Skip to main content
SpringerLink
Log in

Behavior Abstraction in Malware Analysis

  • Conference paper
Book cover Runtime Verification (RV 2010)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 6418))

Included in the following conference series:

Abstract

We present an approach for proactive malware detection working by abstraction of program behaviors. Our technique consists in abstracting program traces, by rewriting given subtraces into abstract symbols representing their functionality. Traces are captured dynamically by code instrumentation, which allows us to handle packed or self-modifying malware. Suspicious behaviors are detected by comparing trace abstractions to reference malicious behaviors. The expressive power of abstraction allows us to handle general suspicious behaviors rather than specific malware code and then, to detect malware mutations. We present and discuss an implementation validating our approach.

This work has been partially supported by the High Security Lab of the LORIA in Nancy: http://lhs.loria.fr. A full version of this article can be found in [5].

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. DynamoRIO, http://dynamorio.org

  2. OpenFST, http://www.openfst.org/

  3. Pin, http://www.pintool.org

  4. Apel, M., Bockermann, C., Meier, M.: Measuring similarity of malware behavior. In: IEEE Conference on Local Computer Networks, pp. 891–898. IEEE, Los Alamitos (October 2009)

    Google Scholar 

  5. Beaucamps, P., Gnaedig, I., Marion, J.-Y.: Behavior Abstraction in Malware Analysis - Extended Version. HAL-INRIA Open Archive Number inria-00509486

    Google Scholar 

  6. Bergeron, J., Debbabi, M., Desharnais, J., Erhioui, M., Lavoie, Y., Tawbi, N.: Static detection of malicious code in executable programs. In: Symposium on Requirements Engineering for Information Security (2001)

    Google Scholar 

  7. Bonfante, G., Kaczmarek, M., Marion, J.-Y.: Architecture of a morphological malware detector. Journal in Computer Virology (2008)

    Google Scholar 

  8. Brumley, D., Hartwig, C., Liang, Z., Newsome, J., Song, D., Yin, H.: Automatically identifying trigger-based behavior in malware. Botnet Detection 36, 65–88 (2008)

    Article  Google Scholar 

  9. Bruschi, D., Martignoni, L., Monga, M.: Detecting self-mutating malware using control-flow graph matching. In: Büschkes, R., Laskov, P. (eds.) DIMVA 2006. LNCS, vol. 4064, pp. 129–143. Springer, Heidelberg (2006)

    Google Scholar 

  10. Christodorescu, M., Jha, S., Seshia, S.A., Song, D., Bryant, R.E.: Semantics-aware malware detection. In: IEEE Symposium on Security and Privacy, pp. 32–46. IEEE Computer Society, Los Alamitos (2005)

    Google Scholar 

  11. Cohen, F.: Computer viruses: Theory and experiments. Computers and Security 6(1), 22–35 (1987)

    Article  Google Scholar 

  12. Dullien, T., Rolles, R.: Graph-based comparison of executable objects. In: Symposium sur la Sécurité des Technologies de l’Information et des Télécommunications (2005)

    Google Scholar 

  13. Esparza, J., Rossmanith, P., Schwoon, S.: A uniform framework for problems on context-free grammars. Bulletin of the EATCS 72, 169–177 (2000)

    MathSciNet  MATH  Google Scholar 

  14. Godefroid, P., Levin, M.Y., Molnar, D.: Automated whitebox fuzz testing. In: Network Distributed Security Symposium, Internet Society (2008)

    Google Scholar 

  15. Gunter, C.A.: Semantics of Programming Languages: Structures and Techniques. MIT Press, Cambridge (1992)

    MATH  Google Scholar 

  16. Jacob, G., Debar, H., Filiol, E.: Malware behavioral detection by attribute-automata using abstraction from platform and language. In: Balzarotti, D. (ed.) RAID 2009. LNCS, vol. 5758, pp. 81–100. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  17. Kinder, J., Katzenbeisser, S., Schallhart, C., Veith, H.: Detecting malicious code by model checking. In: Julisch, K., Krügel, C. (eds.) DIMVA 2005. LNCS, vol. 3548, pp. 174–187. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  18. Charlier, B.L., Mounji, A., Swimmer, M.: Dynamic detection and classification of computer viruses using general behaviour patterns. In: International Virus Bulletin Conference, pp. 1–22 (1995)

    Google Scholar 

  19. Martignoni, L., Stinson, E., Fredrikson, M., Jha, S., Mitchell, J.C.: A layered architecture for detecting malicious behaviors. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 78–97. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  20. Moser, A., Kruegel, C., Kirda, E.: Exploring multiple execution paths for malware analysis. In: IEEE Symposium on Security and Privacy, pp. 231–245. IEEE Computer Society, Los Alamitos (2007)

    Google Scholar 

  21. Sekar, R., Bendre, M., Dhurjati, D., Bollineni, P.: A fast automaton-based method for detecting anomalous program behaviors. In: IEEE Symposium on Security and Privacy, pp. 144–155. IEEE Computer Society, Los Alamitos (2001)

    Google Scholar 

  22. Singh, P.K., Lakhotia, A.: Static verification of worm and virus behavior in binary executables using model checking. In: Information Assurance Workshop, pp. 298–300. IEEE Press, Los Alamitos (2003)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. INPL - INRIA Nancy Grand Est Nancy-Université - LORIA, Campus Scientifique - BP 239, F54506, Vandoeuvre-lès-Nancy Cedex, France

    Philippe Beaucamps, Isabelle Gnaedig & Jean-Yves Marion

Authors
  1. Philippe Beaucamps
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Isabelle Gnaedig
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jean-Yves Marion
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. School of Computer Science, University of Manchester, Kilburn Building, Oxford Road, M13 9PL, Manchester, UK

    Howard Barringer

  2. INRIA, Rennes - Bretagne Atlantique, France

    Ylies Falcone

  3. Department of Computer Science, Saarland University, 66123, Saarbrücken, Germany

    Bernd Finkbeiner

  4. Jet Propulsion Laboratory, M/S 3041-285, 4800 Oak Grove Drive, 91109, Pasadena, CA, USA

    Klaus Havelund

  5. PRECISE Center, Department of Computer and Information Science, University of Pennsylvania, 19104, Philadelphia, PA, USA

    Insup Lee  & Oleg Sokolsky  & 

  6. Department of Computer Science, University of Malta, MSD 06, Msida, Malta

    Gordon Pace

  7. Department of Computer Science, University of Illinois at Urbana-Champaign, 201 N. Goodwin, 61801, Urbana, IL, USA

    Grigore Roşu

  8. Microsoft Research,, One Microsoft Way, 98052, Redmond, WA, USA

    Nikolai Tillmann

Rights and permissions

Reprints and permissions

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Beaucamps, P., Gnaedig, I., Marion, JY. (2010). Behavior Abstraction in Malware Analysis. In: Barringer, H., et al. Runtime Verification. RV 2010. Lecture Notes in Computer Science, vol 6418. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16612-9_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-16612-9_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-16611-2

  • Online ISBN: 978-3-642-16612-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation