5 research outputs found
Towards understanding malware behaviour by the extraction of API calls
One of the recent trends adopted by malware authors is to use packers or software tools that instigate code obfuscation in order to evade detection by antivirus scanners. With evasion techniques such as polymorphism and metamorphism malware is able to fool current detection techniques. Thus, security researchers and the anti-virus industry are facing a herculean task in extracting payloads hidden within packed executables. It is a common practice to use manual unpacking or static unpacking using some software tools and analyse the application programming interface (API) calls for malware detection. However, extracting these features from the unpacked executables for reverse obfuscation is labour intensive and requires deep knowledge of low-level programming that includes kernel and assembly language. This paper presents an automated method of extracting API call features and analysing them in order to understand their use for malicious purpose. While some research has been conducted in arriving at file birthmarks using API call features and the like, there is a scarcity of work that relates to features in malcodes. To address this gap, we attempt to automatically analyse and classify the behavior of API function calls based on the malicious intent hidden within any packed program. This paper uses four-step methodology for developing a fully automated system to arrive at six main categories of suspicious behavior of API call features. © 2010 IEEE
Detecting code theft via a static instruction trace birthmark for Java methods
Abstract—A software birthmark is an inherent program characteristic that can identify a program. In this paper, we propose a static instruction trace birthmark to detect code theft of Java methods. Because the static instruction traces can reflect the algorithmic structure of a program, our birthmark can be used to detect algorithm theft which existing static birthmarks cannot handle. Because the static instruction traces are extracted by static analyses, they can be applied to library programs which previous dynamic birthmarks could not. We evaluate the proposed birthmark with respect to two criteria: credibility and resilience. Experimental result shows that our birthmark is more resilient than and at least as credible as the existing Java birthmarks. I
Structural analysis of source code plagiarism using graphs
A dissertation submitted to the Faculty of Science, University of the Witwatersrand,
Johannesburg in fulfillment of the requirements for the degree of Master of Science.
May 2017Plagiarism is a serious problem in academia. It is prevalent in the computing discipline
where students are expected to submit source code assignments as part of their
assessment; hence, there is every likelihood of copying. Ideally, students can collaborate
with each other to perform a programming task, but it is expected that each student
submit his/her own solution for the programming task. More so, one might conclude
that the interaction would make them learn programming. Unfortunately, that may not
always be the case. In undergraduate courses, especially in the computer sciences, if a
given class is large, it would be unfeasible for an instructor to manually check each and
every assignment for probable plagiarism. Even if the class size were smaller, it is still
impractical to inspect every assignment for likely plagiarism because some potentially
plagiarised content could still be missed by humans. Therefore, automatically checking
the source code programs for likely plagiarism is essential.
There have been many proposed methods that attempt to detect source code plagiarism
in undergraduate source code assignments but, an ideal system should be able to
differentiate actual cases of plagiarism from coincidental similarities that usually occur
in source code plagiarism. Some of the existing source code plagiarism detection
systems are either not scalable, or performed better when programs are modified with
a number of insertions and deletions to obfuscate plagiarism. To address this issue, a
graph-based model which considers structural similarities of programs is introduced to
address cases of plagiarism in programming assignments.
This research study proposes an approach to measuring cases of similarities in programming
assignments using an existing plagiarism detection system to find similarities
in programs, and a graph-based model to annotate the programs. We describe
experiments with data sets of undergraduate Java programs to inspect the programs
for plagiarism and evaluate the graph-model with good precision. An evaluation of
the graph-based model reveals a high rate of plagiarism in the programs and resilience
to many obfuscation techniques, while false detection (coincident similarity) rarely occurred.
If this detection method is adopted into use, it will aid an instructor to carry
out the detection process conscientiously.MT 201
Software similarity and classification
This thesis analyses software programs in the context of their similarity to other software programs. Applications proposed and implemented include detecting malicious software and discovering security vulnerabilities