Wenwu Li,Chao Li,Miyi Duan

DOI: https://doi.org/10.1109/ccis.2014.7175735

2014-01-01

Abstract:Authors of obfuscated malicious code generally use the code obfuscation counter technology to improve the difficulty of being reversely analyzed for programming and hide critical code, data and program logic. The detection for malicious code of code obfuscation has become one of the popular topics being researched both domestically and abroad. In this study, a method for detecting the obfuscated malicious code with behavior connection is proposed. In this method, malicious acts are described based on the extended control flow graph to improve the descriptive power of self-modifying and obfuscated code. Furthermore, interference from malicious code brought by shell adding and obfuscation is eliminated by combining the method of stain diffusion and symbolic execution. Then malicious codes are extracted and detected based on behavior connection feature. As a result, accuracy of detecting the obfuscated malicious code is enhanced.

潘剑锋,刘守群,奚宏生,谭小彬

2010-01-01

Abstract:The present study proposes a method for hidden malcode detection based on the analysis of dynamic control-flow. First we recorded the malcode-related control-flow paths of program, and then the control-flow paths were analyzed, by calling tree match algorithm, to detect the hidden malcode in the system. The experiments show that this method can detect hidden malcode efficiently at a high detection rate and with low false positive, and thus it can be applied to malcode detection on operating systems.

Qian Yu,Lansheng Han,Tinghui Dong,Cai Fu,Ming Liu

2014-01-01

Abstract:General steps of analyzing malicious binary files include: Firstly, disassemble binary codes into assembly codes applicable on the current machine; Secondly, conduct analysis to all acquired assembly codes and comprehend code intents before identifying the attribution. These steps are summarized in inclusive descriptions rather than operable properties. One of the major difficulties contained is: Nowadays obfuscated code technique besets with a barrier to direct extraction for effective information from disassembled code files. This paper proposes one binary code analysis method that is generally applicable: Firstly perform an overall analysis to the binary file and complete preliminary wiping off interference information before screening out code snippets with respectively independent functions; secondly, conduct respective processing to each code snippet and achieve more independent basic behavioral units. Inter-skipping relationship within these basic behavioral units helps reestablish the fundamental logic framework of the entire snippet, or control flow graph "CFG". In return the logic framework of the entire program is deduced as well as the genuine intent of obfuscated codes. The last part of the paper carries out corresponding simulation experiment to provide supporting voice for its correctness and effectiveness.

Hong-Liang MA,Wei WANG,Zhen HAN

DOI: https://doi.org/10.11897/SP.J.1016.2017.01699

2017-01-01

Chinese Journal of Computers

Abstract:Obfuscated malicious JavaScript code is very difficult to be detected and to be de-obfuscated.How to effectively and efficiently detect and de-obfuscate obfuscated malicious JavaScript code is thus an emerging and crucial issue.In order to dealing with the issue, in this paper, we analyze in-depth a big number of static outer and dynamic inner features of obfuscation, and accordingly extract effective static and dynamic features from obfuscation.A prototype system for the detection of obfuscation based on anomaly detection techniques and for the de-obfuscation based on variable analysis is designed, which combines static analysis and dynamic analysis of JavaScript codes.Static analysis is used mainly for the detection of obfuscated malicious JavaScript code while dynamic analysis is used for the de-obfuscation.In static analysis, only benign samples are used in training phase.Three machine learning algorithms are employed, namely, Principal Component Analysis(PCA), One-Class Support Vector Machine(OCSVM) and K-Nearest Neighbor(K-NN), to detect the obfuscation of malicious JavaScript code.In dynamic analysis, two steps are followed.Nodes of JavaScript Abstract Syntax Tree (AST) are first tracked and the related variable final values associated with the node types are then used to de-obfuscate.80574 JavaScript-based pages are collected in a real network environment for validating our methods.Extensive experimental results demonstrate that our approach is effective.In particular, PCA achieves a detection rate as 99.90% with a false positive rate as 0.1% for detecting obfuscation.Meanwhile, our de-obfuscation approach automatically de-obfuscates obfuscations with accuracy of more than 80%.

