Behavior Abstraction in Malware Analysis - Extended Version

We present an approach for proactive malware detection by working on an abstract representation of a program behavior. Our technique consists in abstracting program traces, by rewriting given subtraces into abstract symbols representing their functionality. Traces are captured dynamically by code instrumentation in order to handle packed or self-modifying malware. Suspicious behaviors are detected by comparing trace abstractions to reference malicious behaviors. The expressive power of abstraction allows us to handle general suspicious behaviors rather than specific malware code and then, to detect malware mutations. We present and discuss an implementation validating our approach

Abstraction-based Malware Analysis Using Rewriting and Model Checking

International audienceWe propose a formal approach for the detection of high-level malware behaviors. Our technique uses a rewriting-based abstraction mechanism, producing abstracted forms of program traces, independent of the program implementation. It then allows us to handle similar be- haviors in a generic way and thus to be robust with respect to variants. These behaviors, defined as combinations of patterns given in a signa- ture, are detected by model-checking on the high-level representation of the program. We work on unbounded sets of traces, which makes our technique useful not only for dynamic analysis, considering one trace at a time, but also for static analysis, considering a set of traces inferred from a control flow graph. Abstracting traces with rewriting systems on first order terms with variables allows us in particular to model dataflow and to detect information leak

Classification of Polymorphic Virus Based on Integrated Features

Standard virus classification relies on the use of virus function, which is a small number of bytes written in assembly language. The addressable problem with current malware intrusion detection and prevention system is having difficulties in detecting unknown and multipath polymorphic computer virus solely based on either static or dynamic features. Thus, this paper presents an effective and efficient polymorphic classification technique based on integrated features. The integrated feature is selected based on Information Gain (IG) rank value between static and dynamic features. Then, all datasets are tested on Naïve Bayes and Random Forest classifiers. We extracted 49 features from 700 polymorphic computer virus samples from Netherland Net Lab and VXHeaven, which includes benign and polymorphic virus function. We spilt the dataset based on 60:40 split ratio sizes for training and testing respectively. Our proposed integrated features manage to achieve 98.9% of accuracy value

Behavior Analysis of Malware by Rewriting-based Abstraction - Extended Version

We propose a formal approach for the detection of high-level program behaviors. These behaviors, defined as combinations of patterns in a signature, are detected by model-checking on abstracted forms of program traces. Our approach works on unbounded sets of traces, which makes our technique useful not only for dynamic analysis, considering one trace at a time, but also for static analysis, considering a set of traces inferred from a control flow graph. Our technique uses a rewriting-based abstraction mechanism, producing a high-level representation of the program behavior, independent of the program implementation. It allows us to handle similar behaviors in a generic way and thus to be robust with respect to variants. Successfully applied to malware detection, our approach allows us in particular to model and detect information leak

Abstraction by Term Rewriting for Malware Behavior Analysis - Extended Version

We propose a formal approach for behavioral analysis of programs based on dynamic analysis. It works by abstracting execution traces with respect to given behavior patterns in order to produce a high level representation of a program behavior and then, by comparing this abstract form to signatures defining reference abstract malicious behaviors. Abstraction is performed by term rewriting using rules on terms with variables, which enables to handle the data used by behavior functionalities. This technique allows us to deal with interleaved behaviors. Successfully applied to malware detection, it allows us in particular to model and detect information leak