李佳静,梁知音,韦韬,邹维,毛剑

DOI: https://doi.org/10.3724/sp.j.1001.2010.03507

2010-01-01

Abstract:In this paper, a novel method is presented to solve these problems.This method processes the X86 executable programs statically, so it has a higher code coverage than dynamic methods.Besides, it employs a data flow analysis method to identify the jump targets for indirect jumps.It also utilizes optimized tainting mark rules based on the operation semantic of branch conditions.Experiments on 103 real malwares and 7 benign softwares show that the proposed method has the following advantages: For Trojan-spy program detection, it can reduce the false negatives caused by the explicit-flow-sensitive method, and it is effective in dealing with information steal behaviors triggered by some particular conditions.For benign program analysis, it can reduce most of the tainted branches that should be tracked in the original implicit-flow-sensitive method without optimization.

白莉莉,庞建民,张一弛,岳峰

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.09.048

2010-01-01

Abstract:Aiming at the problem that malware detection method based on signature can be easily subverted by obfuscation techniques,this paper proposes a detection method based on Critical Application Programming Interface Graph(CAG).By statically extracting nodes with critical API calling from Control Flow Graph(CFG) for each malware,each malicious behavior can be presented by one CAG.A matching algorithm based on CAG is used to determine whether a suspicious executable programming has the same malicious behavior as a malware does.Experimental results show that the method can detect malware variants efficiently with low false negative rate.

李佳静,梁知音,韦韬,毛剑

DOI: https://doi.org/10.3321/j.issn:0479-8023.2008.04.007

2008-01-01

Abstract:A semantic based method is presented to analyze malicious behavior in software, with more precise description of function call based attacks, and flow sensitive, context sensitive and path sensitive inter-procedure analysis ability. Experiments on malicious and benign programs show that it is effective to identify malicious behavior in software.

JiaJing Li,Tao Wei,Wei Zou,Jian Mao

DOI: https://doi.org/10.1109/isecs.2009.148

2009-01-01

Abstract:Existing techniques based on behavior semantics for information theft malware detection have the main shortcomings of low path coverage and disability of finding hidden malicious behaviors. In this paper we propose a static method for the detection of information theft malware to overcome these shortcomings. It is particularly efficient for inter-procedure taint analysis, and it is suitable for complicated malware detection, such as Trojan and Bot. Its static style makes it able to find hidden malicious behaviors. We also present an implementation of our method that works on x86 executables and a set of experimental studies validate its good efficiency and effectiveness.

Nitin Kanaskar,Remzi Seker,Jiang Bian,Vir V. Phoha

DOI: https://doi.org/10.1109/TSMCC.2012.2208187

2012-01-01

Abstract:Code injection is a common approach which is utilized to exploit applications. We introduce some of the well-established techniques and formalisms of dynamical system theory into analysis of program behavior via system calls to detect code injections into an applications execution space. We accept a program as a blackbox dynamical system whose internals are not known, but whose output we can observe. The blackbox system observable in our model is the system calls the program makes. The collected system calls are treated as signals which are used to reconstruct the system’s phase space. Then, by using the well-established techniques from dynamical system theory, we quantify the amount of complexity of the system’s (program’s) behavior. The change in the behavior of a compromised system is detected as anomalous behavior compared with the baseline established from a clean program. We test the proposed approach against DARPA-98 dataset and a real-world exploit and present code injection experiments to show the applicability of our approach.

Hongying Tang,Bo Zhu,Kui Ren

DOI: https://doi.org/10.1007/978-3-642-02617-1_24

2010-01-01

Abstract:Malware has become one of the most serious threats to computer users. Early techniques based on syntactic signatures can be easily bypassed using program obfuscation. A promising direction is to combine Control Flow Graph (CFG) with instruction-level information. However, since previous work includes only coarse information, i.e., the classes of instructions of basic blocks, it results in false positives during the detection. To address this issue, we propose a new approach that generates formalized expressions upon assignment statements within basic blocks. Through combining CFG with the functionalities of basic blocks, which are represented in terms of upper variables with their corresponding formalized expressions and system calls (if any), our approach can achieve more accurate malware detection compared to previous CFG-based solutions.

Nai Xia,Bing Mao,Qingkai Zeng,Li Xie

DOI: https://doi.org/10.1007/978-3-540-77505-8_8

2007-01-01

Abstract:Control-hijacking attacks are known as critical threats to software security. Control flow monitoring is a kind of important method to mitigate this problem. In this paper, we present a new method for program control flow monitoring. Based on the static analysis of a program, we apply very simple instrumentation of a progam's source code to encode its runtime function level control flow traces and check the correctness of the traces in the OS kernel. Experiments show that this method has a tiny performance impact and is still highly effective in detecting control-hijacking attacks. We also propose to automatically handle non-standard control flow by learning programs' dynamic profiling data. Our method is hopeful to be enforceable in different environments because it does not depend closely on specific platform features and the underlying techniques can be easily found in many platforms.

