
Signature Generation and Detection of Malware Families

Conference paper
Information Security and Privacy (ACISP 2008)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5107)

Abstract

Malware detection and prevention is critical for the protection of computing systems across the Internet. The difficulty in detecting malware is that it evolves over time, so traditional signature-based malware detectors fail to detect obfuscated and previously unseen malware executables. However, as malware evolves, some semantics of the original malware are preserved, because these semantics are necessary for the malware to remain effective. Using this observation, we present a novel method for detecting malware using the correlation between the semantics of the malware and its API calls. We construct a base signature for an entire malware class rather than for a single specimen of malware. Such a signature is capable of detecting even unknown and advanced variants that belong to that class. We demonstrate our approach on some well-known malware classes and show that any advanced variant of the malware class is detected from the base signature.
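As an added illustration of the class-level idea in the abstract (constructed here, not the paper's own algorithm or data), the following Python builds a base signature from the API calls shared across known variants of a hypothetical family, then scores an unseen sample against it; the family name, API-call lists, support level and match threshold are all assumed.

```python
from collections import Counter

# Constructed API-call profiles (imports/calls observed per sample) for
# known variants of a hypothetical family. Each variant adds its own noise,
# but the calls that implement the family's core behaviour recur.
FAMILY_VARIANTS = {
    "variant_a": ["CreateFileA", "WriteFile", "RegSetValueExA", "WSAStartup",
                  "send", "CreateProcessA", "GetTickCount"],
    "variant_b": ["CreateFileA", "WriteFile", "RegSetValueExA", "WSAStartup",
                  "send", "CreateProcessA", "Sleep"],
    "variant_c": ["CreateFileA", "WriteFile", "RegSetValueExA", "WSAStartup",
                  "send", "CreateProcessA", "FindFirstFileA"],
    "variant_d": ["CreateFileA", "WriteFile", "RegSetValueExA", "WSAStartup",
                  "send", "FindFirstFileA"],
}

# Constructed unseen samples: a reordered, padded variant and a benign editor.
UNKNOWN_VARIANT = ["Sleep", "GetTickCount", "WSAStartup", "CreateFileA", "send",
                   "WriteFile", "VirtualAlloc", "RegSetValueExA",
                   "CreateProcessA", "Sleep"]
BENIGN_EDITOR = ["CreateFileA", "ReadFile", "WriteFile", "GetOpenFileNameA",
                 "MessageBoxA"]


def build_base_signature(variants, min_support=0.75):
    """Keep every API call present in at least min_support of the known
    variants. Order and call counts are ignored so that reordering or
    junk insertion in a new variant does not break the match."""
    counts = Counter()
    for calls in variants.values():
        counts.update(set(calls))          # count each API once per variant
    n = len(variants)
    return frozenset(api for api, c in counts.items() if c / n >= min_support)


def match_score(sample_calls, signature):
    """Fraction of the base signature's API calls that the sample exhibits."""
    if not signature:
        return 0.0
    return len(signature & set(sample_calls)) / len(signature)


def classify(sample_calls, signature, threshold=0.75):
    """Flag the sample as a family member when enough of the signature is present."""
    return match_score(sample_calls, signature) >= threshold


if __name__ == "__main__":
    sig = build_base_signature(FAMILY_VARIANTS)
    print("base signature:", sorted(sig))
    for name, calls in (("unknown variant", UNKNOWN_VARIANT), ("benign editor", BENIGN_EDITOR)):
        print(f"{name}: score={match_score(calls, sig):.2f} match={classify(calls, sig)}")
```

Lowering the threshold widens coverage of partial variants at the cost of more false positives on benign programs that share common file or network APIs, so both parameters need tuning against a clean corpus.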




Editor information

Yi Mu, Willy Susilo, Jennifer Seberry


Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Sathyanarayan, V.S., Kohli, P., Bruhadeshwar, B. (2008). Signature Generation and Detection of Malware Families. In: Mu, Y., Susilo, W., Seberry, J. (eds) Information Security and Privacy. ACISP 2008. Lecture Notes in Computer Science, vol 5107. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-70500-0_25


  • DOI: https://doi.org/10.1007/978-3-540-70500-0_25

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-69971-2

  • Online ISBN: 978-3-540-70500-0

  • eBook Packages: Computer Science (R0)
