Malware behavioral detection by attribute-automata using abstraction from platform and language

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 5758 LNCS, Issue , 2009, Pages 81-100

  Jacob, Grégoire ^a,b   Debar, Hervé ^a   Filiol, Eric ^b  

^a ORANGE LABS   (France)

^b Operational Virology and Cryptology Lab   (France)

Author keywords

Attribute Grammars; Behaviors; Interpretation; Malware

Indexed keywords

ABSTRACTION LAYER; DATAFLOW; DETECTION RATES; EXECUTABLES; FALSE POSITIVE; GENERIC APPROACH; INTERPRETED LANGUAGES; MALWARES; OBJECT CLASSIFICATION; PROCESSING SYSTEMS; SEMANTIC RULES; THEORETICAL RESULT; TWO LAYERS;

ABSTRACTING; COMPUTER CRIME; DETECTORS; LINGUISTICS; PARALLEL FLOW; TRANSLATION (LANGUAGES);

INTRUSION DETECTION;

EID: 76649135461     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-642-04342-0_5     Document Type: Conference Paper

References (22)

1. Charlier, B.L., Mounji, A., Swimmer, M.: Dynamic detection and classification of computer viruses using general behaviour patterns. Virus Bulletin (1995)
2. Newsome, J., Song, D.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: Proc. of the Network and Distributed System Security Symposium, NDSS (2005)
3. Bhatkar, S., Chaturvedi, A., Sekar, R.: Dataflow anomaly detection. In: Proc. of the IEEE Symposium on Security and Privacy (SSP), pp. 48-62 (2006)
4. Christodorescu, M., Jha, S., Kruegel, C.: Mining specifications of malicious behaviour. In: Proc. of the 6th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineeering, pp. 5-14 (2007)
5. Morales, J.A., Clarke, P.J., Deng, Y.: Identification of file infecting viruses through detection of self-reference replication. Journal in Computer Virology Online (2008)
6. Martignoni, L., Stinson, E., Fredrikson, M., Jha, S., Mitchell, J.C.: A layered architecture for detecting malicious behaviors. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 78-97. Springer, Heidelberg (2008)
7. Knuth, D.E.: Semantics of context-free grammars. Theory of Computing Systems 2, 127-145 (1968)
8. Jacob, G., Filiol, E., Debar, H.: Malwares as interactive machines: A new framework for behavior modelling. Journal in Computer Virology 4(3), 235-250 (2008)
9. Jacob, G., Filiol, E., Debar, H.: Functional polymorphic engines: Formalisation, implementation and use cases. Journal in Computer Virology Online (2008)
10. US Department of Defense: "Orange Book" - Trusted Computer System Evaluation Criteria. Rainbow Series (1983)
11. NTInternals: The undocumented functions microsoft windows nt/2k/xp/2003, http://undocumented.ntinternals.net
12. Kruegel, C., Mutz, D., Valeur, F., Vigna, G.: On the detection of anomalous system call arguments. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 326-343. Springer, Heidelberg (2003)
13. Cuppens, F., Miège, A.: Alert correlation in a cooperative intrusion detection framework. In: Proc. of the IEEE Symposium on Security and Privacy (SSP), p. 202 (2002)
14. Al-Mamory, S.O., Zhang, H.: Ids alerts correlation using grammar-based approach. Journal in Computer Virology Online (2008)
15. NtTrace: Native api tracing for windows, http://www.howzatt.demon.co.uk/ NtTrace/
16. QEMU: Processor emulator, http://fabrice.bellard.free.fr/qemu/
17. Marion, J.Y., Reynaud-Plantey, D.: Practical obfuscation by interpretation. In: 3rd Workshop on the Theory of Computer Viruses, WTCV (2008)
18. MSDN: Vbscript language reference, http://msdn.microsoft.com/en-us/ library/d1wf56tt.aspx
19. VXHeaven: Repository, http://vx.netlux.org/
20. OffensiveComputing: Repository, http://www.offensivecomputing.net/
21. Carrera, E.: Malware - behavior, tools, scripting and advanced analysis. In: HITBSec Conf. (2008)
22. Anubis: Analyzing unknown malware, http://anubis.iseclab.org/