Xinlei Yao,Jianmin Pang,Yichi Zhang,Yong Yu,Jianping Lu

DOI: https://doi.org/10.1109/mines.2012.25

2012-01-01

Abstract:Control flow obfuscation is an important way of software copyright protection, the main purpose is to make the static analysis tools produce wrong control flow graph, and then prevent malicious use of reverse engineering against software. In this paper we ropose an approach to implement control flow obfuscation using Windows structured exception handling mechanism. Programs are obfuscated by replacing branch instructions with exception code and inserting fake branch instruction after the exception code. Furthermore, exception code random technology is used to improve the resilience of the obfuscated code. Experimental results show that disassemble tools fail to identify 56.7% control flow of the obfuscated code, and have a misunderstanding of 40% control flow. The increase in program size and execute time of the obfuscated code is also modest.

薛永岭,黄皓,张博

DOI: https://doi.org/10.3969/j.issn.1000-3428.2009.09.046

2009-01-01

Abstract:Current software attacks often build on exploits that subvert machine-code execution.This paper proposes a new signature monitoring technique to enhance the control-flow integrity of program.It uses the execution of function as the basic item of the control-flow of the program.To get more exact intent of program,it scans the source code,and gets the information of function call sequence.According to the information,the model of program’s intent can be built.The model is used to monitor the program in runtime.Experimental results show the monitoring system makes the program more secure to reject the control-flow attacks.

LIU Heng,WEN Wei-ping,WAN Zheng-su

DOI: https://doi.org/10.3969/j.issn.1671-1122.2011.07.005

2011-01-01

Abstract:Static analysis and dynamic analysis are the two common analysis methods in malware analysis. With the anti-debugging, program packers, code obfuscation, polymorphism and variants such technologies coming out, the limitations of static analysis methods become more and more. Here is a tool to dynamic analysis Malware Code based on kernel callback and Regular Expressions, demonstrate it’s capabilities by analyzing the Fujacks .As a result ,improved the efficiency of the tool in the automating analysis.

XIA Nai,GUO Ming-song,Bing Mao,Li Xie

DOI: https://doi.org/10.3321/j.issn:0372-2112.2007.02.038

2007-01-01

Abstract:Attacks to program vulnerabilities is a severe problem nowadays.This paper puts forward a new simplified approach based on programs' runtime control flow monitoring.Compared to the methods based on system call sequence analysis,this approach has better granularity;Compared to the methods using whole call graph verification,it has the same effectiveness but more applicable.The results show that this approach can detect many kinds of known attacks to program vulnerabilities.

Haizhou Wang,Nanqing Luo,Peng LIu

2024-11-09

Abstract:Sandboxes and other dynamic analysis processes are prevalent in malware detection systems nowadays to enhance the capability of detecting 0-day malware. Therefore, techniques of anti-dynamic analysis (TADA) are prevalent in modern malware samples, and sandboxes can suffer from false negatives and analysis failures when analyzing the samples with TADAs. In such cases, human reverse engineers will get involved in conducting dynamic analysis manually (i.e., debugging, patching), which in turn also gets obstructed by TADAs. In this work, we propose a Large Language Model (LLM) based workflow that can pinpoint the location of the TADA implementation in the code, to help reverse engineers place breakpoints used in debugging. Our evaluation shows that we successfully identified the locations of 87.80% known TADA implementations adopted from public repositories. In addition, we successfully pinpoint the locations of TADAs in 4 well-known malware samples that are documented in online malware analysis blogs.

Cryptography and Security,Artificial Intelligence

Ulrich Bayer,Andreas Moser,Christopher Kruegel,Engin Kirda

DOI: https://doi.org/10.1007/s11416-006-0012-2

2006-05-16

Journal in Computer Virology

Abstract:Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware.

Yang Zhao,Zeng Qingkai

DOI: https://doi.org/10.3969/j.issn.1000-386x.2013.04.001

2013-01-01

Abstract:This paper proposes a method to automatically detect anti-analysis malware.This approach records the traces of system calls and instructions executed by malware across four different analysis platform based on two monitoring and recording technologies.At first,the system call traces are compared.If a deviation exists,further comparison on instruction traces is needed to determine whether the root cause is anti-analysis or not.Experimental results have demonstrated that the approach can detect varies of analysis evasion technology.

