李佳静,梁知音,韦韬,毛剑

DOI: https://doi.org/10.3321/j.issn:0479-8023.2008.04.007

2008-01-01

Abstract:A semantic based method is presented to analyze malicious behavior in software, with more precise description of function call based attacks, and flow sensitive, context sensitive and path sensitive inter-procedure analysis ability. Experiments on malicious and benign programs show that it is effective to identify malicious behavior in software.

LIU Heng,WEN Wei-ping,WAN Zheng-su

DOI: https://doi.org/10.3969/j.issn.1671-1122.2011.07.005

2011-01-01

Abstract:Static analysis and dynamic analysis are the two common analysis methods in malware analysis. With the anti-debugging, program packers, code obfuscation, polymorphism and variants such technologies coming out, the limitations of static analysis methods become more and more. Here is a tool to dynamic analysis Malware Code based on kernel callback and Regular Expressions, demonstrate it’s capabilities by analyzing the Fujacks .As a result ,improved the efficiency of the tool in the automating analysis.

YANG Xiao-hui,ZHOU Xue-hai,TIAN Jun-feng,LI Zhen

2010-01-01

Abstract:In order to improve current dynamic trusted evaluation theories and methods of software,the conceptions of behavior trace and checkpoint scene are proposed to depict the dynamic characteristics of software behaviors,the deviation degrees of behavior trace and checkpoint scene are measured by computing system call context values and formulating relationship constraint rules of system call arguments,and a dynamic trusted evaluation model is built based on software behavior automaton.Experimental results show that this novel model can accurately obtain information on software behavior and correctly detect attacks with lower overhead.

Sixian Sun,Xiao Fu,Hao Ruan,Xiaojiang Du,Bin Luo,Mohsen Guizani

DOI: https://doi.org/10.1109/access.2018.2853121

IF: 3.9

2018-01-01

IEEE Access

Abstract:The number of applications based on the Android platform is increasing rapidly now. However, as the supervision and review of Android applications are inadequate, a reasonable chance exists that users will download malware. This malware can lead to information leakage, monetary loss, and other damages. At present, a variety of applications exist for detecting malware, but most of these applications cannot show specific malicious behaviors. Moreover, the operation of this detection software is based on the database of viruses, and thus, it cannot identify unknown malware. To solve these problems, we implemented a system to detect the behaviors of Android applications and identify known or unknown malware. Our system can monitor specified applications utilizing loading a kernel module. After the detection process, the related documents are uploaded to the server, and the dynamic behaviors are reconstructed. As a result, a behavior diagram is generated. In addition, if the user needs to know whether the application is malware, the related Android package is sent to the server and analyzed. Then, the server calculates the results and the results are returned to the client.

Jun Zhu,Jing Xie,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1016/j.jare.2013.11.006

IF: 12.822

2014-01-01

Journal of Advanced Research

Abstract:Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

Zhi Xin,Huiyu Chen,Xinche Wang,Peng Liu,Sencun Zhu,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/978-3-642-24861-0_1

2011-01-01

Abstract:Software birthmarks utilize certain specific program characteristics to validate the origin of software, so it can be applied to detect software piracy. One state-of-the-art technology on software birthmark adopts dynamic system call dependence graphs as the unique signature of a program, which cannot be cluttered by existing obfuscation techniques and is also immune to the no-ops system call insertion attack. In this paper, we analyze its weaknesses and construct replacement attacks with the help of semantics-equivalent system calls to unlock the high frequent dependency between the system calls in an original system call dependence graph. Our results show that the proposed replacement attacks can destroy the original birthmark successfully.

