
Malware Deception with Automatic Analysis and Generation of HoneyResource

Chapter in: Autonomous Cyber Deception

Abstract

Malware often contains many system-resource-sensitive condition checks, for example to avoid duplicate infection, to make sure required resources are available, or to infect only targeted computers. If we are able to extract these system resource constraints from malware binary code and manipulate the environment state as a HoneyResource, we can deceive malware for defensive purposes, e.g., immunize a computer against infection or trick malware into believing something. Towards this end, this chapter introduces our preliminary systematic study and a prototype system, AutoVac, for automatically extracting system resource constraints from malware code and generating HoneyResources (e.g., malware vaccines) based on those resource conditions.
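As an illustration of the abstract's idea, added here and not code from the chapter or the AutoVac prototype: the chapter derives resource constraints from the malware binary, whereas this example assumes that per-probe observations (API, resource name, whether the resource existed, and whether the sample continued or exited) are already available, and derives from them which resource state acts as a vaccine. The trace format, API and resource names and the two sandbox runs are constructed; the last probe also shows the targeted-infection case, where the vaccine is the absence of a marker rather than its presence.

```python
import re
from collections import defaultdict

# Trace line format (constructed for this example, not the chapter's own): the API that
# probed a resource, the resource name, whether it existed, and what the sample did next.
LINE_RE = re.compile(r'^(?P<api>\w+) name="(?P<name>[^"]+)" '
                     r'state=(?P<state>present|absent) outcome=(?P<outcome>continue|exit)$')

# Constructed observations of a hypothetical sample, aggregated over sandbox runs:
# RUN_CLEAN with no resource pre-created, RUN_SEEDED with every probed resource present.
RUN_CLEAN = r"""CreateMutexW name="Global\SampleBot_Mtx" state=absent outcome=continue
RegOpenKeyExW name="HKCU\Software\SampleBot" state=absent outcome=continue
CreateFileW name="C:\Windows\Temp\sb.lock" state=absent outcome=continue
RegOpenKeyExW name="HKLM\Software\SampleTargetMarker" state=absent outcome=exit"""
RUN_SEEDED = r"""CreateMutexW name="Global\SampleBot_Mtx" state=present outcome=exit
RegOpenKeyExW name="HKCU\Software\SampleBot" state=present outcome=continue
CreateFileW name="C:\Windows\Temp\sb.lock" state=present outcome=exit
RegOpenKeyExW name="HKLM\Software\SampleTargetMarker" state=present outcome=continue"""

def parse_trace(text):
    """Parse one trace into dicts, rejecting malformed lines rather than skipping them."""
    obs = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparsable trace line: {line!r}")
        obs.append(m.groupdict())
    return obs

def extract_constraints(*runs):
    """Map each (api, resource) to the outcome the sample showed under each state."""
    table = defaultdict(dict)
    for run in runs:
        for o in parse_trace(run):
            table[(o["api"], o["name"])][o["state"]] = o["outcome"]
    return table

def generate_vaccines(table):
    """A resource is a HoneyResource candidate when its state alone flips the sample
    between 'continue' and 'exit'; the vaccine pins the state that makes it exit."""
    vaccines = []
    for (api, name), outcomes in sorted(table.items()):
        if set(outcomes.values()) != {"continue", "exit"}:
            continue  # seen in one state only, or state does not steer the infection path
        exit_state = next(s for s, out in outcomes.items() if out == "exit")
        vaccines.append({"api": api, "resource": name, "required_state": exit_state})
    return vaccines
```

The HKCU key is dropped because the sample continues whether or not it exists, so pre-creating it would change nothing; a resource observed in only one state yields no vaccine either, since its constraint is unknown.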


Change history

  • 01 February 2020

    This book was inadvertently published as an authored work with the chapter authors mentioned in the footnotes of the chapter opening pages. This has now been updated and the chapter authors have been mentioned in the respective chapter opening pages as mentioned below:

References

  1. Anubis: Analyzing Unknown Binaries. https://seclab.cs.ucsb.edu/academic/projects/projects/anubis/.

  2. DynamoRIO. http://dynamorio.org/.

  3. malc0de. http://malc0de.com/database/.

  4. Temu. http://bitblaze.cs.berkeley.edu/temu.html.

  5. VirusTotal. https://www.virustotal.com/.

  6. Zeus Trojan horse. http://en.wikipedia.org/wiki/Zeus_(Trojan_horse).

  7. T. Avgerinos, E. Schwartz, and D. Brumley. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In Proc. of IEEE S&P 2010.

  8. A. Zeller. Isolating cause-effect chains from computer programs. In Proc. of the 10th ACM SIGSOFT Symposium on Foundations of Software Engineering, 2002.

  9. U. Bayer, P. Milani, C. Hlauschek, C. Kruegel, and E. Kirda. Scalable, behavior-based malware clustering. In Proc. of NDSS’09, 2009.

  10. D. Brumley, I. Jager, T. Avgerinos, and E. J. Schwartz. BAP: A binary analysis platform. In Proc. of Computer Aided Verification (CAV), July 2011.

  11. J. Caballero, P. Poosankam, C. Kreibich, and D. Song. Dispatcher: Enabling active botnet infiltration using automatic protocol reverse-engineering. In Proc. of ACM CCS’09, 2009.

  12. D. Canali, A. Lanzi, D. Balzarotti, C. Kruegel, M. Christodorescu, and E. Kirda. A quantitative study of accuracy in system call-based malware detection. In Proc. of the International Symposium on Software Testing and Analysis, 2012.

  13. L. Cavallaro, P. Saxena, and R. Sekar. On the limits of information flow techniques for malware analysis and containment. In DIMVA 2008.

  14. M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-end containment of internet worms. In Proc. of SOSP’05, pages 133–147, Brighton, United Kingdom, 2005.

  15. M. Fredrikson, S. Jha, M. Christodorescu, R. Sailer, and X. Yan. Synthesizing near-optimal malware specifications from suspicious behaviors. In Proc. of the 2010 IEEE Symposium on Security and Privacy, 2010.

  16. S. T. King and P. M. Chen. Backtracking intrusions. In Proc. of the ACM Symposium on Operating Systems Principles, October 2003.

  17. C. Kolbitsch, P. Milani Comparetti, C. Kruegel, E. Kirda, X. Zhou, and X. Wang. Effective and efficient malware detection at the end host. In Proc. of USENIX Security’09, 2009.

  18. C. Kolbitsch, T. Holz, C. Kruegel, and E. Kirda. Inspector Gadget: Automated extraction of proprietary gadgets from malware binaries. In Proc. of IEEE S&P’10, 2010.

  19. J. Z. Kolter and M. A. Maloof. Learning to detect and classify malicious executables in the wild. J. Mach. Learn. Res., 7:2721–2744, December 2006.

  20. A. Lanzi, D. Balzarotti, C. Kruegel, M. Christodorescu, and E. Kirda. AccessMiner: Using system-centric models for malware protection. In Proc. of the 17th ACM CCS, 2010.

  21. Z. Lin, X. Zhang, and D. Xu. Automatic reverse engineering of data structures from binary execution. In Proc. of the 17th Annual Network and Distributed System Security Symposium (NDSS’10), San Diego, CA, February 2010.

  22. L. Martignoni, E. Stinson, M. Fredrikson, S. Jha, and J. C. Mitchell. A layered architecture for detecting malicious behaviors. In RAID 2008.

  23. A. Moser, C. Kruegel, and E. Kirda. Exploring multiple execution paths for malware analysis. In Proc. of IEEE S&P’07, 2007.

  24. M. Sharif, A. Lanzi, J. Giffin, and W. Lee. Impeding malware analysis using conditional code obfuscation. In Proc. of NDSS’08, 2008.

  25. N. Johnson, J. Caballero, Z. Chen, S. McCamant, P. Poosankam, D. Reynaud, and D. Song. Differential slicing: Identifying causal execution differences for security applications. In Proc. of the 2011 IEEE Symposium on Security and Privacy, 2011.

  26. P. Porras, H. Saidi, and V. Yegneswaran. An analysis of Conficker’s logic and rendezvous points. http://mtc.sri.com/Conficker/, 2009.

  27. I. Trestian, S. Ranjan, A. Kuzmanovic, and A. Nucci. Unconstrained endpoint profiling (Googling the Internet). In Proc. of ACM SIGCOMM’08, 2008.

  28. A. Wichmann and E. Gerhards-Padilla. Using infection markers as a vaccine against malware attacks. In Proc. of the 2nd Workshop on Security of Systems and Software Resiliency, 2012.

  29. J. Wilhelm and T. Chiueh. A forced sampled execution approach to kernel rootkit identification. In Proc. of RAID’07, 2007.

  30. X. Hu, T. Chiueh, and K. G. Shin. Large-scale malware indexing using function-call graphs. In Proc. of ACM CCS’09, 2009.

  31. Z. Xu, J. Zhang, G. Gu, and Z. Lin. AutoVac: Towards automatically extracting system resource constraints and generating vaccines for malware immunization. In Proc. of the 33rd International Conference on Distributed Computing Systems (ICDCS’13), Philadelphia, July 2013.

  32. X. Wang, Z. Li, J. Xu, M. Reiter, C. Kil, and J. Choi. Packet vaccine: Black-box exploit detection and signature generation. In Proc. of ACM CCS’06, 2006.


Acknowledgements

An early version of this chapter appeared in ICDCS’13 [31]. This research is partially supported by NSF (Grant No. CNS-0954096), AFOSR (Grant No. FA9550-13-1-0077), and DARPA (Grant No. 12011593). All opinions, findings, and conclusions or recommendations expressed herein are those of the authors and do not necessarily reflect the views of NSF, AFOSR, or DARPA.

Author information


Correspondence to Guofei Gu.


Copyright information

© 2019 Springer Nature Switzerland AG

About this chapter


Cite this chapter

Xu, Z., Zhang, J., Lin, Z., Gu, G. (2019). Malware Deception with Automatic Analysis and Generation of HoneyResource. In: Al-Shaer, E., Wei, J., Hamlen, K., Wang, C. (eds) Autonomous Cyber Deception. Springer, Cham. https://doi.org/10.1007/978-3-030-02110-8_11


  • DOI: https://doi.org/10.1007/978-3-030-02110-8_11


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-02109-2

  • Online ISBN: 978-3-030-02110-8
