Skip to main content
SpringerLink
Log in

Using Purpose Capturing Signatures to Defeat Computer Virus Mutating

  • Conference paper
Information Security, Practice and Experience (ISPEC 2010)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 6047))

Abstract

Nowadays computer viruses become more and more difficult to be identified. Modern computer viruses use various mutation techniques such as polymorphism and metamorphism to evade detection. Previous researches in mutated computer virus detection have limitations in that: 1) most of them cannot handle advanced mutation techniques; 2) the methods based on source code analysis are less practical. 3) some methods are unable to detect computer viruses immediately. In this paper, we present a new dynamic approach to detect and analyze computer viruses based on Virtual Machine technology. We show that 1) how to generate Purpose Capturing Signatures based on the information of runtime values (execution value sequence, EVS) and control flows (execution control sequence, ECS); 2) how to detect and analyze computer viruses using the purpose-capturing signatures. To our best knowledge, it is the first method to perform computer virus detection and analysis using the EVS and ECS. Our experimental evaluation demonstrates that this approach is able to use one signature to detect all mutations of the corresponding virus efficiently.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Cohen, F.B.: Operating system protection through program evolution. Computers & Security 12(6) (1993)

    Google Scholar 

  2. Collberg, C., Thomborson, C., Low, D.: Manufacturing cheap, resilient, and stealthy opaque constructs. In: Principles of Programming Languages (POPL 1998), San Diego, CA, USA (1998)

    Google Scholar 

  3. Linn, C., Debray, S.: Obfuscation of executable code to improve resistance to static disassembly. In: Proceedings of the 10th. ACM Conference on Computer and Communications Security (CCS 2003), Washingtion DC, USA (2003)

    Google Scholar 

  4. Majumdar, A., Thomborson, C., Drape, S.: A survey of control-flow obfuscations. In: Bagchi, A., Atluri, V. (eds.) ICISS 2006. LNCS, vol. 4332, pp. 353–356. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  5. Popov, I., Debray, S., Andrews, G.: Binary obfuscation using signals. In: Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium (Security 2007), Berkeley, CA, USA, pp. 1–6 (2007)

    Google Scholar 

  6. Szor, P., Ferrie, P.: Hunting for metamorphic. In: Proceedings of Virus Bulletin Conference, pp. 123–144 (2001)

    Google Scholar 

  7. Sharif, M., Lanzi, A., Giffin, J., Lee, W.: Impeding malware analysis using conditional code obfuscation. In: Proceedings of the Network and Distributed System Security Symposium (NDSS 2008), San Diego, CA, USA (2008)

    Google Scholar 

  8. Sharif, M., Lanzi, A., Giffin, J., Lee, W.: Automatic Reverse Engineering of Malware Emulators. In: Proceedings of The 2009 IEEE Symposium on Security and Privacy (Oakland 2009), Oakland, CA, USA (2009)

    Google Scholar 

  9. Detristan, T., Ulenspiegel, T., Malcom, Y., von Underduk, M.S.: Polymorphic shellcode engine using spectrum analysis. Phrack 11(61) (2003), http://www.phrack.org

  10. Mohanty, D.: Anti-virus evasion techniques and countermeasures (2005), http://www.hackingspirits.com/eth-hac/papers/whitepapers.asp

  11. Christodorescu, M., Jha, S.: Testing malware detectors. In: Proceedings of the ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2004 (2004)

    Google Scholar 

  12. Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. In: Proceedings of USENIX Security Symposium(Security 2003), Washingtion DC, USA (2003)

    Google Scholar 

  13. Christodorescu, M., Jha, S., Seshia, S.A., Song, D., Bryant, R.E.: Semantics-aware malware detection. In: Proceedings of the 2005 IEEE Symposium on Security and Privacy (Oakland 2005), Oakland, CA, USA (2005)

    Google Scholar 

  14. Wroblewski, G.: General method of program code obfuscation. PhD thesis, Institute of Engineering Cybernetics, Wroclaw University of Technology, Wroclaw, Poland (2002)

    Google Scholar 

  15. Brumley, D., Wang, H., Jha, S., Song, D.: Creating Vulnerability Signatures Using Weakest Pre-conditions. In: Proceedings of Computer Security Foundations Symposium, Italy (2007)

    Google Scholar 

  16. Jia, X., Zhang, S., Jing, J., Liu, P.: Using Virtual Machines to Do Cross-Layer Damage Assessment. In: Proceedings of the ACM Workshop on Virtual Machine Security (VMSEC 2008), in association with ACM CCS, Washingtion DC, USA (2008)