Xincheng He,Chunliu Cha,Lei Xu

DOI: https://doi.org/10.1109/APSEC.2018.00051

2018-12-01

Abstract:JavaScript plays an important role in web applications and services, which is used by millions of web pages in optimizing interface design, embedding dynamic texts, reading and writing HTML elements, validating form data, responding to browser events, controlling cookies and much more. However, since JavaScript is cross-platform and can be executed dynamically, it has been a major vehicle for web-based attacks. Existing solutions work by performing static analysis or monitoring program execution dynamically. However, since the heavy use of obfuscation techniques, many methods no longer apply to malicious JavaScript code detection, and it has been a huge challenge to de-obfuscate obfuscated malicious JavaScript code accurately. In this paper, we propose a hybrid analysis method combining static and dynamic analysis for detecting malicious JavaScript code that works by first conducting syntax analysis and dynamic instrumentation to extract internal features that are related to malicious code and then performing classificationbased detection to distinguish attacks. In addition, based on code instrumentation, we propose a new method which can deobfuscate part of obfuscated malicious JavaScript code accurately. Ultimately, we implement a browser plug-in called MJDetector and perform evaluation on 450 real web pages. Evaluation results show that our method can detect malicious JavaScript code and de-obfuscate obfucation effectively and efficiently. Specifically, MJDetector can detect JavaScipt attacks in current web pages with high accuracy 94.76% and de-obfuscate obfuscate code of specific types with accuracy 100% whereas the base line method can only detect with accuracy 81.16% and has no capacity of de-obfuscation.

Computer Science

Jianguo Ding,Jian Jin,Pascal Bouvry,Yongtao Hu,Haibing Guan

DOI: https://doi.org/10.1109/ICIMP.2009.20

2009-01-01

Abstract:With the rising popularity of the Internet, the resulting increase in the number of available vulnerable machines, and the elevated sophistication of the malicious code itself, the detection and prevention of unknown malicious codes meet great challenges. Traditional anti-virus scanner employs static features to detect malicious executable codes and is hard to detect the unknown malicious codes effectively. We propose behavior-based dynamic heuristic analysis approach for proactive detection of unknown malicious codes. The behavior of malicious codes is identified by system calling through virtual emulation and the changes in system resources. A statistical detection model and mixture of expert (MoE) model are designed to analyze the behavior of malicious codes. The experiment results demonstrate the behavior-based proactive detection is efficient in detecting unknown malicious executable codes.

Meng Li,Xiaoqi Jia,Rui Wang,Dongdai Lin

DOI: https://doi.org/10.3969/j.issn.1000-386x.2015.08.063

2015-01-01

Abstract:In malicious code analysis and detection, the static analysis techniques are not effective to detect metamorphic/polymorphic ma-licious codes.Aiming at this problem, this paper proposes an approach for extracting the dynamic features of malicious code semantics.The method extracts the dynamic features of malicious codes in virtual environment so as to achieve the purpose of protecting physical machine. The primitive features extracted are then further sifted and processed to obtain API calling sequence information in regard to various code sam-ples.In order to make the features more effective, the traditional n-gram model is improved and the n-gram frequency information and the de-pendencies between APIs are added, the improved n-gram model is built as well.The analysis part in experimental result uses the machine learning methods, the decision trees, k-nearest neighbour, support vector machine and Bayesian networks are employed separately to perform a 10-fold crossover validation on the selected sample features.Experimental results show that this feature selection has best detection effect using decision tree J48, it can effectively detect the malicious codes using confusion and polymorphism technologies.

