Architecture of a morphological malware detector

  • Eicar 2008 extended version
  • Journal in Computer Virology

Abstract

Most malware detectors are based on syntactic signatures that identify known malicious programs. Up to now this architecture has been efficient enough to stop most malware attacks. Nevertheless, the complexity of malicious code keeps increasing, and as a result the time required to reverse engineer malicious programs and to forge new signatures keeps growing. This study proposes an efficient construction of a morphological malware detector, that is, a detector that combines syntactic and semantic analysis. It aims at easing the task of malware analysts by providing some abstraction in the signature representation, which is based on control flow graphs. We build an efficient signature matching engine on top of tree automata techniques. Moreover, we describe a generic graph rewriting engine in order to deal with classic mutation techniques. Finally, we provide a preliminary evaluation of the detection strategy by carrying out experiments on a malware collection.
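To make the pipeline sketched in the abstract concrete (a control-flow-graph signature, a rewriting step that absorbs classic mutations, then matching), here is an added toy in Python that is not the paper's code: the listing format, the reduction to flow-changing instructions, the two rewriting rules (junk skipping and jump-to-jump elimination) and the sample programs are my own assumed simplifications, and matching is done by comparing a canonical form of the reduced graph rather than with the tree automata the paper builds.

```python
# Added toy of a morphological matcher (not the paper's code): a listing becomes
# a CFG, junk and jump chains are rewritten away, canonical forms are compared.
FLOW = {"jmp", "jcc", "call", "ret"}   # instructions that shape control flow

def build_cfg(program):
    """Space-separated 'mnem' / 'mnem:target' tokens -> {index: (mnem, [succ])}."""
    toks = program.split()
    cfg = {}
    for i, tok in enumerate(toks):
        mnem, _, tgt = tok.partition(":")
        succ = [i + 1] if mnem not in ("jmp", "ret") and i + 1 < len(toks) else []
        if tgt:                                    # control-transfer edge
            succ.append(int(tgt))
        cfg[i] = (mnem, succ)                      # fall-through edge is first
    return cfg

def resolve(cfg, a):
    """Skip junk (non-flow, one successor) and jmp chains; stop on a repeat."""
    seen = set()
    while a not in seen:
        seen.add(a)
        mnem, succ = cfg[a]
        if len(succ) != 1 or (mnem in FLOW and mnem != "jmp"):
            break
        a = succ[0]
    return a

def canonical(cfg, entry):
    """Relabel reachable nodes in traversal order: isomorphic graphs -> same tuple."""
    order, stack = {}, [entry]
    while stack:
        a = stack.pop()
        if a not in order:
            order[a] = len(order)
            stack.extend(reversed(cfg[a][1]))
    return tuple((cfg[a][0], tuple(order[s] for s in cfg[a][1]))
                 for a in sorted(order, key=order.get))

def signature_of(program, entry=0):
    """Build, rewrite (redirect every edge past junk and jump chains), canonicalise."""
    cfg = build_cfg(program)
    reduced = {a: (m, [resolve(cfg, s) for s in succ]) for a, (m, succ) in cfg.items()}
    return canonical(reduced, resolve(cfg, entry))

# Constructed samples: a reference program and a mutant of it with nops and
# jump-to-jump chains inserted; both reduce to the same signature graph.
ORIGINAL = "mov cmp jcc:5 call:6 jmp:1 ret mov ret"
MUTATED = "nop jmp:9 cmp nop jcc:8 call:10 nop jmp:2 ret jmp:2 nop ret"
SIGNATURE = signature_of(ORIGINAL)
```

A rule that only removes junk or only collapses jump chains would miss this mutant; the fixpoint in `resolve` is what makes both variants fall onto one signature graph, while an unrelated program such as `mov jcc:3 ret ret` still yields a different form.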



Corresponding author

Correspondence to Matthieu Kaczmarek.

Cite this article

Bonfante, G., Kaczmarek, M. & Marion, JY. Architecture of a morphological malware detector. J Comput Virol 5, 263–270 (2009). https://doi.org/10.1007/s11416-008-0102-4

  • DOI: https://doi.org/10.1007/s11416-008-0102-4