). Virus Bulletin, 123-144.
47. WALENSTEIN, A., MATHURS, R. CHOUCHANE, M. R., AND, LAKHOTIA, A 2006. Normalizing Metamorphic Malware Using Term Rewriting. In Proceedings of the 6th International Workshop on Source Code Analysis and Manipulation (SCAM'06). 75-84, IEEE Computer Society Press.
48. WEE, H. 2005. On obfuscating point functions. In Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC'05). ACM Press, 523-532.
49. ZOMBIE. 2001a. Automated reverse engineering: Mistfall engine. Published online athttp://www.madchat.org//vxdevl/papers/vxers/Z0mbie/autorev. txt (last accessed on Sep. 29, 2006).
50. ZOMBIE. 2001b. Real Permutating[sic] Engine. Published online at http://vx.netlux.org/vx.php?id=er05.