Imposing order on program statements to assist anti-virus scanners

Lakhotia, Arun; Mohammed, Mohssen

doi:10.1109/wcre.2004.24

Cited by 22 publications

(17 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In contrast, many of the other approaches to detection, perhaps with the exception of the work by Christodorescu et al [6], are informal. For example, in control-flow analysis (e.g., [17,14]), the flow of control is extracted from a program based on an implicit assumption about the way that looping instructions work, i.e., they update the value of the instruction pointer. Based on this assumption, the control-flow graph is constructed.…”

Section: Formal and Informal Approachesmentioning

confidence: 99%

“…For example, the approach of Lakhotia and Mohammed to control-and data-flow analysis resulted in a rewritten version of a program called a zero form [17,14]. The specification of Intel 64 could be used to prove the equivalence of the original program and its zero form through dynamic analysis in manner of Section 3.…”

Section: Formal and Informal Approachesmentioning

confidence: 99%

“…Lakhotia & Mohammed describe an algorithm for imposing order on high-level language programs based on control-and data-flow analysis [17,14]. Bruschi et al [1] describe a similar method for malware detection to the one described by Lakhotia & Mohammed, which uses code normalisation.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Detection of metamorphic and virtualization-based malware using algebraic specification

Webster

Malcolm

2008

J Comput Virol

View full text Add to dashboard Cite

We present an overview of the latest developments in the detection of metamorphic and virtualizationbased malware using an algebraic specification of the Intel 64 assembly programming language. After giving an overview of related work, we describe the development of a specification of a subset of the Intel 64 instruction set in Maude, an advanced formal algebraic specification tool. We develop the technique of metamorphic malware detection based on equivalence-in-context so that it is applicable to imperative programming languages in general, and we give two detailed examples of how this might be used in a practical setting to detect metamorphic malware. We discuss the application of these techniques within anti-virus software, and give a proof-of-concept system for defeating detection counter-measures used by virtualization-based malware, which is based on our Maude specification of Intel 64. Finally, we compare formal and informal approaches to malware detection, and give some directions for future research.

show abstract

Section: Formal and Informal Approachesmentioning

confidence: 99%

Section: Formal and Informal Approachesmentioning

confidence: 99%

See 1 more Smart Citation

Detection of metamorphic and virtualization-based malware using algebraic specification

Webster

Malcolm

2008

J Comput Virol

View full text Add to dashboard Cite

show abstract

“…More general approaches, similar in intent to ours, attempt to normalize C programs by ordering program statements and expressions [40] and to apply compiler-optimization techniques to eliminate obfuscated code [41,42]. These algorithms complement ours as they perform local deobfuscation.…”

Section: Related Workmentioning

confidence: 99%

Software transformations to improve malware detection

et al. 2007

View full text Add to dashboard Cite

Abstract. Malware is code designed for a malicious purpose, such as obtaining root privilege on a host. A malware detector identifies malware and thus prevents it from adversely affecting a host. In order to evade detection, malware writers use various obfuscation techniques to transform their malware. There is strong evidence that commercial malware detectors are susceptible to these evasion tactics. In this paper, we describe the design and implementation of a malware transformer that reverses the obfuscations performed by a malware writer. Our experimental evaluation demonstrates that this malware transformer can drastically improve the detection rates of commercial malware detectors.

show abstract

“…For instance, 9 of 13 CERT advisories from 1998 involved buffer overflows [1] and in 1999, they accounted for at least 50% of advisories issued by CERT [2]. Several papers presenting reverse engineering and transformations that relate to security have been presented at recent WCRE conferences [22,24,25,26,27].…”

Section: Introductionmentioning

confidence: 99%