Runtime Verification

Volume 6418 of the series Lecture Notes in Computer Science pp 168-182

Behavior Abstraction in Malware Analysis

  • Philippe BeaucampsAffiliated withINPL - INRIA Nancy Grand Est Nancy-Université - LORIA
  • , Isabelle GnaedigAffiliated withINPL - INRIA Nancy Grand Est Nancy-Université - LORIA
  • , Jean-Yves MarionAffiliated withINPL - INRIA Nancy Grand Est Nancy-Université - LORIA

* Final gross prices may vary according to local VAT.

Get Access


We present an approach for proactive malware detection working by abstraction of program behaviors. Our technique consists in abstracting program traces, by rewriting given subtraces into abstract symbols representing their functionality. Traces are captured dynamically by code instrumentation, which allows us to handle packed or self-modifying malware. Suspicious behaviors are detected by comparing trace abstractions to reference malicious behaviors. The expressive power of abstraction allows us to handle general suspicious behaviors rather than specific malware code and then, to detect malware mutations. We present and discuss an implementation validating our approach.


Malware behavioral detection behavior abstraction trace string rewriting finite state automaton formal language dynamic binary instrumentation