Synthesizing near-optimal malware specifications from suspicious behaviors

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2010, Pages 45-60

  Fredrikson, Matt ^a   Jha, Somesh ^a   Christodorescu, Minai ^b   Sailer, Reiner ^b   Yan, Xifeng ^c  

^a University of Wisconsin   (United States)

^b IBM T J WATSON RESEARCH CENTER   (United States)

^c University of California   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

ANTI VIRUS; AUTOMATIC TECHNIQUE; BEHAVIOR-BASED; BEHAVIOR-BASED DETECTION; CONCEPT ANALYSIS; DETECTION RATES; FALSE POSITIVE; GRAPH MINING; LARGE CLASS; MALICIOUS BEHAVIOR; MALWARES; NUMBER OF FALSE ALARMS; OPEN SOURCES; PROBABILISTIC SAMPLING;

COMPUTER CRIME; DETECTORS;

SPECIFICATIONS;

EID: 77955210614     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2010.11     Document Type: Conference Paper

References (41)

1. B. Acohido and J. Swartz, Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity. Union Square Press, April 2008.
2. D. Perry, "Here comes the flood or end of the pattern file," in Virus Bulletin (VB2008), Ottawa, 2008.
3. M. Christodorescu, S. Jha, S. A. Seshia, D. Song, and R. E. Bryant, "Semantics-aware malware detection," in Proceedings of the 2005 IEEE Symposium on Security and Privacy (S&P'06). Washington, DC, USA: IEEE Computer Society, 2005, pp. 32-46.
4. M. Egele, C. Kruegel, E. Kirda, H. Yin, , and D. Song, "Dynamic spyware analysis," in Proceedings of the 2007 USENIX Annual Technical Conference (USENIX'07). USENIX, 2007, pp. 233-246.
5. C. Kolbitsch, P. M. Comparetti, C. Kruegel, E. Kirda, X. Zhou, and X. Wang, "Effective and efficient malware detection at the end host," in Proceedings of the 18th USENIX Security Symposium (Security'09), August 2009.
6. D. Brumley, C. Hartwig, M. G. Kang, Z. L. J. Newsome, P. Poosankam, D. Song, and H. Yin, "BitScope: Automatically dissecting malicious binaries," School of Computer Science, Carnegie Mellon University, Tech. Rep. CMU-CS07-133, Mar. 2007.
7. A. Moser, C. Kruegel, and E. Kirda, "Exploring multiple execution paths for malware analysis," in Proceedings of the 2007 IEEE Symposium on Security and Privacy (S&P'07). IEEE Computer Society, 2007, pp. 231-245.
8. X. Yan, H. Cheng, J. Han, and P. S. Yu, "Mining significant graph patterns by leap search," in Proceedings of the 2008 ACM SIGMOD International Conference on Management of Data (SIGMOD'08). New York, NY, USA: ACM Press, 2008, pp. 433-444.
9. R. Wille, "Restructuring lattice theory: an approach based on hierarchies of concepts," Ordered Sets, 1982.
10. M. Bailey, J. Oberheide, J. Andersen, Z. M. Mao, R Jahanian, and J. Nazario, "Automated classification and analysis of internet malware," in Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection (RAID'07). Springer, 2007, pp. 178-197.
11. K. Rieck, T. HoIz, C. Willems, P. Dussel, and P. Laskov, "Learning and classification of malware behavior," in Proceedings of the 5th Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA'08). Springer, 2008, pp. 108-125.
12. X. Zhang, R. Gupta, and Y. Zhang, "Precise dynamic slicing algorithms," in Proceedings of the 25th International Conference on Software Engineering (ICSE '03). Washington, DC, USA: IEEE Computer Society, 2003, pp. 319-329.
13. "Symantec security response," http://www.symantec.com/business/ security-response/index.jsp.
14. P. Bremaud, Markov Chains: Gibbs Fields, Monte Carlo Simulation, and Queues. Springer, January 2001.
15. H. Yin, D. Song, M. Egele, C. Kruegel, and E. Kirda, "Panorama: Capturing system-wide information flow for malware detection and analysis," in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS'07), 2007.
16. M. Christodorescu, S. Jha, and C. Kruegel, "Mining specifications of malicious behavior," in Proceedings of the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE'07). New York, NY, USA: ACM Press, 2007, pp. 5-14.
