Characterising Malicious Software with High-Level Behavioural Patterns

Conference paper. In: SOFSEM 2017: Theory and Practice of Computer Science (SOFSEM 2017).

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 10139)

Abstract

Current research trends in malicious software indicate a preference for analysing malware behaviour over malware structure. Detection is moving towards methods that employ malware models at a higher level of abstraction, not purely at the level of the program's code. Specifying an applicable level of abstraction for the investigation and detection of malware can present a serious challenge. Many approaches claim to use a high-level abstraction of malware behaviour, but they are still based on the sequences of instructions which form the malicious program. Techniques which rely on syntactic representation potentially fail whenever malware writers employ mutation or obfuscation of malicious code. Our work presents a different strategy. We utilised freely available information about malicious programs which had already been inspected and tried to find patterns in malware behaviour which are not bound to the syntactic representation of malicious samples and so should withstand malware mutation at the syntactic level.


Notes

  1. https://www.shadowserver.org/wiki/pmwiki.php/Stats/Malware.

  2. Data obtained 01/08/2016.

  3. https://www.shadowserver.org/wiki/pmwiki.php/Stats/PackerStatistics.

  4. https://www.jetbrains.com/datagrip/.

  5. We avoid stating the real signature label because disclosing such details may negatively influence the employability of the presented behavioural patterns in potential detection mechanisms.


Acknowledgments

This work has been supported by the Slovak Research and Development Agency under the contract No. APVV-15-0055, and Grant No. FEI-2015-18: Coalgebraic models of component systems.

Author information

Corresponding author: Jana Št’astná.

Copyright information

© 2017 Springer International Publishing AG

Cite this paper

Št’astná, J., Tomášek, M. (2017). Characterising Malicious Software with High-Level Behavioural Patterns. In: Steffen, B., Baier, C., van den Brand, M., Eder, J., Hinchey, M., Margaria, T. (eds) SOFSEM 2017: Theory and Practice of Computer Science. SOFSEM 2017. Lecture Notes in Computer Science, vol 10139. Springer, Cham. https://doi.org/10.1007/978-3-319-51963-0_37

  • DOI: https://doi.org/10.1007/978-3-319-51963-0_37

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-51962-3

  • Online ISBN: 978-3-319-51963-0