Impeding behavior-based malware analysis via replacement attacks to malware specifications

Authors: Jiang Ming, Zhi Xin, Pengwei Lan, Dinghao Wu, Peng Liu

DOI: 10.1007/S11416-016-0281-3

Keywords:

Abstract: As the underground market of malware flourishes, there is an exponential increase in the number and diversity of malware. A crucial question in malware analysis research is how to define specifications or signatures that faithfully describe similar malicious intent and also clearly stand out from other programs. Although traditional specifications based on syntactic signatures are efficient, they can be easily defeated by various obfuscation techniques. Since malicious behavior is often stable across malware instances, behavior-based specifications, which capture real malicious characteristics during run time, have become more prevalent in anti-malware tasks such as detection and clustering. This kind of specification is typically extracted from the system call dependence graph that a sample invokes. In this paper, we present replacement attacks that camouflage similar behaviors by poisoning behavior-based specifications. The key method of our attacks is to replace a system call dependence graph with its semantically equivalent variants, so that samples within one family turn out to be different. As a result, analysts have to put more effort into reexamining samples that may have been investigated before. We distil general attacking strategies by mining more than 5200 samples' behavior specifications and implement a compiler-level prototype to automate the attacks. Experiments on 960 samples demonstrate the effectiveness of our approach in impeding similarity comparison. In the end, we discuss possible countermeasures in order to strengthen existing defenses.