Dongkui Liang,Limin Shen,Zhen Chen,Chuan Ma,Jiayin Feng

DOI: https://doi.org/10.1109/access.2022.3210386

IF: 3.9

2022-01-01

IEEE Access

Abstract:Android is the most popular mobile platform, and it has become a primary malware target. Existing behavior-based Android malware detection methods suffer from false positive and false negative problems, which lead to low detection accuracy. Formal theory is crucial in studying the behaviors of Android applications characterized by high concurrency, interaction, and mobility. However, existing formal methods mainly focus on specific issues and lack the essential abstraction and high-level description of application behavior. In this study, we propose a formal method for the description and decision of application behavior based on process algebra. First, we propose a formal method for describing application behavior at a component level using process algebra. By extending pi-calculus theory, we establish the mapping relationship from the Android application to process algebra, and present the semantics and evolution rules of behavior based on process algebra. Second, we describe the behavior of four types of components in applications and characterize concurrent interactions of components using process algebra expressions. Third, we define the behavior equivalence and simulation mechanism for application behavior analysis and propose the decision rules based on weak simulation. Finally, we discuss a demonstration case, which includes malicious behavior, to demonstrate the feasibility and effectiveness of the proposed method. The results show that our method can accurately describe and analyze application behavior, which provides theoretical support for technologies and methods of behavior-based detection.

Chao DAI,Jian-min PANG,Yi-chi ZHANG,Liang ZHU,Feng YUE,Hong-wei TAO

2017-01-01

Abstract:The malware behavior analysis is composed of analysis in disassembly level and system-call level.Out of the finer grain,the analysis in disassembly level is irreplaceable in characterizing the code behavior.However,the existing analysis technologies in disassembly level is not good at coping with discontinuous instruction sequences.In view of this situation and characteristics of binary code,this paper proposes a method of behavior analysis in disassembly level based on pattern matching with wildcards and gap-length constrains,called CFG-refinedSAIL.It reconstructs the code structure by the recursive traversal disassembly algorithm first.Then the algorithm compares the opcode sequences in each basicblock of control flow with the opcode sequences of malware behavior in a refined way to find out the malware behavior in disassembly level.Finally,the test validates the effectiveness the algorithm,and its performance is good,which could provide the basis for subsequent analysis of malware.

Jun Zhu,Bill Chu,Heather Richter Lipford,Tyler Thomas

DOI: https://doi.org/10.1145/2752952.2752976

2015-01-01

Abstract:ABSTRACTAccess control vulnerabilities due to programming errors have consistently ranked amongst top software vulnerabilities. Previous research efforts have concentrated on using automatic program analysis techniques to detect access control vulnerabilities in applications. We report a comparative study of six open source PHP applications, and find that implicit assumptions of previous research techniques can significantly limit their effectiveness. We propose a more effective hybrid approach to mitigate access control vulnerabilities. Developers are reminded in-situ of potential access control vulnerabilities, where self-review of code can help them discover mistakes. Additionally, developers are prompted for application-specific access control knowledge, providing samples of code that could be thought of as static analysis by example. These examples are turned into code patterns that can be used in performing static analysis to detect additional access control vulnerabilities and alert the developer to take corrective actions. Our evaluation of six open source applications detected 20 zero-day access control vulnerabilities in addition to finding all access control vulnerabilities detected in previous works.

Wu Liu,Ping Ren,Ke Liu,Hai-xin Duan

DOI: https://doi.org/10.1109/IWCDM.2011.17

2011-01-01

Abstract:Malware, such as Trojan Horse, Worms and Spy ware severely threatens Internet. We observed that although malware and its variants may vary a lot from content signatures, they share some behavior features at a higher level which are more precise in revealing the real intent of malware. This paper investigates the technique of malware behavior extraction, presents the formal Malware Behavior Feature (MBF) extraction method, and proposes the malicious behavior feature based malware detection algorithm. Finally we designed and implemented the MBF based malware detection system, and the experimental results show that it can detect newly appeared unknown malwares.

