Deobfuscation of Computer Virus Malware Code with Value State Dependence Graph

  • Ivan Dychka
  • Ihor Tereikovskyi
  • Liudmyla Tereikovska
  • Volodymyr Pogorelov
  • Shynar Mussiraliyeva
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 754)

Abstract

This paper deals with improving the efficiency of malware protection. An analysis of applied research on malware protection shows that improving the methods for deobfuscating the program code under analysis is one of the main ways to increase the efficiency of malware recognition. The paper demonstrates that the main drawback of current deobfuscation methods is that they are insufficiently adapted to a formalized representation of the functional semantics of the programs under test. Based on the research results, we suggest that theoretical solutions already proven in program code optimization procedures may be applied to code deobfuscation. In the course of the study we developed a program code deobfuscation procedure that uses a value state dependence graph. The procedure was found to represent the functional semantics of the programs under test in graph form; as a result, malware can be identified by its execution semantics. The paper shows that further research should focus on developing a method for comparing the value state dependence graph of the program under test with the corresponding graphs of security software and malware.
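The abstract's central claim is that a value state dependence graph (VSDG) captures what a program computes independently of how the instructions are written down, so that syntactic obfuscation (register renaming, reordering, redundant copies, dead arithmetic) collapses away. The following Python is an added illustration of that idea, not the paper's procedure or code. It assumes a constructed toy three-address IR (`const`, `mov`, `add`, `sub`, `mul`, `load`, `store`, `ret`), hash-conses nodes by `(op, operands)` so structurally equal computations share one node, sorts the operands of `add`/`mul` (a commutativity normalisation borrowed from compiler optimisation rather than part of the VSDG definition), and threads a simplified memory state through loads and stores (real VSDG variants handle state edges more carefully). Nodes not reachable from the `ret` node are dead code and never appear in the canonical form.

```python
"""Added example (not from the paper): toy VSDG builder as a normal form
for deobfuscation. IR, programs and state handling are all constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple    # a node's structural identity: (op, operand0, operand1, ...)
Instr = Tuple  # one IR instruction, e.g. ("add", "r3", "r1", "r2")

COMMUTATIVE = {"add", "mul"}


@dataclass
class VSDG:
    """Hash-consed node table: identical (op, operands) keys map to one node."""
    nodes: Dict[Key, int] = field(default_factory=dict)

    def node(self, op: str, *operands) -> Key:
        if op in COMMUTATIVE:
            # assumption: sort operands so a+b and b+a share one node
            operands = tuple(sorted(operands, key=repr))
        key: Key = (op,) + tuple(operands)
        self.nodes.setdefault(key, len(self.nodes))
        return key


def build_vsdg(program: List[Instr]) -> Tuple[VSDG, Key]:
    """Forward scan over the IR; returns the graph and the root ('ret') node."""
    g = VSDG()
    regs: Dict[str, Key] = {}      # register name -> node currently holding it
    state = g.node("state0")       # initial memory state (simplified model)
    root = None
    for ins in program:
        op, args = ins[0], ins[1:]
        if op == "const":
            regs[args[0]] = g.node("const", args[1])
        elif op == "mov":
            regs[args[0]] = regs[args[1]]   # a copy creates no node at all
        elif op in ("add", "sub", "mul"):
            regs[args[0]] = g.node(op, regs[args[1]], regs[args[2]])
        elif op == "load":                  # load dst, [addr]: reads current state
            regs[args[0]] = g.node("load", regs[args[1]], state)
        elif op == "store":                 # store [addr], src: produces new state
            state = g.node("store", regs[args[0]], regs[args[1]], state)
        elif op == "ret":
            root = g.node("ret", regs[args[0]], state)
        else:
            raise ValueError(f"unknown instruction {op!r}")
    if root is None:
        raise ValueError("program has no ret")
    return g, root


def canonical(key: Key) -> str:
    """Structural string of the sub-graph rooted at key (dead nodes are never visited)."""
    args = ", ".join(canonical(k) if isinstance(k, tuple) else repr(k) for k in key[1:])
    return f"{key[0]}({args})"


def reachable(key: Key, seen: Optional[Set[Key]] = None) -> Set[Key]:
    """All nodes the root depends on; anything else in the table is dead code."""
    seen = set() if seen is None else seen
    if key not in seen:
        seen.add(key)
        for k in key[1:]:
            if isinstance(k, tuple):
                reachable(k, seen)
    return seen


def same_semantics(p1: List[Instr], p2: List[Instr]) -> bool:
    """True when both programs collapse to the same VSDG."""
    return canonical(build_vsdg(p1)[1]) == canonical(build_vsdg(p2)[1])


# Constructed sample: (3 + 4)^2 stored to address 0x10 and read back.
CLEAN: List[Instr] = [
    ("const", "r1", 3), ("const", "r2", 4),
    ("add", "r3", "r1", "r2"), ("mul", "r4", "r3", "r3"),
    ("const", "p", 0x10), ("store", "p", "r4"),
    ("load", "r5", "p"), ("ret", "r5"),
]

# Same computation after renaming, reordering, operand swapping, redundant
# copies and dead arithmetic (constructed "obfuscated" variant).
OBFUSCATED: List[Instr] = [
    ("const", "t9", 4), ("const", "t7", 3),
    ("const", "junk", 99), ("sub", "junk2", "junk", "t7"),
    ("add", "t1", "t9", "t7"), ("mov", "t2", "t1"),
    ("mul", "t3", "t2", "t1"), ("const", "addr", 0x10),
    ("store", "addr", "t3"), ("load", "out", "addr"),
    ("mov", "out2", "out"), ("ret", "out2"),
]

# Genuinely different semantics: (3 + 4) * 3 instead of (3 + 4)^2.
DIFFERENT: List[Instr] = [r if r[0] != "mul" else ("mul", "r4", "r3", "r1") for r in CLEAN]

if __name__ == "__main__":
    for name, prog in (("clean", CLEAN), ("obfuscated", OBFUSCATED), ("different", DIFFERENT)):
        g, root = build_vsdg(prog)
        print(f"{name:10s} nodes={len(g.nodes)} live={len(reachable(root))}\n  {canonical(root)}")
    print("clean == obfuscated:", same_semantics(CLEAN, OBFUSCATED))
    print("clean == different :", same_semantics(CLEAN, DIFFERENT))
```

The obfuscated listing builds eleven nodes but only nine are reachable from `ret`, and its canonical form is identical to the clean listing's; the variant that changes the multiplication produces a different form. The comparison step the abstract leaves for future work (matching a program's VSDG against graphs of known benign and malicious code) would start from exactly this kind of canonical representation.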

Keywords

  • Deobfuscation
  • Value state dependence graph
  • Malware
  • Code optimization


Copyright information

© Springer International Publishing AG, part of Springer Nature 2019

Authors and Affiliations

  1. National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”, Kyiv, Ukraine
  2. Kyiv National University of Construction and Architecture, Kyiv, Ukraine
  3. Al-Farabi Kazakh National University, Almaty, Kazakhstan