Xiao Cheng,Yan Hui Guo,Qi Li

DOI: https://doi.org/10.2991/emim-15.2015.115

2015-01-01

Abstract:With the rapid development of broadband wireless access technology and mobile terminal, the mobile internet developed quickly in recent years. However, malicious applications have become one of the key factors threatening the development of mobile internet. In order to protect vital interest of mobile terminal users, mobile malicious applications should be effectively prevented and controlled. This paper analyzes the existence limitation of current mobile application detection technology and uses symbolic execution on the base of stream tracing. Malicious code writers usually hide malicious code execution path, and in some special circumstances to trigger some malicious behaviors. We constraint solve execution routes with sensitive calls, and ultimately solve the specific backstage behaviors and trigger conditions. We did some experiments to evaluate the performance of the proposed method. The experimental results show that our method can work well.

Wei Hu,Jie Cheng,Xulei Chong,Ru Zhang,Bingjie Lin,Ang Xia

DOI: https://doi.org/10.1109/prml56267.2022.9882255

2022-01-01

Abstract:To avoid detection, malicious code developers often use various obfuscation methods to evade detection by malicious code detection systems. In this paper, we propose a GAN-based anti-obfuscation training method for malicious code detection models. The method addresses the problem that the obfuscated malicious code can easily evade the malicious code detector. Based on the idea of adversarial training, the method proposes to use GAN to enhance the data of small samples of obfuscated malicious code samples and use the data-enhanced samples to train the malicious code for anti-obfuscation to improve the detection performance of the malicious code detector against the obfuscated malicious code. Finally, experiments are conducted on three different malicious code detectors, and the experiments show that the anti-obfuscation training method proposed in this paper helps to improve the anti-obfuscation capability of the malicious code detector and enhance its detection performance against the obfuscated malicious code.

Ding Yuxin,Dai Wei,Zhang Yibin,Xue Chenglong

DOI: https://doi.org/10.1109/3pgcic.2014.140

2014-01-01

Abstract:An opcode behavior based method is proposed to detect malware. Opcode behaviors are represented as opcode sequences from a decompiled executable. To accurately describe the malware behaviors, we construct the opcode running tree to simulate the dynamic execution of a program, and opcode n-grams are extracted to represent the features of an executable. The experimental results show that the opcode behaviors extracted by this method can fully represent the behavior characteristics of an executable. Compared with the detection method based the opcode distributions, the proposed method has higher overall accuracy and a lower false positive rate.

Xiao Cheng,Yanhui Guo,Qi Li

2015-01-01

Abstract:With the rapid development of broadband wireless access technology and mobile terminal, the mobile internet developed quickly in recent years. However, malicious applications have become one of the key factors threatening the development of mobile internet. In order to protect vital interest of mobile terminal users, mobile malicious applications should be effectively prevented and controlled. This paper analyzes the existence limitation of current mobile application detection technology and uses symbolic execution on the base of stream tracing. Malicious code writers usually hide malicious code execution path, and in some special circumstances to trigger some malicious behaviors. We constraint solve execution routes with sensitive calls, and ultimately solve the specific backstage behaviors and trigger conditions. We did some experiments to evaluate the performance of the proposed method. The experimental results show that our method can work well.

Computer Science

Jinxin Liu,Hao Wu,Huabin Wang

DOI: https://doi.org/10.1049/ic.2014.0154

2014-01-01

Abstract:In recent years, the Android operating system for mobile terminals has developed very quickly. A variety of mobile devices which are using Android operating system are more than 60% in the domestic market share. With the number of Android application raising fast, a variety of information leakage, malicious chargeback, failure of operating system events occurred frequently; the safety of Android system also attracts wide attention of researchers. In this paper, combining static analysis and dynamic analysis, we present a malicious code detection method and implementation. Through the statistics of the sensitive API functions and tracking the flow of sensitive information, static analysis module uses the static analysis reverse technology to achieve the detection of malicious behaviors. And dynamic analysis module mainly uses system log analysis and records a variety of sensitive behaviors generated during the operation to discover intrusions. Furthermore, the ultimate combination of static analysis and dynamic analysis will determine whether the target software contains malicious codes.

