Malware lineage in the wild

Authors: Irfan Ul Haq, Sergio Chica, Juan Caballero, Somesh Jha

DOI: 10.1016/J.COSE.2018.07.012

Keywords: Malware analysis; Hash function; Theoretical computer science; Computer science; Set (abstract data type); Source code; Malware; Executable; Lineage (genetic)

Abstract: Malware lineage studies the evolutionary relationships among malware and has important applications for malware analysis. A persistent limitation of prior approaches is to consider every input sample a separate malware version. This is problematic since the majority of malware is packed, and the packing process produces many polymorphic variants (i.e., executables with different file hashes) of the same version. Thus, many samples correspond to the same version, and it is challenging to identify distinct versions from polymorphic variants. This problem does not manifest in prior approaches because they work on synthetic malware, malware that is not packed, or packed malware for which unpackers are available. In this work, we propose a novel lineage approach that works on malware samples collected in the wild. Given a set of samples from the same family, for which no source code is available and which may be packed, our approach produces a lineage graph where nodes are versions of the family and edges describe the relationships between versions. To enable this approach, we first propose a technique for scalable indexing and for determining the functions shared by any pair of samples. We have evaluated the accuracy of our approach on 13 open-source programs and applied it to produce lineage graphs for 10 popular malware families. Our lineage graphs achieve on average a 26 times reduction in the number of versions relative to the number of input samples.
