Malware Behavior Modeling with Colored Petri Nets

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8838)


We propose a solution that provides a system operator with a mechanism for tracking and tracing malware behavior, which in consequence leads to its detection and neutralization. The detection is performed in two steps. First, single malicious activities are identified and filtered out. As they arrive from the identification module, they are compared with malware models constructed in the form of Colored Petri nets. In this article we present our approach to malware modeling. The proposed method was implemented and verified in practice in a laboratory environment with emulated malicious activity at the host level.


Keywords: malware, cyber attack, Colored Petri net, malware detection, behavioral analysis
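As an added example (not code from the paper) of the second detection step described in the abstract: activities already reported by the identification module are matched against a malware behavior model expressed as a small Colored Petri net, with the token colour tying successive steps to one process. The activity names, the three-transition model and the event stream are constructed for illustration.

```python
from collections import defaultdict

# Added example, not the paper's code: a minimal Colored Petri net (CPN) engine. Places
# hold coloured tokens (colour = the process id an activity was attributed to); each
# transition is labelled with the single malicious activity the identification step
# must report for it to fire. A transition with no input places acts as a source.

class CPN:
    def __init__(self, transitions):
        # transitions: list of (name, activity, input_places, output_places)
        self.transitions = transitions
        self.marking = defaultdict(list)   # place name -> list of token colours

    def offer(self, activity, colour):
        """Present one identified activity to the net; return the transitions that fired."""
        fired = []
        for name, act, ins, outs in self.transitions:
            if act != activity:
                continue
            # binding: every input place must hold a token of this colour (same process)
            if not all(colour in self.marking[p] for p in ins):
                continue
            for p in ins:
                self.marking[p].remove(colour)
            for p in outs:
                self.marking[p].append(colour)
            fired.append(name)
        return fired

# Constructed behaviour model (hypothetical dropper): write an executable, persist
# through a registry Run key, then open an outbound connection, all from one process.
DROPPER_MODEL = [
    ("t_drop",    "file_write_exec",  [],            ["dropped"]),
    ("t_persist", "registry_run_key", ["dropped"],   ["persisted"]),
    ("t_beacon",  "outbound_connect", ["persisted"], ["detected"]),
]

def detect(events):
    """Feed (activity, pid) pairs from the identification module; return pids reaching 'detected'."""
    net = CPN(DROPPER_MODEL)
    for activity, pid in events:
        net.offer(activity, pid)
    return sorted(set(net.marking["detected"]))

# Constructed input: pid 1337 completes the sequence, pid 42 only connects out,
# pid 7 drops and persists but never connects, so only 1337 is reported.
SAMPLE_EVENTS = [
    ("file_write_exec", 1337), ("outbound_connect", 42), ("file_write_exec", 7),
    ("registry_run_key", 1337), ("registry_run_key", 7), ("outbound_connect", 1337),
]
```

Because tokens are consumed when a transition fires, an activity observed out of order (for example a connection before persistence) does not advance the model, which is what keeps the full sequence, rather than any single activity, the trigger for a detection.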



Copyright information

© IFIP International Federation for Information Processing 2014

Authors and Affiliations

  1. C4I Systems’ Department, Military Communication Institute, Zegrze, Poland
  2. Department of Applied Computer Science, AGH University of Science and Technology, Kraków, Poland
