DOI: 10.1007/11790754_8
Article

Detecting self-mutating malware using control-flow graph matching

Published: 13 July 2006

Abstract

Next generation malware will be characterized by the intense use of polymorphic and metamorphic techniques aimed at circumventing current malware detectors, which are based on pattern matching. In order to deal with this new kind of threat, novel techniques have to be devised for the realization of malware detectors. Recent papers have started to address this issue, and this paper represents a further contribution to the field. More precisely, in this paper we propose a strategy for the detection of metamorphic malicious code inside a program P based on the comparison of the control flow graph of P against the set of control flow graphs of known malware. We also provide experimental data supporting the validity of our strategy.
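As an added example (not the paper's own code or toolchain), the following Python implements the core step of the strategy the abstract describes: a label-aware subgraph-isomorphism check that asks whether the control-flow graph of a known malware sample is embedded in the control-flow graph of a program P. The block labels, the sample signature graph, the infected program and its benign counterpart are all constructed for illustration.

```python
# Added illustration (not the paper's own code): does the control-flow graph
# (CFG) of a known malware sample occur as a label-preserving subgraph of the
# CFG of a program P?  A CFG is {block: (label, [successors])}, where a label
# stands for the normalized content of a basic block.  All data is constructed.
def cfg_contains(program, pattern):
    """Backtracking subgraph-isomorphism search over block labels and edges.
    Returns {pattern_block: program_block} for an embedding, or None."""
    order = list(pattern)

    def edges_ok(m):
        # every pattern edge whose endpoints are both mapped must exist in P
        for src, (_, succs) in pattern.items():
            if src in m:
                for dst in succs:
                    if dst in m and m[dst] not in program[m[src]][1]:
                        return False
        return True

    def search(i, m):
        if i == len(order):
            return dict(m)
        pb = order[i]
        for gb, (label, _) in program.items():
            if label != pattern[pb][0] or gb in m.values():
                continue  # wrong block content, or program block already used
            m[pb] = gb
            if edges_ok(m):
                found = search(i + 1, m)
                if found is not None:
                    return found
            del m[pb]
        return None

    return search(0, {})

# Constructed signature: a load/xor/compare loop that ends in a call.
MALWARE_CFG = {"m0": ("init", ["m1"]), "m1": ("load", ["m2"]), "m2": ("xor", ["m3"]),
               "m3": ("cmp", ["m1", "m4"]), "m4": ("call", [])}
# Constructed program that embeds the signature among unrelated blocks.
INFECTED_CFG = {"p0": ("entry", ["p1", "p7"]), "p1": ("init", ["p2"]),
                "p2": ("load", ["p3"]), "p3": ("xor", ["p4"]),
                "p4": ("cmp", ["p2", "p5"]), "p5": ("call", ["p6"]),
                "p6": ("ret", []), "p7": ("call", ["p6"])}
# Constructed benign program: same block labels, but no loop back edge p4->p2.
BENIGN_CFG = {
    k: (lbl, [s for s in succs if (k, s) != ("p4", "p2")])
    for k, (lbl, succs) in INFECTED_CFG.items()
}
```

The benign graph shares every block label with the infected one, so a match on instruction mix alone would flag it; only the edge check (the missing back edge) tells them apart, which is the point of matching on structure.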





Published In

DIMVA'06: Proceedings of the Third International Conference on Detection of Intrusions and Malware & Vulnerability Assessment
July 2006, 194 pages
ISBN: 354036014X
Editors: Roland Büschkes, Pavel Laskov

Sponsors

  • McAfee
  • Symantec
  • Technologiestiftung Berlin

Publisher

Springer-Verlag, Berlin, Heidelberg


Article Metrics

  • Downloads (last 12 months): 0
  • Downloads (last 6 weeks): 0

Reflects downloads up to 20 Dec 2024

Cited By

  • (2024) R2I: A Relative Readability Metric for Decompiled Code. Proceedings of the ACM on Software Engineering 1:FSE, pp. 383-405. DOI 10.1145/3643744. Online publication date: 12-Jul-2024
  • (2023) EMBERSim. Proceedings of the 37th International Conference on Neural Information Processing Systems, pp. 26722-26743. DOI 10.5555/3666122.3667283. Online publication date: 10-Dec-2023
  • (2023) Accurate Disassembly of Complex Binaries Without Use of Compiler Metadata. Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 4, pp. 1-18. DOI 10.1145/3623278.3624766. Online publication date: 25-Mar-2023
  • (2023) Scalable Program Clone Search through Spectral Analysis. Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 808-820. DOI 10.1145/3611643.3616279. Online publication date: 30-Nov-2023
  • (2023) Dependency-Aware Metamorphic Testing of Datalog Engines. Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 236-247. DOI 10.1145/3597926.3598052. Online publication date: 12-Jul-2023
  • (2023) A Transformer-based Function Symbol Name Inference Model from an Assembly Language for Binary Reversing. Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security, pp. 951-965. DOI 10.1145/3579856.3582823. Online publication date: 10-Jul-2023
  • (2022) Practical Binary Code Similarity Detection with BERT-based Transferable Similarity Learning. Proceedings of the 38th Annual Computer Security Applications Conference, pp. 361-374. DOI 10.1145/3564625.3567975. Online publication date: 5-Dec-2022
  • (2022) Harm-DoS: Hash Algorithm Replacement for Mitigating Denial-of-Service Vulnerabilities in Binary Executables. Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 276-291. DOI 10.1145/3545948.3545967. Online publication date: 26-Oct-2022
  • (2022) Systematically Evaluating the Robustness of ML-based IoT Malware Detection Systems. Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 308-320. DOI 10.1145/3545948.3545960. Online publication date: 26-Oct-2022
  • (2022) SMODIC: A Model Checker for Self-modifying Code. Proceedings of the 17th International Conference on Availability, Reliability and Security, pp. 1-6. DOI 10.1145/3538969.3538978. Online publication date: 23-Aug-2022
