DOI: 10.1145/1342211.1342215 (invited talk)

Mining specifications of malicious behavior

Published: 19 February 2008

Abstract

Malware detectors require a specification of malicious behavior. Typically, these specifications are manually constructed by investigating known malware. We present an automatic technique to overcome this laborious manual process. Our technique derives such a specification by comparing the execution behavior of a known malware against the execution behaviors of a set of benign programs. In other words, we mine the malicious behavior present in a known malware that is not present in a set of benign programs. The output of our algorithm can be used by malware detectors to detect malware variants. Since our algorithm provides a succinct description of the malicious behavior present in a malware, it can also be used by security analysts for understanding the malware. We have implemented a prototype based on our algorithm and tested it on several malware programs. Experimental results obtained from our prototype indicate that our algorithm is effective in extracting malicious behaviors that can be used to detect malware variants.
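As an added illustration of the differential-analysis idea in the abstract (this is not the paper's prototype or its algorithm), the toy below mines the shortest event sequences that appear in a known malware trace but in none of a set of benign traces, then uses them to flag a variant. The traces, the "syscall:resource" event abstraction and the n-gram notion of behaviour are all constructed assumptions for the example.

```python
from typing import Dict, List, Set, Tuple

Behavior = Tuple[str, ...]

# Constructed sample traces (not from the paper). Each event is "syscall:resource",
# a coarse abstraction of one step of an execution trace.
MALWARE_TRACE: List[str] = [
    "open:self", "read:self", "connect:net", "send:net", "recv:net",
    "open:sys_dir", "write:sys_dir", "reg_set:run_key",
]
BENIGN_TRACES: Dict[str, List[str]] = {
    "updater":   ["open:self", "read:self", "connect:net", "send:net", "recv:net", "write:cache"],
    "installer": ["connect:net", "send:net", "recv:net", "open:sys_dir", "write:sys_dir",
                  "reg_set:uninstall_key"],
    "tray_app":  ["open:user_cfg", "reg_set:run_key", "connect:net"],
}


def behaviors(trace: List[str], n: int) -> Set[Behavior]:
    """Candidate behaviours: every contiguous window of n events in a trace."""
    return {tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)}


def mine_malspec(malware: List[str], benign: Dict[str, List[str]], max_n: int = 3) -> Set[Behavior]:
    """Differential analysis: the shortest behaviours that the malware trace
    exhibits and no benign trace does. Longer windows that already contain a
    mined behaviour are dropped so the specification stays minimal."""
    spec: Set[Behavior] = set()
    for n in range(1, max_n + 1):
        benign_beh: Set[Behavior] = set()
        for trace in benign.values():
            benign_beh |= behaviors(trace, n)
        for beh in behaviors(malware, n) - benign_beh:
            # Skip windows that merely extend a behaviour mined at a shorter length.
            covered = any(sub in spec for k in range(1, n) for sub in behaviors(list(beh), k))
            if not covered:
                spec.add(beh)
    return spec


def matches(trace: List[str], spec: Set[Behavior]) -> Set[Behavior]:
    """Detector: the mined behaviours a trace exhibits (empty set means not flagged)."""
    return {beh for beh in spec if beh in behaviors(trace, len(beh))}


if __name__ == "__main__":
    spec = mine_malspec(MALWARE_TRACE, BENIGN_TRACES)
    print("mined malspec:", spec)
    # A constructed variant that reorders and drops events but keeps the core behaviour.
    variant = ["open:self", "open:sys_dir", "write:sys_dir", "reg_set:run_key", "connect:net"]
    print("variant flagged:", bool(matches(variant, spec)))
```

Every single event in the malware trace also occurs in some benign program, so the mined specification is the two-event sequence (drop a file into a system directory, then register it for autostart) that no benign trace exhibits; a single unusual syscall would have been a weaker, easier-to-evade signal.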



Published In

ISEC '08: Proceedings of the 1st India software engineering conference
February 2008
164 pages
ISBN:9781595939173
DOI:10.1145/1342211
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. behavior-based detection
  2. differential analysis
  3. malspec

Qualifiers

  • Invited-talk

Conference

ISEC08: India Software Engineering Conference
February 19 - 22, 2008
Hyderabad, India

Acceptance Rates

Overall Acceptance Rate 76 of 315 submissions, 24%

Article Metrics

  • Downloads (last 12 months): 4
  • Downloads (last 6 weeks): 1
Reflects downloads up to 14 Nov 2024

Cited By

  • (2024) Few-Shot Malware Classification via Attention-Based Transductive Learning Network. Mobile Networks and Applications. doi:10.1007/s11036-024-02383-z. Online publication date: 28-Aug-2024.
  • (2022) Learning Fast and Slow: Propedeutica for Real-Time Malware Detection. IEEE Transactions on Neural Networks and Learning Systems, 33(6):2518-2529. doi:10.1109/TNNLS.2021.3121248. Online publication date: Jun-2022.
  • (2022) A Survey of Malware Classification Methods Based on Data Flow Graph. Data Science, pages 80-93. doi:10.1007/978-981-19-5194-7_7. Online publication date: 10-Aug-2022.
  • (2020) RIoTMAN. Proceedings of the 16th International Conference on emerging Networking EXperiments and Technologies, pages 169-182. doi:10.1145/3386367.3431317. Online publication date: 23-Nov-2020.
  • (2020) QMine: A Framework for Mining Quantitative Regular Expressions from System Traces. 2020 IEEE 20th International Conference on Software Quality, Reliability and Security Companion (QRS-C), pages 370-377. doi:10.1109/QRS-C51114.2020.00070. Online publication date: Dec-2020.
  • (2020) Cognitive and Scalable Technique for Securing IoT Networks Against Malware Epidemics. IEEE Access, 8:138508-138528. doi:10.1109/ACCESS.2020.3011919. Online publication date: 2020.
  • (2019) Leveraging Compression-Based Graph Mining for Behavior-Based Malware Detection. IEEE Transactions on Dependable and Secure Computing, 16(1):99-112. doi:10.1109/TDSC.2017.2675881. Online publication date: 1-Jan-2019.
  • (2019) KerTSDroid: Detecting Android Malware at Scale through Kernel Task Structures. 2019 IEEE 25th International Conference on Parallel and Distributed Systems (ICPADS), pages 870-879. doi:10.1109/ICPADS47876.2019.00128. Online publication date: Dec-2019.
  • (2019) Entropy-based security risk measurement for Android mobile applications. Soft Computing - A Fusion of Foundations, Methodologies and Applications, 23(16):7303-7319. doi:10.1007/s00500-018-3377-5. Online publication date: 1-Aug-2019.
  • (2018) A survey of malware behavior description and analysis. Frontiers of Information Technology & Electronic Engineering, 19(5):583-603. doi:10.1631/FITEE.1601745. Online publication date: 16-Jul-2018.