17. Microsoft Corporation, "MSDN Library," http: //msdn.microsoft.com/en-us/library/default.aspx.
18. R. M. H. Ting and J. Bailey, "Mining minimal contrast subgraph patterns," in Proceedings of the 2006 SIAM International Conference on Data Mining (SDM'06). SIAM, 2006.
19. L. Nourine and O. Raynaud, "A fast algorithm for building lattices," Inf. Process. Lett., vol. 71, no. 5-6, pp. 199-204, 1999.
20. BindView, "Strace for NT," http://www.bindview.com.
21. R Bellard, "QEMU, a fast and portable dynamic translator," http://fabrice.bellard.free.fr/qemu/.
22. I. Whalley, B. Arnold, D. Chess, J. Morar, A. Segal, and M. Swimmer, "An environment for controlled worm replication and analysis," in Virus Bulletin Conference, 2000.
23. "SRI honeynet and malware analysis," http://www.cyber-ta. org/Honeynet.
24. E. Larkin, "Top internet security suites: Paying for protection," PC Magazine, January 2009.
25. Damballa, Inc., "3% to 5% of enterprise assets are compromised by bot-driven targeted attack malware," Mar. 2008, Press Release.
26. "Sana security active malware defense technology center," http://www.sanasecurity.com/amdtc.
27. "Threatflre anti-malware," http://www.threatflre.com.
28. D. Wagner and P. Soto, "Mimicry attacks on host-based intrusion detection systems," in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS'02). ACM Press, 2002, pp. 255-264.
29. "Malicious programs descriptions search," http://www. viruslist.com/en/virusesdescribed http://viruslist.com/en/virusesdescribed.
30. "McAfee threat center," http://www.mcafee.com/us/threat-center.
31. S. Yevtushenko, "Computing and visualizing concept lattices," Ph.D. dissertation, Technischen Universitat Darmstadt, Darmstadt, Germany, Oct. 2004.
32. D. Wagner and D. Dean, "Intrusion detection via static analysis," in Proceedings of the 2001 IEEE Symposium on Security and Privacy (S&P'01), 2001.
33. A. Cozzie, R Stratton, H. Xue, and S. T. King, "Digging for data structures," in Proceedings of the 8th USENIX Symposium on OS Design and Implementation (OSDI'08), 2008.
34. E. Stinson and J. C. Mitchell, "Characterizing bots' remote control behavior," in Proceedings of the 4th GI International Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA'07). Berlin, Heidelberg: Springer-Verlag, 2007, pp. 89-108.
35. G. Ammons, R. Bodik, and J. R. Larus, "Mining specifications," in Proceedings of the 29th Annual ACM SIGPLANSIGACT Symposium on Principles of Programming Languages (POPL'02). New York, NY, USA: ACM Press, 2002, pp. 4-16.
36. S. Shoham, E. Yahav, S. Fink, and M. Pistoia, "Static specification mining using automata-based abstractions," in Proceedings of the ACM SIGSOFT International Symposium on Software Testing and Analysis 2007 (ISSTA'07). New York, NY, USA: ACM Press, 2007, pp. 174-184.
37. S. Sankaranarayanan, R Ivanči, and A. Gupta, "Mining library specifications using inductive logic programming," in Proceedings of the 30th International Conference on Software Engineering (ICSE '08). New York, NY, USA: ACM Press, 2008, pp. 131-140.
38. V. Ganapathy, D. King, T. Jaeger, and S. Jha, "Mining security-sensitive operations in legacy code using concept analysis," in Proceedings of the 29th International Conference on Software Engineering (ICSE '07). Washington, DC, USA: IEEE Computer Society, 2007, pp. 458-467.
39. G. Snelting and R Tip, "Reengineering class hierarchies using concept analysis," in SIGSOFT '98/FSE-6: Proceedings of the 6th ACM SIGSOFT international symposium on Foundations of software engineering. New York, NY, USA: ACM Press, 1998, pp. 99-110.
40. P. Tonella, "Concept analysis for module restructuring," IEEE Transactions on Software Engineering, vol. 27, no. 4, pp. 351-363, 2001.
41. -, "Using a concept lattice of decomposition slices for program understanding and impact analysis," IEEE Transactions on Software Engineering, vol. 29, no. 6, pp. 495-509, 2003.