Fangzhou Xu,Wang Zhang,Weizhong Qiang,Hai Jin

DOI: https://doi.org/10.1051/sands/2023023

2023-01-01

Abstract:Static analysis is often impeded by malware obfuscation techniques, such as encryption and packing, whereas dynamic analysis tends to be more resistant to obfuscation by leveraging concrete execution information. Unfortunately, malware can employ evasive techniques to detect the analysis environment and alter its behavior accordingly. While known evasive techniques can be explicitly dismantled, the challenge lies in generically dismantling evasions without full knowledge of their conditions or implementations, such as logic bombs that rely on uncertain conditions, let alone unsupported evasive techniques, which contain evasions without corresponding dismantling strategies and those leveraging unknown implementations. In this paper, we present Antitoxin, a prototype for automatically exploring evasive malware. Antitoxin utilizes multi-path exploration guided by taint analysis and probability calculations to effectively dismantle evasive techniques. The probabilities of branch execution are derived from dynamic coverage, while taint analysis helps identify paths associated with evasive techniques that rely on uncertain conditions. Subsequently, Antitoxin prioritizes branches with lower execution probabilities and those influenced by taint analysis for multi-path exploration. This is achieved through forced execution, which forcefully sets the outcomes of branches on selected paths. Additionally, Antitoxin employs active anti-evasion countermeasures to dismantle known evasive techniques, thereby reducing exploration overhead. Furthermore, Antitoxin provides valuable insights into sensitive behaviors, facilitating deeper manual analysis. Our experiments on a set of highly evasive samples demonstrate that Antitoxin can effectively dismantle evasive techniques in a generic manner. The probability calculations guide the multi-path exploration of evasions without requiring prior knowledge of their conditions or implementations, enabling the dismantling of unsupported techniques such as C2 and significantly improving efficiency compared to linear exploration when dealing with complex control flows. Additionally, taint analysis can accurately identify branches related to logic bombs, facilitating preferential exploration.

Chenghua Tang,Mengmeng Yang,Qingze Gao,Baohua Qiang

DOI: https://doi.org/10.1504/ijics.2024.137719

2022-01-01

International Journal of Information and Computer Security

Abstract:Using behaviour association or dependency to detect malicious code can improve the recognition rate of malicious code. A malicious code detection method based on precise behaviour dependency graph (PBDG) is proposed. We create a stain file index by filtering the stain source blacklist, which not only saves storage space, but also quickly locates instructions. An active variable path verification algorithm is proposed to verify and purify the Source → Sink path. The PBDG and its matching algorithm are constructed to identify the malicious code family of the source program. The experimental results on six data sets show the effectiveness of this method. The introduction of active variable paths reduces the number of paths that need to be traversed by 91.2% at most. In terms of the detection effect of malicious code, especially for web applications, it has a good detection accuracy and a low false positive rate.

JiaJing Li,Tao Wei,Wei Zou,Jian Mao

DOI: https://doi.org/10.1109/isecs.2009.148

2009-01-01

Abstract:Existing techniques based on behavior semantics for information theft malware detection have the main shortcomings of low path coverage and disability of finding hidden malicious behaviors. In this paper we propose a static method for the detection of information theft malware to overcome these shortcomings. It is particularly efficient for inter-procedure taint analysis, and it is suitable for complicated malware detection, such as Trojan and Bot. Its static style makes it able to find hidden malicious behaviors. We also present an implementation of our method that works on x86 executables and a set of experimental studies validate its good efficiency and effectiveness.

Jinkun Pan,Xiaoguang Mao

DOI: https://doi.org/10.2991/ameii-16.2016.157

2016-01-01

Abstract:In recent years, malicious JavaScript code has become more and more pervasive and been used by attackers to perform their attacks on the Web. To evade the detection of defense measures, various kinds of obfuscation techniques have been applied by the malicious script, taking advantage of the dynamic nature of JavaScript language. In this paper, we propose a new machine-learning based detection approach aiming at defeating such evasion attempts. Dynamic execution traces are recorded to capture all behaviors performed by the malicious script, including the dynamic generated code. Semantic-based deobfuscation is used to simplify the traces to get more concise and more essential instructions. None-ordered and none-concessive trace patterns are extracted from the deobfuscated traces to represent the intrinsic features for malicious scripts. We evaluated our approach with a large number of dataset collected from the Internet. The empirical results demonstrate that our approach is able to detect obfuscated malicious JavaScript code both effectively and efficiently.