Nitin Kanaskar,Remzi Seker,Jiang Bian,Vir V. Phoha

DOI: https://doi.org/10.1109/TSMCC.2012.2208187

2012-01-01

Abstract:Code injection is a common approach which is utilized to exploit applications. We introduce some of the well-established techniques and formalisms of dynamical system theory into analysis of program behavior via system calls to detect code injections into an applications execution space. We accept a program as a blackbox dynamical system whose internals are not known, but whose output we can observe. The blackbox system observable in our model is the system calls the program makes. The collected system calls are treated as signals which are used to reconstruct the system’s phase space. Then, by using the well-established techniques from dynamical system theory, we quantify the amount of complexity of the system’s (program’s) behavior. The change in the behavior of a compromised system is detected as anomalous behavior compared with the baseline established from a clean program. We test the proposed approach against DARPA-98 dataset and a real-world exploit and present code injection experiments to show the applicability of our approach.

Lei Yu,Xiucun Tang,Linzhang Wang,Xuandong Li

DOI: https://doi.org/10.1145/2532443.2532465

2013-01-01

Abstract:It is encouraged to develop practical approaches to ensure that the software artifacts are created as expected or defect-free as early as possible. In the industry, software analysis and testing techniques are widely used solutions for codes and executables, respectively. However, software design artifacts can only be verified by manual peer review in design phase. In this paper, we propose an approach to automatically simulate the expected software behavior depicted in UML activity diagrams. First, UML activity diagrams are parsed and initialized semantically with a concrete execution. Second, the model is symbolically executed, to collect paths, input variables, and their path conditions. Then, the path conditions are passed to a constraint solver to generate a set of concrete value of possible input variables. Final, the generated concrete input variables are semantically executed on the model to identify the defects as well as to collect the execution path. The model simulation approach reuses the design models, automates the simulation process by using model-based concolic execution, and has the advantage of visibility and observability on model simulation. In addition, we found that the solvable paths represent behavioral scenarios. While simulating the model, input values corresponding to execution paths in the model are generated automatically. They can also be used as test suites to find the inconsistency between the design and implementation. We have also developed a prototype tool to support the above process, and have conducted a trivial case study to demonstrate the applicability of our approach.

JiaJing Li,Tao Wei,Wei Zou,Jian Mao

DOI: https://doi.org/10.1109/isecs.2009.148

2009-01-01

Abstract:Existing techniques based on behavior semantics for information theft malware detection have the main shortcomings of low path coverage and disability of finding hidden malicious behaviors. In this paper we propose a static method for the detection of information theft malware to overcome these shortcomings. It is particularly efficient for inter-procedure taint analysis, and it is suitable for complicated malware detection, such as Trojan and Bot. Its static style makes it able to find hidden malicious behaviors. We also present an implementation of our method that works on x86 executables and a set of experimental studies validate its good efficiency and effectiveness.

Monire Norouzi,Saeed Parsa,Ali Mahjur

DOI: https://doi.org/10.48550/arXiv.1406.2791

2014-06-11

Abstract:Formal method techniques provides a suitable platform for the software development in software systems. Formal methods and formal verification is necessary to prove the correctness and improve performance of software systems in various levels of design and implementation, too. Security Discussion is an important issue in computer systems. Since the antivirus applications have very important role in computer systems security, verifying these applications is very essential and necessary. In this paper, we present four new approaches for antivirus system behavior and a behavioral model of protection services in the antivirus system is proposed. We divided the behavioral model in to preventive behavior and control behavior and then we formal these behaviors. Finally by using some definitions we explain the way these behaviors are mapped on each other by using our new approaches.

Software Engineering,Cryptography and Security

黄洲,彭鑫,赵文耘

DOI: https://doi.org/10.3969/j.issn.1002-137x.2009.08.040

2009-01-01

Computer Science

Abstract:Object behavior protocol is important for understanding object interfaces,correct module composition and reuse of classes.In the previous work,we proposed an antumotic method of extracting object behavior protocols based on static source code analysis.The method obtains direct and indirect dependencies between interfacing methods from source code,then constructs interface state diagrams based on intra-class dependency relations.In this paper,we further presented the supporting tool for automatic behavior proptocol recovery,including the main tool modules,implementation techniques in each part.

