
Static Program Behavior Tracing for Program Similarity Quantification

  • Conference paper
  • First Online:
Proceedings of the First International Conference on Computational Intelligence and Informatics

Part of the book series: Advances in Intelligent Systems and Computing ((AISC,volume 507))

Abstract

Characterizing program behavior using static analysis is a challenging problem. In this work, we focus on the fundamental problem of program similarity quantification, i.e., estimating the behavioral similarity of two programs. A solution to this problem is a subroutine for many important practical problems, such as malware classification, code-clone detection, and program testing. The main difficulty is characterizing run-time program behavior without executing or emulating the program. We propose a novel behavior tracing approach to characterize program behavior: we use the call-dependency relationships among a program's API calls to generate a trace of its API calling sequence. The dependency tracking is done backwards, so as to capture the cause-and-effect relationship among the API calls. Our hypothesis is that this relationship captures the program behavior to a large extent. We evaluated the approach on several "versions" of a given program, each generated with code obfuscation techniques. The approach was found to be resilient up to 20% obfuscation, i.e., up to that level it correctly identified every obfuscated version as behaviorally similar to the original based on their API call sequences.
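The abstract gives the idea of the method but not its data model, its notion of a trace, or its similarity metric. The block below is an added illustration, not the authors' code: it assumes a constructed def/use representation of each API call (the values a call reads and the value it writes), builds one backward dependency trace per call, scores two programs by Jaccard similarity over their trace sets, and uses a constructed obfuscator (value renaming plus insertion of junk calls whose results are never consumed) to show why dead-code obfuscation leaves the cause-and-effect traces intact. The API names, the two sample programs and the 20% figure used in the usage call are constructed for the example.

```python
"""Toy backward call-dependency tracing and program similarity scoring.

Added illustration, not the paper's implementation.  A program is a
constructed, linearised list of API calls; each call records the values it
reads and the value it writes, standing in for the def/use facts a static
analyzer recovers from a disassembly.
"""
import math
import random
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Call:
    api: str                      # API name, e.g. "WriteFile"
    reads: Tuple[str, ...] = ()   # values consumed (handles, buffers, ...)
    writes: Optional[str] = None  # value produced, if any


def backward_traces(program: List[Call]) -> Set[Tuple[str, ...]]:
    """One backward dependency trace per call.

    Walking backwards from each call to the latest writer of every value it
    reads, transitively, yields the calls that causally precede it.  The
    trace is that set plus the call itself, in program order: the API calling
    sequence that produced the call's inputs."""
    last_writer = {}   # value name -> index of its latest producer
    producers = []     # call index -> set of direct producer indices
    for i, c in enumerate(program):
        producers.append({last_writer[v] for v in c.reads if v in last_writer})
        if c.writes is not None:
            last_writer[c.writes] = i
    traces = set()
    for i in range(len(program)):
        ancestors, stack = set(), list(producers[i])
        while stack:               # producers only point backwards: no cycles
            j = stack.pop()
            if j not in ancestors:
                ancestors.add(j)
                stack.extend(producers[j])
        traces.add(tuple(program[k].api for k in sorted(ancestors | {i})))
    return traces


def jaccard(a: Set, b: Set) -> float:
    """Set similarity of two trace sets; 1.0 means identical behaviour."""
    return len(a & b) / len(a | b) if (a | b) else 1.0


def containment(original: Set, variant: Set) -> float:
    """Fraction of the original program's traces still present in the variant."""
    return len(original & variant) / len(original)


JUNK_APIS = ("GetTickCount", "Sleep", "GetCurrentProcessId", "IsDebuggerPresent")


def obfuscate(program: List[Call], ratio: float, seed: int = 0) -> List[Call]:
    """Constructed obfuscator: consistently renames every value (register or
    variable renaming) and inserts ceil(ratio * len(program)) junk API calls,
    whose results nothing consumes, at random positions."""
    rng = random.Random(seed)
    names = {}

    def rename(v: str) -> str:
        return names.setdefault(v, f"v{len(names)}")

    out = [Call(c.api, tuple(rename(v) for v in c.reads),
                rename(c.writes) if c.writes is not None else None)
           for c in program]
    for k in range(math.ceil(ratio * len(program))):
        out.insert(rng.randrange(len(out) + 1),
                   Call(rng.choice(JUNK_APIS), (), f"junk{k}"))
    return out


# Constructed sample programs (not real malware): a downloader that writes a
# fetched payload to disk, and an exfiltrator that reads a file and posts it.
DOWNLOADER = [
    Call("InternetOpen", (), "h_inet"),
    Call("InternetOpenUrl", ("h_inet",), "h_url"),
    Call("InternetReadFile", ("h_url",), "buf"),
    Call("CreateFile", (), "h_file"),
    Call("WriteFile", ("h_file", "buf")),
    Call("CloseHandle", ("h_file",)),
]
EXFIL = [
    Call("CreateFile", (), "h_file"),
    Call("ReadFile", ("h_file",), "buf"),
    Call("InternetOpen", (), "h_inet"),
    Call("InternetConnect", ("h_inet",), "h_conn"),
    Call("HttpOpenRequest", ("h_conn",), "h_req"),
    Call("HttpSendRequest", ("h_req", "buf")),
    Call("CloseHandle", ("h_file",)),
]


def compare(a: List[Call], b: List[Call]) -> Tuple[float, float]:
    """(Jaccard similarity, fraction of a's traces retained in b)."""
    ta, tb = backward_traces(a), backward_traces(b)
    return jaccard(ta, tb), containment(ta, tb)


if __name__ == "__main__":
    for ratio in (0.0, 0.2, 0.5):
        print(f"downloader vs. {ratio:.0%}-obfuscated self:",
              compare(DOWNLOADER, obfuscate(DOWNLOADER, ratio)))
    print("downloader vs. exfiltrator:", compare(DOWNLOADER, EXFIL))
```

Two things the example makes visible that the abstract only states. First, renaming and junk insertion never remove a trace (containment stays 1.0) because a junk call neither produces nor consumes a value on the real data path; they only add singleton traces, which is why Jaccard degrades gently as the junk ratio grows. Second, the downloader and the exfiltrator reuse several of the same APIs, yet score low (0.3 here) because the direction of the dependencies differs: in one, the network output feeds the file write; in the other, the file read feeds the network send. The toy's weak spot, and the caveat a practitioner should check in any implementation of this idea, is junk that threads a live value through a no-op API (e.g., passing a real handle into a call that returns it unchanged): that rewrites the trace rather than adding to it, so resilience claims must be tested against obfuscators that do this, not only against dead-code insertion.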


Notes

  1. Malware is software that exhibits malicious behavior: it can disrupt the proper functioning of a computing system and damage sensitive data or other resident programs.


Author information

Correspondence to Dugyala Raman.


Copyright information

© 2017 Springer Science+Business Media Singapore

About this paper

Cite this paper

Raman, D., Bezawada, B., Rajinikanth, T.V., Sathyanarayan, S. (2017). Static Program Behavior Tracing for Program Similarity Quantification. In: Satapathy, S., Prasad, V., Rani, B., Udgata, S., Raju, K. (eds) Proceedings of the First International Conference on Computational Intelligence and Informatics. Advances in Intelligent Systems and Computing, vol 507. Springer, Singapore. https://doi.org/10.1007/978-981-10-2471-9_31

  • DOI: https://doi.org/10.1007/978-981-10-2471-9_31

  • Published:

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-10-2470-2

  • Online ISBN: 978-981-10-2471-9

  • eBook Packages: Engineering, Engineering (R0)