    Google Scholar 

  17. Sophos (2009), http://www.sophos.com/products/enterprise/endpoint/security-and-control/8.0/linux/

  18. Klein, T.: VMware Fingerprint Suite (2008), http://www.trapkit.de/research/vmm/scoopydoo/index.html

  19. Moser, A., Kruegel, C., Kirda, E.: Exploring multiple execution paths for malware analysis. In: IEEE Symposium on Security and Privacy (Oakland 2007), pp. 231–245 (2007)

    Google Scholar 

  20. Bonfante, G., Kaczmarek, M., Marion, J.: Architecture of a Morphological Malware Detector. Journal in Computer Virology 5(3), 263–270 (2008)

    Article  Google Scholar 

  21. Bonfante, G., Kaczmarek, M., Marion, J.: Control Flow to Detect Malware. In: Inter-Regional Workshop on Rigorous System Development and Analysis (2007)

    Google Scholar 

  22. Newsome, J., Karp, B., Song, D.: Polygraph: Automatically generating signatures for polymorphic worms. In: IEEE Symposium on Security and Privacy, pp. 226–241 (2005)

    Google Scholar 

  23. Rutkowska, J.: System virginity verifier: Defining the roadmap for malware detection on windows systems. In: Hack in the Box Security Conference (2005)

    Google Scholar 

  24. Wang, Y.M., Roussev, R., Verbowski, C., Johnson, A., Wu, M.W., Huang, Y., Kuo, S.Y.: Gatekeeper: Monitoring Auto-Start Extensibility Points (ASEPs) for spyware management. In: Proceedings of the Large Installation System Administration Conference, LISA 2004 (2004)

    Google Scholar 

  25. Song, D., Brumley, D., Yin, H., Caballero, J., Jager, I., Kang, M.G., Liang, Z., Newsome, J., Poosankam, P., Saxena, P.: BitBlaze: A new approach to computer security via binary analysis. In: Sekar, R., Pujari, A.K. (eds.) ICISS 2008. LNCS, vol. 5352, pp. 1–25. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  26. Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E.: Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis. In: Proceedings of ACM Conference on Computer and Communications Security (CCS 2007), Alexandria, Virginia, USA (2007)

    Google Scholar 

  27. Caballero, J., Yin, H., Liang, Z., Song, D.: Polyglot: Automatic Extraction of Protocal Message Format Using Dynamic Vinary Analysis. In: Proceedings of ACM Conference on Computer and Communications Security (CCS 2007), Alexandria, Virginia, USA (2007)

    Google Scholar 

  28. Bayer, U., Comparetti, P.M., Hlauschek, C., Kruegel, C., Kirda, E.: Scalable, Behavior-Based Malware Clustering. In: Proceedings of the Network and Distributed System Security Symposium (NDSS 2009), California, USA (2009)

    Google Scholar 

  29. Revealer (2008), http://www.sysinternals.com/Files/RootkitRevealer.zip

  30. Wang, Y., Beck, D., Vo, B., Roussev, R., Verbowski, C.: Detecting stealth software with strider ghostbuster. In: Proceedings of the 2005 International Conference on Dependable Systems and Networks (DSN 2005), pp. 368–377 (2005)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. The State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, China

    Xiaoqi Jia & Jiwu Jing

  2. The Pennsylvania State University, University Park, USA

    Xi Xiong & Peng Liu

Authors
  1. Xiaoqi Jia
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Xi Xiong
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jiwu Jing
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Peng Liu
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Information Security Engineering, Soonchunhyang University, 646 Eupnae-ri, Shinchang-myun, Asan-si, 336-745, Chungcheongnam-do, Korea

    Jin Kwak

  2. School of Information Systems, Singapore Management University, 469 Bukit Timah Road, 259756, Singapore

    Robert H. Deng

  3. Internet and Security Policy Division, Korea Internet and Security Agency, Daedong B/D, Garak-dong 79-3, Songpa-gu, 138-950, Seoul, Korea

    Yoojae Won

  4. School of Computer Science, University of Birmingham, B15 2TT, Birmingham, UK

    Guilin Wang

Rights and permissions

Reprints and permissions

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Jia, X., Xiong, X., Jing, J., Liu, P. (2010). Using Purpose Capturing Signatures to Defeat Computer Virus Mutating. In: Kwak, J., Deng, R.H., Won, Y., Wang, G. (eds) Information Security, Practice and Experience. ISPEC 2010. Lecture Notes in Computer Science, vol 6047. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-12827-1_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-12827-1_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-12826-4

  • Online ISBN: 978-3-642-12827-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation