Mining specifications of malicious behavior

Proceedings of the 2008 1st India Software Engineering Conference, ISEC'08

Volumn , Issue , 2008, Pages 5-14

  Christodorescu, Mihai ^a   Jha, Somesh ^b   Kruegel, Christopher ^c  

^a IBM RESEARCH   (United States)

^b UNIVERSITY OF WISCONSIN   (United States)

^c VIENNA UNIVERSITY OF TECHNOLOGY   (Austria)

Author keywords

Behavior based detection; Differential analysis; Malspec

Indexed keywords

AUTOMATIC TECHNIQUE; BEHAVIOR-BASED DETECTION; DIFFERENTIAL ANALYSIS; MALICIOUS BEHAVIOR; MALSPEC; MALWARES; MANUAL PROCESS;

ALGORITHMS; COMPUTER SOFTWARE; DETECTORS; MINING; SET THEORY; SPECIFICATIONS;

COMPUTER CRIME;

EID: 58049219641     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1342211.1342215     Document Type: Conference Paper

References (30)

1. G. Amnions, R. Bodik, and J. R. Larus. Mining specifications. In Proc. 29th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'02), pages 4-16, 2002.
2. T. Apiwattanapong, A. Orso, and M. J. Harrold. A differencing algorithm for object-oriented programs. In Proc. 19th IEEE International Conference on Automated Software Engineering (ASE 2004), pages 2-13, Sept. 2004.
3. H. A. Basit and S. Jarzabek. Detecting higher-level similarity patterns in programs. In Proc. 10th European Software Engineering Conference held jointly with 13th ACM SIGSOFT International Symposium on Foundations of Software Engineering (ESEG/FSE'05), pages 156-165, New York, NY, USA, 2005. ACM Press.
4. S. Bhatkar, A. Chaturvedi, and R. Sekar. Dataflow anomaly detection. In Proc. IEEE Symposium on Security and Privacy, pages 48-62, 2006.
5. BindView. Strace for NT. Published online at http://www.bindview.com/ Services/RAZOR/Utilities/Windows/strace-readme.cfm (accessed 9 Sep. 2006).
6. M. Christodorescu and S. Jha. Testing malware detectors. In ACM SIGSOFT International Symposium on Software Testing and Analysis 2004 (ISSTA'04), pages 34-44, 2004.
7. M. Christodorescu, S. Jha, S. A. Seshia, D. Song, and R. E. Bryant. Semantics-aware malware detection. In Proc. IEEE Symposium on Security and Privacy, pages 32-46, 2005.
8. J. T. Giffin, S. Jha, and B. P. Miller. Efficient context-sensitive intrusion detection. In Proc. 11th Network and Distributed System Security Symposium (NDSS'04), 2004.
9. S. Horwitz. Identifying the semantic and textual differences between two versions of a program. In Proc. ACM SIGPLAN 1990 Conference on Programming Language Design and Implementation (PLDI'90), pages 234-245, 1990.
10. D. Jackson and D. A. Ladd. Semantic diff: A tool for summarizing the effects of modifications. In Proc. International Conference on Software Maintenance (IGSM'94), pages 243-252, 1994.
11. T. Kamiya, S. Kusumoto, and K. Inoue. CCFinder: A multilinguistic token-based code clone detection system for large scale source code. IEEE Transactions on Software Engineering, 28(7):654-670, 2002.
12. J. Kinder, S. Katzenbeisser, C. Schallhart, and H. Veith. Detecting malicious code by model checking. In Proc. 2nd Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA'05), pages 174-187, 2005.
13. R. Komondoor and S. Horwitz. Using slicing to identify duplication in source code. In Proc. 8th International Symposium on Static Analysis (SAS'01), pages 40-56, London, UK, 2001. Springer-Verlag.
14. C. Kruegel, D. Mutz, W. Robertson, G. Vigna, and R. Kemmerer. Reverse engineering of network signatures. In AusCERT Asia Pacific IT Security Conference, 2005.
15. C. Kruegel, D. Mutz, F. Valeur, and G. Vigna. On the detection of anomalous system call arguments. In Proc. 8th European Symposium on Research in Computer Security (ESORICS'03), pages 101-118, 2003.
16. C. Kruegel, W. Robertson, and G. Vigna. Detecting kernel-level rootkits through binary analysis. In Proc. 20th Annual Computer Security Applications Conference (AGSAC04), pages 91-100, 2004.
17. J. Laski and W. Szermer. Identification of program modifications and its applications in software maintenance. In Proc. Conference on Software Maintenance, pages 282-290, Nov. 9-12 1992.
18. Z. Li and Y. Zhou. PR-Miner: automatically extracting implicit programming rules and detecting violations in large software code. In Proc. 10th European Software Engineering Conference held jointly with 13th ACM SIGSOFT International Symposium on Foundations of Software Engineering (ESEG/FSE'05), pages 306-315, New York, NY, USA, 2005. ACM Press.
19. A. Marinescu. Russian doll. Virus Bulletin, 15(8):7-9, Aug. 2003.
20. A. Moser, C. Kruegel, and E. Kirda. Exploring multiple execution paths for malware analysis. In Proc. IEEE Symposium on Security and Privacy, pages 231-245, 2007.
21. S. Muchnick. Advanced Compiler Design and Implementation. Morgan Kaufmann, 1997.
22. C. Nachenberg. Computer virus-antivirus coevolution. Communications of the ACM, 40(1):46-51, Jan. 1997.
23. R. Sekar, M. Bendre, D. Dhurjati, and P. Bollineni. A fast automaton-based method for detecting anomalous program behaviors. In IEEE Symposium on Security and Privacy, pages 144-155, 2001.
24. Symantec Antivirus Research Center. Expanded threat list and virus encyclopedia. Published online at http://www.symantec.com/enterprise/security- response/threatexplorer/index.jsp (accessed 9 Sep. 2006).
25. P. Ször and P. Ferrie. Hunting for metamorphic. In Virus Bulletin Conference, pages 123-144, 2001.
26. R. M. H. Ting and J. Bailey. Mining minimal contrast subgraph patterns. In 6th SIAM International Conference on Data Mining, pages 638-642, 2006.
27. W. Weimer and G. C. Necula. Mining temporal specifications for error detection. In Proc. 11th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'05), pages 461-476, 2005.
28. I. Whalley, B. Arnold, D. Chess, J. Morar, and A. Segal. An environment for controlled worm replication & analysis (Internet-inna-Box). In Virus Bulletin Conference, 2000.
29. zOmbie. zOmbie's homepage. Published online at http://z0mbie.host.sk (accessed 16 Jan. 2004).
30. X. Zhang and R. Gupta. Matching execution histories of program versions. In Proc. 10th European Software Engineering Conference held jointly with 13th ACM SIGSOFT International Symposium on Foundations of Software Engineering (ESEG/FSE'05), pages 197-206, 2005.