
On Malfunction, Mechanisms and Malware Classification

Philosophy & Technology

Abstract

Malware has been around since the 1980s and is today a large and expensive security concern that has grown steadily over the past years. As our social, professional and financial lives become more digitalised, they present larger and more profitable targets for malware. The problem of classifying and preventing malware is therefore urgent, and it is complicated by the existence of several specific approaches. In this paper, we use an existing malware taxonomy to formulate a general, language-independent functional description of malware as transformers between states of the host system, described by a trust relation with its components. This description is then further generalised in terms of mechanisms, thereby contributing to a general understanding of malware. The aim is to use the latter in order to present an improved classification method for malware.

Notes

  1. For a general introduction, see Houkes and Vermaas (2010).

  2. An organisation might also have security violations in administrative, communications, personnel or physical security, for example. Security is from the perspective of the system to be secured, i.e. there is not one absolute concept.

  3. NIST glossary entry: https://csrc.nist.gov/Glossary/?term=5475.

  4. See Alberts et al. (2004, p.3). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.

  5. See, e.g. Sikorski and Honig (2012, Ch.0).

  6. For early classifications, see Cohen (1987) and Denning (1988).

  7. See https://standards.ieee.org/develop/indconn/icsg/mmdef.html.

  8. See http://grouper.ieee.org/groups/malware/malwg/Schema1.2/full_clean_file_example.xml.

  9. It is interesting to note that MAEC capabilities were first called mechanisms.

  10. See https://oasis-open.github.io/cti-documentation/examples/identifying-a-threat-actor-profile.

  11. Writing in 2006, Rutkowska (2006) marks this type as uninteresting. The more recent prevalence of ransomware, which uses normal system features to disrupt the user’s tasks to extort money, indicates that type 0 malware can nonetheless significantly harm an organisation’s security architecture.

  12. For a canonical perspective on defining access control, see Bell and LaPadula (1973).

  13. The following definition is formulated as a special case of the more general one provided in Primiero and Taddeo (2012).

  14. See Spring and Hatleback (2017) and Spring and Illari (2018) for detailed discussion of the kill chain and its role in building knowledge in InfoSec.

  15. We do not claim this is the only way to analyze or describe the analysis of the situation. Some of these steps will be intuitive to professional malware analysts or program verification logicians. We view this similarity as a main contribution. By casting malware analysis in this mechanistic lens, we can see similarities between fields in biology and computer science that otherwise appear starkly dissimilar.

References

  • Addis, B., & Garrick, S. (2014). Botnet takedowns—our GameOver Zeus experience. In Botconf, Nancy, France, Dec 3. AILB-IBFA.

  • Alberts, C, Dorofee, A, Killcrece, G, Ruefle, R, Zajicek, M. (2004). Defining incident management processes for CSIRTS: a work in progress. Technical Report CMU/SEI-2004-TR-015. Software Engineering Institute, Carnegie Mellon University.

  • AV-Test. (2017). Malware Statistics. Technical report. The Independent IT-Security Institute.

  • Bechtel, W, & Richardson, RC. (1993). Discovering complexity: decomposition and localization as strategies in scientific research, 1st edn. Princeton: Princeton University Press.

  • Beck, D., Kirillov, I., Chase, P. (2012). The MAEC language—overview. Technical report. The Mitre Corporation.

  • Bell, D.E., & LaPadula, L.J. (1973). Secure computer systems: mathematical foundations. Technical Report MTR-2547 (Vol. 1). MITRE Corp.: Bedford.

  • Caltagirone, S, Pendergast, A, Betz, C. (2013). The diamond model of intrusion analysis. Technical report, Center for Cyber Intelligence Analysis and Threat Research. http://www.threatconnect.com/methodology/diamond_model_of_intrusion_analysis.

  • CERT/CC. (2017). Basic fuzzing framework (bff). https://www.cert.org/vulnerability-analysis/tools/bff.cfm. Accessed Feb 6, 2017.

  • Cohen, F. (1987). Computer viruses: theory and experiments. Computers and Security, 6(1), 22–35.

  • Craver, CF. (2001). Role functions, mechanisms, and hierarchy. Philosophy of Science, 68, 53–74.

  • Craver, CF. (2007). Explaining the brain: mechanisms and the mosaic of unity of neuroscience. Oxford: Oxford University Press.

  • Darden, L. (2006). Reasoning in biological discoveries: essays on mechanisms, interfield relations, and anomaly resolution. Cambridge: Cambridge University Press.

  • Denning, P. (1988). Computer viruses. Technical report. Research Inst. for Advanced Computer Science.

  • Erdélyi, G. (2004). Hide ‘n’ seek? Anatomy of stealth malware. Technical report. F-Secure Corporation.

  • Floridi, L, Fresco, N, Primiero, G. (2015). On malfunctioning software. Synthese, 192(4), 1199–1220.

  • Fresco, N., & Primiero, G. (2013). Miscomputation. Philosophy & Technology, 26(3), 253–272.

  • Galmiche, D, Méry, D, Pym, D. (2005). The semantics of BI and resource tableaux. Mathematical Structures in Computer Science, 15(06), 1033–1088.

  • Glennan, S., & Illari, P. (2017). Mechanisms and the new mechanical philosophy. Evanston: Routledge.

  • ICSG Malware Metadata Exchange Format Working Group. (2011). Malware metadata exchange format behavioral.

  • Hatleback, E, & Spring, JM. (2018). A refinement to the general mechanistic account. European Journal of Philosophy of Science. In press.

