Evaluation Methodologies in Software Protection Research

Man-at-the-end (MATE) attackers have full control over the system on which the attacked software runs, and try to break the confidentiality or integrity of assets embedded in the software. Both companies and malware authors want to prevent such attacks. This has driven an arms race between attackers and defenders, resulting in a plethora of different protection and analysis methods. However, it remains difficult to measure the strength of protections because MATE attackers can reach their goals in many different ways and a universally accepted evaluation methodology does not exist. This survey systematically reviews the evaluation methodologies of papers on obfuscation, a major class of protections against MATE attacks. For 572 papers, we collected 113 aspects of their evaluation methodologies, ranging from sample set types and sizes, over sample treatment, to performed measurements. We provide detailed insights into how the academic state of the art evaluates both the protections and analyses thereon. In summary, there is a clear need for better evaluation methodologies. We identify nine challenges for software protection evaluations, which represent threats to the validity, reproducibility, and interpretation of research results in the context of MATE attacks

A Framework for Recognition and Confronting of Obfuscated Malwares Based on Memory Dumping and Filter Drivers

In this paper obfuscation techniques used by novel malwares presented and compared. IAT smashing, string encryption and dynamic programing are explained in static methods and hooking at user and kernel level of OS with DLL injection, modifying of SSDT and IDT table addresses, filter IRPs, and possessor emulation are techniques in dynamic methods. This paper suggest Approach for passing through malware obfuscation techniques. In order that it can analyze malware behaviors. Our methods in proposed approach are detection presence time of a malware at user and kernel level of OS, dumping of malware executable memory at correct time and precise hook installing. Main purpose of this paper is establishment of an efficient platform to analyze behavior and detect novel malwares that by use of metamorphic engine, packer and protector tools take action for obfuscation and metamorphosis of themself. At final, this paper use a dataset embeds different kind of obfuscated and metamorphic malwares in order to prove usefulness of its methods experiments. Show that proposed methods can confront most malware obfuscation techniques. It evaluated success rate to unpacking, obfuscated malwares and it shows 85 success rate to recognize kernel level malwares. © 2017, Springer Science+Business Media, LLC