Wei Deng,Qiao Liu,Hongrong Cheng,Zhiguang Qin

2011-01-01

Journal of Computational Information Systems

Abstract:Malware has been posing a major threat for computer systems. The huge amount and diversity of its variants, such as computer viruses, Internet worms and Trojan horses, render classic security defenses ineffective. For the existence of active adversaries which constantly attempt to evade anti-malware, traditional signature-based approaches fail to detect malware which is new or obfuscated. This paper presents a general malware detection framework based on Kolmogorov complexity. As an example, we use a statistical data compression model which is Dynamic Markov Compression (DMC) to classify a code instance either as a "malware" or "benign" code instance. Our preliminary results are very promising. Our experimental results also demonstrate the framework can effectively detect unknown and obfuscated malware with high quality. © 2005 by Binary Information Press.

Chao DAI,Jian-min PANG,Yi-chi ZHANG,Liang ZHU,Feng YUE,Hong-wei TAO

2017-01-01

Abstract:The malware behavior analysis is composed of analysis in disassembly level and system-call level.Out of the finer grain,the analysis in disassembly level is irreplaceable in characterizing the code behavior.However,the existing analysis technologies in disassembly level is not good at coping with discontinuous instruction sequences.In view of this situation and characteristics of binary code,this paper proposes a method of behavior analysis in disassembly level based on pattern matching with wildcards and gap-length constrains,called CFG-refinedSAIL.It reconstructs the code structure by the recursive traversal disassembly algorithm first.Then the algorithm compares the opcode sequences in each basicblock of control flow with the opcode sequences of malware behavior in a refined way to find out the malware behavior in disassembly level.Finally,the test validates the effectiveness the algorithm,and its performance is good,which could provide the basis for subsequent analysis of malware.

He SUN,Lifa WU,Zheng HONG,Huiying YAN,Yafeng ZHANG

DOI: https://doi.org/10.3969/j.issn.1000-3428.2017.03.027

2017-01-01

Abstract:Extracting a complete and accurate function call graph is the foundation of malware similarity analysis based on function call graph.This paper proposes a malware function call graph extraction method which integrates both dynamic and static analysis methods.It extracts executable path of malicious programs on the basis of static disassembly,and an active discovery strategy of hidden information is used to find out the hidden instructions and function calls in the malware.A dynamic feedback mechanism is used to ensure the information synchronization during the process of static and dynamic analysis.The experimental results show that the proposed method can deal with all kinds of reverse analysis technologies and extract a complete and accurate function call graph from malwares.

Xiaokai Ma,Zhemin Yang

DOI: https://doi.org/10.3969/j.issn.1000-386x.2017.11.058

2017-01-01

Abstract:With the development of malware detection and analysis techniques,a large number of malwares use evasion techniques to fight against security analysis.Among these evasion techniques,code-hiding evasion techniques hide application code from static analysis,thus cause analysis results wrong or incomplete.The explosive growth of malware required automated detection of code-hiding evasion techniques.Through manual analysis of 142 malicious samples,this paper summarized an approach for detecting code-hiding evasion techniques and implemented a generic automated detection framework.We use the detection framework to do experiments on 2 278 samples in a third party applications market,and find that 34.9％ samples use code-hiding evasion techniques.

Sun Haoliang,Wang Dawei,Zhang Ying

DOI: https://doi.org/10.1109/iccsn.2019.8905286

2019-01-01

Abstract:Nowadays, a major challenge to network security is malicious codes. However, manual extraction of features is one of the characteristics of traditional detection techniques, which is inefficient. On the other hand, the features of the content and behavior of the malicious codes are easy to change, resulting in more inefficiency of the traditional techniques. In this paper, a K-Means Clustering Analysis is proposed based on Adaptive Weights (AW-MMKM). Identifying malicious codes in the proposed method is based on four types of network behavior that can be extracted from network traffic, including active, fault, network scanning, and page behaviors. The experimental results indicate that the AW-MMKM can detect malicious codes efficiently with higher accuracy.

文勇,蔡铭,陈刚,杨子江,金星

DOI: https://doi.org/10.16208/j.issn1000-7024.2010.11.037

2010-01-01

Abstract:To effectively carry out the object code analysis and verification,a novel method of control flow and structural coverage measurement for object code verification is presented based on CPU module extension.By branch instruction function extension,along with a new module for dynamic branch target buffer,the control flow of object code is collected effectively.And then,the algorithm for control flow construction and structural coverage measurement are given respectively.Both the overhead and computation complexity are acceptable with analysis study.Competitive advantage of this method is independent of compiler and non-incursive measurement for the object code.