Abstract
Characterizing program behavior using static analysis is a challenging problem. In this work, we focus on the fundamental problem of program similarity quantification, i.e., estimating the behavioral similarity of two programs. A solution to this problem is a building block for many important practical problems, such as malware classification, code-clone detection, program testing, and so on. The main difficulty is to characterize the run-time program behavior without actually executing the program or performing emulation. In this work, we propose a novel behavior tracing approach to characterize program behaviors. We use the call-dependency relationship among the program's API calls to generate a trace of the API calling sequence. The dependency tracking is done in a backward fashion, so as to capture the cause-and-effect relationship among the API calls. Our hypothesis is that this relationship captures the program behavior to a large extent. We performed experiments by considering several "versions" of a given software, where each version was generated using code obfuscation techniques. Our approach was found to be resilient up to 20 % obfuscation, i.e., up to that level of obfuscation it correctly identified every obfuscated version as behaviorally similar to the original based on the API call sequences.
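The abstract describes the core idea (walk backwards from each API call to the calls that produced its inputs, and compare programs on the resulting traces rather than on the flat call order) without giving the algorithm. The following is an added illustration of that idea, written for this page; it is not the authors' implementation. It assumes a simple dependency rule (a call depends on the most recent earlier call that produced one of its argument values), uses Jaccard similarity over the set of recovered chains, and runs on two constructed Win32-style call sequences: an original "drop a file and execute it" sequence, and an obfuscated version with junk calls inserted and independent calls reordered. The flat-bigram comparison is included only as a baseline to show why dependency chains are more robust to such obfuscation.

```python
"""Backward API-dependency tracing and program similarity (illustration, not the paper's code)."""
from dataclasses import dataclass
from typing import Optional, Tuple, FrozenSet, List


@dataclass(frozen=True)
class ApiCall:
    """One API call in a statically recovered call sequence.

    args: names of the values passed in (only values that flow between calls matter)
    ret:  name of the value the call produces, or None if nothing tracked is produced
    """
    name: str
    args: Tuple[str, ...] = ()
    ret: Optional[str] = None


def backward_traces(calls: List[ApiCall]) -> FrozenSet[Tuple[str, ...]]:
    """Return the set of dependency chains, each written source -> ... -> sink.

    Assumed rule: call i depends on call j if j is the most recent earlier call
    that produced one of i's argument values.  A sink is a call whose result no
    later call consumes.  Walking backwards from every sink over the dependency
    edges yields one chain per root-to-sink path.
    """
    producer = {}   # value name -> index of the call that last produced it
    deps = []       # deps[i] = indices of the calls that call i depends on
    for i, call in enumerate(calls):
        deps.append([producer[a] for a in call.args if a in producer])
        if call.ret is not None:
            producer[call.ret] = i   # set after deps so "x = f(x)" links to the old x

    consumed = {j for d in deps for j in d}
    sinks = [i for i in range(len(calls)) if i not in consumed]
    chains = set()

    def walk(i: int, suffix: Tuple[str, ...]) -> None:
        path = (calls[i].name,) + suffix
        if not deps[i]:
            chains.add(path)          # reached a call with no tracked inputs: a source
            return
        for j in deps[i]:
            walk(j, path)

    for s in sinks:
        walk(s, ())
    return frozenset(chains)


def bigrams(calls: List[ApiCall]) -> FrozenSet[Tuple[str, str]]:
    """Baseline: adjacent-call pairs of the flat sequence, which obfuscation scrambles."""
    names = [c.name for c in calls]
    return frozenset(zip(names, names[1:]))


def jaccard(a: FrozenSet, b: FrozenSet) -> float:
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def chain_similarity(p: List[ApiCall], q: List[ApiCall]) -> float:
    return jaccard(backward_traces(p), backward_traces(q))


def bigram_similarity(p: List[ApiCall], q: List[ApiCall]) -> float:
    return jaccard(bigrams(p), bigrams(q))


# Constructed sample: write a file into the temp directory, then execute it.
PROGRAM_A = [
    ApiCall("GetTempPathA", ret="tmp"),
    ApiCall("CreateFileA", args=("tmp",), ret="h"),
    ApiCall("WriteFile", args=("h", "buf")),
    ApiCall("CloseHandle", args=("h",)),
    ApiCall("CreateProcessA", args=("tmp",)),
]

# Constructed obfuscated version: two junk calls inserted, two independent calls swapped.
PROGRAM_B = [
    ApiCall("GetTickCount", ret="t"),
    ApiCall("GetTempPathA", ret="tmp"),
    ApiCall("CreateFileA", args=("tmp",), ret="h"),
    ApiCall("Sleep", args=("t",)),
    ApiCall("WriteFile", args=("h", "buf")),
    ApiCall("CreateProcessA", args=("tmp",)),
    ApiCall("CloseHandle", args=("h",)),
]

if __name__ == "__main__":
    for chain in sorted(backward_traces(PROGRAM_B)):
        print(" -> ".join(chain))
    print("chain similarity  A~B:", chain_similarity(PROGRAM_A, PROGRAM_B))
    print("bigram similarity A~B:", bigram_similarity(PROGRAM_A, PROGRAM_B))
```

On these inputs the three behavioral chains of the original survive unchanged in the obfuscated version (chain similarity 0.75, the only new chain being the junk `GetTickCount -> Sleep` pair), whereas the flat bigram similarity collapses to 1/9. The same run also shows the limit of the approach that the abstract's 20 % figure hints at: junk calls that consume a tracked value create chains of their own, so every such insertion dilutes the Jaccard score, and enough of them will push two behaviorally identical programs below any fixed threshold.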
Notes
- 1.
Malware are programs that exhibit malicious behavior that can disrupt the proper functioning of a computing system and can cause damage to sensitive data or to other resident programs.
Copyright information
© 2017 Springer Science+Business Media Singapore
About this paper
Cite this paper
Raman, D., Bezawada, B., Rajinikanth, T.V., Sathyanarayan, S. (2017). Static Program Behavior Tracing for Program Similarity Quantification. In: Satapathy, S., Prasad, V., Rani, B., Udgata, S., Raju, K. (eds) Proceedings of the First International Conference on Computational Intelligence and Informatics . Advances in Intelligent Systems and Computing, vol 507. Springer, Singapore. https://doi.org/10.1007/978-981-10-2471-9_31
DOI: https://doi.org/10.1007/978-981-10-2471-9_31
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-2470-2
Online ISBN: 978-981-10-2471-9
eBook Packages: Engineering; Engineering (R0)