Yuankui Li,Linzhang Wang

DOI: https://doi.org/10.1007/978-3-642-35795-4_59

2013-01-01

Abstract:During the development of a software, its source code is continuously being modified. Even after the deployment, the maintenance work still involves changing the source code. Some of the modification performed on the source code is rather meaningless, while others might cause some critical behavioral changes. To help understand the modification, we can distinguish the behavioral changes and ease the tedious work. Our approach focuses on eliminating two kinds of changes: the unessential changes and the behavioral-unrelated changes, to achieve a better change detection result. © Springer-Verlag Berlin Heidelberg 2013.

Lixin Li,Chao Wang

DOI: https://doi.org/10.1007/978-3-642-40787-1_31

2013-01-01

Abstract:Dynamic analysis techniques have made a significant impact in security practice, e.g. by automating some of the most tedious processes in detecting vulnerabilities. However, a significant gap remains between existing software tools and what many security applications demand. In this paper, we present our work on developing a cross-platform interactive analysis tool, which leverages techniques such as symbolic execution and taint tracking to analyze binary code on a range of platforms. The tool builds upon IDA, a popular reverse engineering platform, and provides a unified analysis engine to handle various instruction sets and operating systems. We have evaluated the tool on a set of real-world applications and shown that it can help identify the root causes of security vulnerabilities quickly.

bin cao,zhen chen,hongjian liu,ge ma,peng zhang,guodong peng

DOI: https://doi.org/10.1109/ICNDC.2013.9

2013-01-01

Abstract:With the rapid growth of Internet, the amount of malicious codes is exploding. Some security software vendors provide new cloud-based safeguard software for client users. These software, as part of Internet ware, consist of many modules with different functions and Internet behaviors. The Trojan scanning module, for instance, is based on cloud scanning function, which is achieved by collecting a large number of suspicious files on users' hosts and scanning them in remote cloud platforms. While providing security, they also bring a serious problem of user privacy. In this paper, we use black box testing method to analyze the network behavior of four safeguard software, especially the Trojan scanning module based on cloud scanning function. In specific, we conduct extensive experiments to examine the network behaviors of the major function modules used by these safeguard software. In this paper we present a reasonable network behavior model that can help the safeguard software to protect users' privacy. One way of looking at our contributions is the network behavior comparison and analysis of four safeguard software which are widely used in China. And the experimental results validate our claims either.

LIU Bo,WEN Wei-ping,SUN Hui-ping,QING Si-han

DOI: https://doi.org/10.3969/j.issn.1671-1122.2009.05.013

2009-01-01

Abstract:With the increasing harmfulness of software vulnerability, identifying potential vulnerabilities in software has become the focus of security research. The current analysis method can be roughly divided into two categories: static analysis and dynamic analysis. This paper presents an idea based on open source static analysis tool BugScam. First, set up vulnerability model. Then, map the model to program and begin vulnerability analysis. We classified vulnerability model to function model and logic model and research the corresponding relationship between model and program. Finally, we give an introduction of our improved automatic vulnerability analysis tool ClearBug. The experiment results show that our tool can effectively find out some software vulnerability.

Zhaoli Liu,Xiaohong Guan,Shancang Li,Tao Qin,Chao He

DOI: https://doi.org/10.1109/access.2018.2882812

IF: 3.9

2018-01-01

IEEE Access

Abstract:The widespread use of social media, cloud computing, and Internet of Things generates massive behavior data recorded by system logs, and how to utilize these data to improve the stability and security of these systems becomes more and more difficult due to the increasing number of users and amount of data. In this paper, we propose a novel model named behavior rhythm (BR) to characterize and visualize the user's behaviors from the massive logs and apply it to the system security management. Based on the BR model, we conduct the clustering analysis to mine the user clusters. Different management and access control policies can be applied to different clusters to improve the management efficiency. Then, we apply the non-negative matrix factorization method to analyze the BRs and perform abnormal detection, and employ the BR similarity calculation to perform fast potential anomaly tracking. The detection and tracing results can help the administrators to control the threats efficiently. Experimental results based on the datasets collected from the campus network center of Xi'an Jiaotong University verify the accuracy and efficiency of our method in user behavior profiling and security management, which lay a solid foundation for improving system stability and quality of service.