Similarity-based matching meets Malware Diversity

Authors: Stefan Brunthaler, Michael Franz, Per Larsen, Stephen Crane, Mathias Payer

DOI:

Keywords: Source code; Computer science; Code (cryptography); Theoretical computer science; Malware; Set (abstract data type); Data mining; Similarity (network science); Software

Abstract: Similarity metrics, e.g., signatures as used by anti-virus products, are the dominant technique to detect if a given binary is malware. The underlying assumption of this approach is that all instances of a malware (or even of a malware family) will be similar to each other. Software diversification is a probabilistic technique that uses code and data randomization and the expressiveness of the target instruction set to generate large amounts of functionally equivalent but different binaries. Malware diversity builds on software diversity and ensures that any two diversified instances of the same malware have low similarity (according to a set of similarity metrics). An LLVM-based prototype implementation diversifies both code and data in malware binaries, and our evaluation shows that matching based only on similarity metrics identifies just one or a few instances out of a pool of diversified binaries generated from the same source code.