  • Houkes, W, & Vermaas, PE. (2010). Technical functions—on the use and design of artefacts, volume 1 of Philosophy of Engineering and Technology. Berlin: Springer.

  • Howard, JD, & Longstaff, TA. (1998). A common language for computer security incidents. Technical Report SAND98-8667, Sandia National Laboratories.

  • Hutchins, E M, Cloppert, MJ, Amin, RM. (2011). Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Leading Issues in Information Warfare & Security Research, 1, 80.

  • Illari, P., & Williamson, J. (2012). What is a mechanism? Thinking about mechanisms across the sciences. European Journal for Philosophy of Science, 2, 119–135.

  • Jacob, G, Debar, H, Filiol, E. (2008). Behavioral detection of malware: from a survey towards an established taxonomy. Journal in Computer Virology, 4(3), 251–266.

  • Jespersen, B., & Carrara, M. (2011). Two conceptions of technical malfunction. Theoria, 77(2), 117–138.

  • Jespersen, B, & Carrara, M. (2013). A new logic of technical malfunction. Studia Logica, 101(3), 547–581.

  • Jin, W, Cohen, C, Gennari, J, Hines, C, Chaki, S, Gurfinkel, A, Havrilla, J, Narasimhan, P. (2014). Recovering C++ objects from binaries using inter-procedural data-flow analysis. In Program Protection and Reverse Engineering Workshop. San Diego: ACM.

  • Kramer, S, & Bradfield, JC. (2010). A general definition of malware. Journal in Computer Virology, 6(2), 105–114.

  • Kroes, P. (2012). Proper functions and technical artefact kinds (pp. 89–125). Netherlands: Springer.

  • Lamport, L. (1977). Proving the correctness of multiprocess programs. IEEE Transactions on Software Engineering, SE-3(2), 125–143.

  • Lawrence Livermore National Laboratory. (2016). Rose compiler infrastructure. http://rosecompiler.org/.

  • MITRE. (2015). Common weakness enumeration: a community-developed dictionary of software weakness types v2.9. http://cwe.mitre.org.

  • Falliere, E., Chien, N., Murchu, L.O. (2011). Symantec security response, v.1.4. w32.stuxnet dossier.

  • O’Hearn, P.W. (2015). From categorical logic to Facebook engineering. In Logic in Computer Science (LICS) (pp. 17–20): IEEE.

  • Piccinini, G. (2007). Computing mechanisms. Philosophy of Science, 74(4), 501–526.

  • Primiero, G, & Taddeo, M. (2012). A modal type theory for formalizing trusted communications. Journal of Applied Logic, 10(1), 92–114.

  • Pym, D, Spring, JM., O’Hearn, P. (2018). Why separation logic works. Philosophy & Technology. https://doi.org/10.1007/s13347-018-0312-8.

  • Rhee, J., Riley, R., Xu, D., Jiang, X. (2009). Defeating dynamic data kernel rootkit attacks via vmm-based guest-transparent monitoring. In 2009 international conference on availability, reliability and security (pp. 74–81).

  • Rossow, C, Dietrich, CJ, Grier, C, Kreibich, C, Paxson, V, Pohlmann, N, Bos, H, Van Steen, M. (2012). Prudent practices for designing malware experiments: status quo and outlook. In IEEE symposium on security and privacy (S&P) (pp. 65–79).

  • Rutkowska, J. (2006). Introducing stealth malware taxonomy. Technical report, COSEINC Advanced Malware Labs.

  • Salomon, D. (2006). Foundations of computer security. Berlin: Springer.

  • Schaefer, R. (2009). The epistemology of computer security. SIGSOFT Software Engineering Notes, 34(6), 8–10.

  • Shirey, R. (2007). Internet Security Glossary, Version 2. RFC 4949.

  • Sikorski, M., & Honig, A. (2012). Practical malware analysis: the hands-on guide to dissecting malicious software, 1st edn. San Francisco: No Starch Press.

  • Spring, J.M., & Hatleback, E. (2017). Thinking about intrusion kill chains as mechanisms. Journal of Cybersecurity, 3(3), 185–197.

  • Spring, J.M., & Illari, P. (2018). Building general knowledge of mechanisms in information security. Philosophy & Technology. https://doi.org/10.1007/s13347-018-0329-z.

  • Szor, P. (2005). The art and craft of computer virus research and defense. Reading: Addison-Wesley.

  • van Eck, D. (2016). The philosophy of science and engineering design. Springer International Publishing.

  • Weaver, N., Paxson, V., Staniford, S., Cunningham, R. (2003). A taxonomy of computer worms. In S. Staniford, & S. Savage (Eds.) Proceedings of the 2003 ACM Workshop on Rapid Malcode, WORM 2003, Washington, DC, USA, October 27, 2003 (pp. 11–18): ACM Press.

Acknowledgments

This research was conducted while Giuseppe Primiero and Frida Solheim were affiliated to the Department of Computer Science, Middlesex University London (UK).

Giuseppe Primiero was partially supported by the Project PROGRAMme ANR-17-CE38-0003-01.

Jonathan Spring was supported by University College London’s Overseas Research Scholarship and Graduate Research Scholarship.

Corresponding author

Correspondence to Giuseppe Primiero.

Cite this article

Primiero, G., Solheim, F.J. & Spring, J.M. On Malfunction, Mechanisms and Malware Classification. Philos. Technol. 32, 339–362 (2019). https://doi.org/10.1007/s13347-018-0334-2

  • DOI: https://doi.org/10.1007/s13347-018-0334-2