Zhimin Yin,Xiangzhan Yu,Linhua Niu

DOI: https://doi.org/10.2991/icaise.2013.45

2013-01-01

Abstract:The malicious code on the network is increasingly rampant that the traditional detection method of characteristic code has been difficult to deal with malicious code, with features of various variants, deformations and other problems. In this paper we present a new static analysis model based on software fingerprint to distinguish malicious codes. Through obtaining the software call graph by disassembling the binary file and mapping it as an image, shape moments can be obtained as the software fingerprint based on the retrieval theory of content image, combined with moment theory and the image's color, texture and shape features. The idea of pattern matching is used to measure the extracted software fingerprint similarity to determine whether it is malicious code or not. Then, we analyze the collected program samples. Test and verify whether the program has good performance in uniqueness, invariability and sensibility.

刘巍伟,石勇,郭煜,韩臻,沈昌祥

DOI: https://doi.org/10.3321/j.issn:0372-2112.2009.04.005

2009-01-01

Abstract:The existing malicious code detection algorithms which are based on individual behaviors have some drawbacks.In this paper we present a new malicious code detection algorithm based on behavior characteristics by importing improved attack tree model to describe the entity relationships during the malicious code execution time.It is named IBC-DA.The experiments result shows that the proposed algorithm works in most cases of detection and only has minor errors in few conditions.This algorithm has very positive sense for unknown malicious code detection.

Jinming Wang,Tao Yang,Pengchao Yao,Bingjing Yan,Weijie Hao,Qiang Yang

DOI: https://doi.org/10.1109/powercon53785.2021.9697702

2021-01-01

Abstract:With the introduction of advanced information technology of Cyber-physical Power System (CPPS), the information exchange between CPPS and the outside is increasingly inevitable and frequent while attackers have rising motivation to attack CPPS terminals especially through malware. The existing detectors against malware mainly detect files at the static level, of which the key lies in the malware signature library. The detectors can efficiently identify the known viruses whose signatures have been included in the library, while for new or mutated malware, such technologies often do not play a good role. Meanwhile, the weak anti-disturbance and robustness make the detectors easy to suffer adversarial attacks. Therefore, an effective adversarial example generation technology capable of improving the detection ability of CPPS terminals is necessary. This paper proposes two code obfuscation approaches as well as their combination, which are able to obfuscate the codes of malware while keeping the semantics consistent. The approaches aim to extend the obfuscation coverage and alter the static characteristic of malware, finally to generate adversarial examples which can mislead malware detectors so as to finally upgrade detection technologies. We evaluated our generated adversarial examples using four different types of commercial detectors. The results confirm that generated adversarial examples are capable of bypassing the commercial malware detectors at the static level, especially for the detectors based on feature matching and heuristic detection.

Ding Yuxin,Yuan Xuebing,Zhou Di,Dong Li,An Zhanchao

DOI: https://doi.org/10.1016/j.cose.2011.05.007

IF: 5.105

2011-01-01

Computers & Security

Abstract:Currently almost all static methods for detecting malicious code are signature-based, this leads the result that viruses can easily escape detection by simple mechanisms such as code obfuscation. In this paper, a behavior-based detection approach is proposed to address this problem. The behaviors of interest are defined as static system call sequences. Unlike the traditional approach, which derives system call sequences by running executables (i.e., dynamic system call sequences), this approach statically analyzes binary code to derive system call sequences. In this paper, a method for deriving static system call sequences is presented, and two automatic feature-selection methods based on n-grams are proposed. We use machine-learning methods, including the K-nearest neighbor, Support Vector Machine, and decision tree methods to classify executables. The proposed approach is compared with the dynamic detection approach using dynamic system call sequences. The experimental results show that the proposed approach has higher accuracy and a lower false positive rate than the dynamic detection approach.