
Static extracting method of software intended behavior based on API functions invoking

Wuhan University Journal of Natural Sciences

Abstract

Precisely extracting and describing the intended behavior of software has become one of the key points in the dynamic and trusted authentication of software behavior. This paper proposes a specific method for statically extracting SIBDS (software intended behaviors describing sets) from the binary executable, based on the software's API function invocations, and defines in detail the structure used to store the SIBDS. Experimental results demonstrate that the extraction method and the storage structure definition offer three strong properties: (i) they describe the software's intended behavior accurately; (ii) they require only a small storage expense; (iii) they provide strong capability to defend against mimicry attacks.

Author information

Correspondence to Huanguo Zhang.

Additional information

Foundation item: Supported by the National Natural Science Foundation of China (60673071, 60743003, 90718005, 90718006) and the National High Technology Research and Development Program of China (863 Program) (2006AA01Z442, 2007AA01Z411)

About this article

Cite this article

Peng, G., Pan, X., Fu, J. et al. Static extracting method of software intended behavior based on API functions invoking. Wuhan Univ. J. Nat. Sci. 13, 615–620 (2008). https://doi.org/10.1007/s11859-008-0521-6

  • DOI: https://doi.org/10.1007/s11859-008-0521-6
