On the possibility of practically obfuscating programs towards a unified perspective of code protection

Beaucamps, Philippe; Filiol, Éric

doi:10.1007/s11416-006-0029-6

Cited by 43 publications

(30 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…To reconstruct such a primitive, we need to consider and combine multiple operations. As we do not conduct fine-grained taint analysis [1,6,14], we need to reassemble the memory based on its addresses, which can serve as a rough approximation.…”

Section: Fine-grained Dynamic Binary Instrumentationmentioning

confidence: 99%

Automated Identification of Cryptographic Primitives in Binary Programs

Gröbert

Willems

Holz

2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Identifying that a given binary program implements a specific cryptographic algorithm and finding out more information about the cryptographic code is an important problem. Proprietary programs and especially malicious software (so called malware) often use cryptography and we want to learn more about the context, e.g., which algorithms and keys are used by the program. This helps an analyst to quickly understand what a given binary program does and eases analysis. In this paper, we present several methods to identify cryptographic primitives (e.g., entire algorithms or only keys) within a given binary program in an automated way. We perform fine-grained dynamic binary analysis and use the collected information as input for several heuristics that characterize specific, unique aspects of cryptographic code. Our evaluation shows that these methods improve the state-of-the-art approaches in this area and that we can successfully extract cryptographic keys from a given malware binary.

show abstract

Section: Fine-grained Dynamic Binary Instrumentationmentioning

confidence: 99%

Automated Identification of Cryptographic Primitives in Binary Programs

Gröbert

Willems

Holz

2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Nowdays malware samples increasingly employ techniques such as polymorphism [2], metamorphism [1], packing, instruction virtualization, and emulation to bypass signatures and defeat attempts to analyze their inner mechanisms [20]. In order to remain effective, many Anti-Malware venders have turned their classic signaturebased method to cloud (server) based detection.…”

Section: Cloud Based Malware Detectionmentioning

confidence: 99%

Combining file content and file relations for cloud based malware detection

Ye¹,

Zhu³

et al. 2011

Proceedings of the 17th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining

View full text Add to dashboard Cite

Due to their damages to Internet security, malware (such as virus, worms, trojans, spyware, backdoors, and rootkits) detection has caught the attention not only of anti-malware industry but also of researchers for decades. Resting on the analysis of file contents extracted from the file samples, like Application Programming Interface (API) calls, instruction sequences, and binary strings, data mining methods such as Naive Bayes and Support Vector Machines have been used for malware detection. However, besides file contents, relations among file samples, such as a "Downloader" is always associated with many Trojans, can provide invaluable information about the properties of file samples. In this paper, we study how file relations can be used to improve malware detection results and develop a file verdict system (named "Valkyrie") building on a semi-parametric classifier model to combine file content and file relations together for malware detection. To the best of our knowledge, this is the first work of using both file content and file relations for malware detection. A comprehensive experimental study on a large collection of PE files obtained from the clients of anti-malware products of Comodo Security Solutions Incorporation is performed to compare various malware detection approaches. Promising experimental results demonstrate that the accuracy and efficiency of our Valkyrie system outperform other popular anti-malware software tools such as Kaspersky AntiVirus and McAfee VirusScan, as well as other alternative data mining based detection systems. Our system has already been incorporated into the scanning tool of Comodo's Anti-Malware software.

show abstract

“…Several recent Win32 PE malware are included in the test dataset for analysis such as Redgirl, Bancos, MSNBot and Viking. For each malware, we collect their variants generated by the malware authors applying the encryption and obfuscation techniques [4,5], like flow modification, data segment modification and insertion of dead code. These variants of the malware are not included in our training set.…”

Section: Variants Of Known Malware Detectionmentioning

confidence: 99%

SBMDS: an interpretable string based malware detection system using SVM ensemble with bagging

Chen

Wang

et al. 2008

J Comput Virol

View full text Add to dashboard Cite

Malicious executables are programs designed to infiltrate or damage a computer system without the owner's consent, which have become a serious threat to the security of computer systems. There is an urgent need for effective techniques to detect polymorphic, metamorphic and previously unseen malicious executables of which detection fails in most of the commercial anti-virus software. In this paper, we develop interpretable string based malware detection system (SBMDS), which is based on interpretable string analysis and uses support vector machine (SVM) ensemble with Bagging to classify the file samples and predict the exact types of the malware. programming interface (API) execution calls and important semantic strings reflecting an attacker's intent and goal. Our SBMDS is carried out with four major steps: (1) first constructing the interpretable strings by developing a feature parser; (2) performing feature selection to select informative strings related to different types of malware; (3) followed by using SVM ensemble with bagging to construct the classifier; (4) and finally conducting the malware detector, which not only can detect whether a program is malicious or not, but also can predict the exact type of the malware. Our case study on the large collection of file samples collected by Kingsoft Anti-virus lab illustrate that: (1) The accuracy and efficiency of our SBMDS outperform several popular anti-virus software; (2) Based on the signatures of interpretable strings, our SBMDS outperforms data mining based detection systems which employ single SVM, Naive Bayes with bagging, Decision Trees with bagging; (3) Compared with the IMDS which utilizes the objective-oriented association (OOA) based classification on API calls, our SBMDS achieves better performance. Our SBMDS system has already been incorporated into the scanning tool of a commercial anti-virus software.

show abstract

On the possibility of practically obfuscating programs towards a unified perspective of code protection

Cited by 43 publications

References 10 publications

Automated Identification of Cryptographic Primitives in Binary Programs

Automated Identification of Cryptographic Primitives in Binary Programs

Combining file content and file relations for cloud based malware detection

SBMDS: an interpretable string based malware detection system using SVM ensemble with bagging

Contact Info

Product

Resources

About