Abstract
Malicious software, referred to as malware, is software that has infiltrated a computer without the authorization of the computer (or its owner). Typical categories of malicious code include Trojan horses, viruses, worms, etc. Malware has been a major cause of concern for information security. With the growth in complexity of computing systems and the ubiquity of information due to the WWW, detection of malware has become horrendously complex. In this paper, we survey the theory behind malware in order to present the challenges in detecting it. It is of interest to note that the power of malware (or, for that matter, computer warfare) can be seen in the theories proposed by the iconic scientists Alan Turing and John von Neumann. The malicious nature of malware can be broadly categorized as injury and infection, by analogy with the epidemiological framework. Along the same lines, the remedies can also be thought of through analogies with epidemiological notions such as disinfection, quarantine, environment control, etc. We discuss these aspects and relate them to notions of computability.
Adleman, in his seminal paper, extrapolated protection mechanisms such as quarantine, disinfection and certification. It may be noted that most of the remedies are, in general, undecidable. We discuss remedies that are being used and contemplated. One well-known restricted kind of remedy is to search for signatures of possible malware and detect it before it gets through to the computer. A large part of the current remedies rely on signature-based approaches, that is, on the detection of syntactic patterns. Recent trends in security incident reports show a huge increase in obfuscated exploits; note that with the majority of obfuscators, the execution behaviour remains the same while the code escapes syntactic recognition. Further, malware writers are using combinations of features from various types of classic malware, such as viruses and worms. Thus, it has become all the more necessary to take a holistic approach and arrive at detection techniques based on characterizations of malware behaviour that include the environment in which the malware is expected to execute.
In the paper, we first survey various approaches to behavioural characterization of malware, the difficulties of virus detection, practical virus detection techniques and protection mechanisms against viruses. Towards the end of the paper, we briefly discuss our new approach to detecting malware via a new method of validation in a quarantine environment and show our preliminary results for the detection of malware on systems that are expected to carry an a priori known set of software.
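The contrast drawn above between syntactic (signature) recognition and behavioural characterization can be made concrete with a toy, fully constructed example; this is added illustration, not code from the paper, and the mini instruction set, register names and the "open then write" effect pattern are all assumptions made for the demonstration.

```python
# Toy illustration: a syntactic signature misses a behaviour-preserving rewrite,
# while a semantics-aware check that inspects the program's effects catches both.
# The instruction set below is constructed for this example (not any real ISA).

# Behaviour we want to detect: the program opens resource 7 and then writes to it.
SENSITIVE_EFFECT = [("open", 7), ("write", 7)]

# Original sample; its signature is the exact (contiguous) instruction sequence.
ORIGINAL = [("load", "r0", 7), ("sys", "open", "r0"), ("sys", "write", "r0")]
SIGNATURE = tuple(ORIGINAL)

# Same behaviour, different syntax: renamed register, split constant, nops inserted.
OBFUSCATED = [("load", "r1", 3), ("nop",), ("add", "r1", 4), ("nop",),
              ("sys", "open", "r1"), ("nop",), ("sys", "write", "r1")]

# Benign sample for contrast: opens the resource but never writes to it.
BENIGN = [("load", "r0", 7), ("sys", "open", "r0")]


def signature_match(program, signature):
    """Syntactic detector: is the signature present as a contiguous subsequence?"""
    n = len(signature)
    return any(tuple(program[i:i + n]) == signature
               for i in range(len(program) - n + 1))


def execute(program):
    """Interpreter for the toy ISA; returns the trace of (effect, argument) pairs."""
    regs, trace = {}, []
    for ins in program:
        op = ins[0]
        if op == "load":
            regs[ins[1]] = ins[2]
        elif op == "add":
            regs[ins[1]] = regs.get(ins[1], 0) + ins[2]
        elif op == "sys":
            trace.append((ins[1], regs.get(ins[2])))
        elif op != "nop":
            raise ValueError(f"unknown instruction {op}")
    return trace


def behaviour_match(program, effect=SENSITIVE_EFFECT):
    """Semantics-aware detector: does the effect trace contain the pattern in order?"""
    trace, n = execute(program), len(effect)
    return any(trace[i:i + n] == effect for i in range(len(trace) - n + 1))


if __name__ == "__main__":
    for name, prog in (("original", ORIGINAL), ("obfuscated", OBFUSCATED), ("benign", BENIGN)):
        print(f"{name:10s} signature={signature_match(prog, SIGNATURE)} "
              f"behaviour={behaviour_match(prog)}")
```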
The work was partially supported under Indo-Trento Promotion for Advanced Research.
References
Adleman, L.M.: An abstract theory of computer viruses. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 354–374. Springer, Heidelberg (1990)
Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001)
Bhattacharjee, A.K., Sen, G., Dhodapkar, S.D., Karunakar, K., Rajan, B., Shyamasundar, R.K.: A system for object code validation. In: Joseph, M. (ed.) FTRTFT 2000. LNCS, vol. 1926, pp. 152–169. Springer, Heidelberg (2000)
Chow, S., Gu, Y., Johnson, H., Zakharov, V.A.: An approach to the obfuscation of control-flow of sequential computer programs. In: Davida, G.I., Frankel, Y. (eds.) ISC 2001. LNCS, vol. 2200, pp. 144–155. Springer, Heidelberg (2001)
Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. In: SSYM 2003: Proceedings of the 12th conference on USENIX Security Symposium, Berkeley, CA, USA, pp. 12–12. USENIX Association (2003)
Christodorescu, M., Jha, S.: Testing malware detectors. In: ISSTA 2004: Proceedings of the 2004 ACM SIGSOFT international symposium on Software testing and analysis, pp. 34–44. ACM, New York (2004)
Christodorescu, M., Jha, S., Kruegel, C.: Mining specifications of malicious behavior. In: Crnkovic, I., Bertolino, A. (eds.) ESEC/SIGSOFT FSE, pp. 5–14. ACM, New York (2007)
Christodorescu, M., Jha, S., Seshia, S.A., Song, D.X., Bryant, R.E.: Semantics-aware malware detection. In: IEEE Symposium on Security and Privacy, pp. 32–46. IEEE Computer Society, Los Alamitos (2005)
Cohen, F.: Computer viruses: theory and experiments. Comput. Secur. 6(1), 22–35 (1987)
Cohen, F.: Computer Viruses. PhD thesis, University of Southern California (1986)
Collberg, C., Thomborson, C., Low, D.: A taxonomy of obfuscating transformations. Technical Report 148, Department of Computer Science, University of Auckland (July 1997), http://www.cs.auckland.ac.nz/~collberg/Research/Publications/CollbergThomborsonLow97a/index.html
Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: CCS 2008: Proceedings of the 15th ACM conference on Computer and communications security, pp. 51–62. ACM, New York (2008)
Dittrich, D.: Malware to crimeware: How far have they gone, and how do we catch up? ;login: The USENIX Magazine 34(4), 35–44 (2009)
Filiol, E.: Computer Viruses from Theory to Applications. IRIS International Series. Springer, France (2005)
IBM X Force Threat Reports. IBM Internet Security Systems X-Force, trend and risk report (2008), http://www-935.ibm.com/services/us/iss/xforce/trendreports/
IBM X Force Threat Reports. IBM Internet Security Systems X-Force, mid-year trend and risk report (2009), http://www-935.ibm.com/services/us/iss/xforce/trendreports/
Forrest, S., Hofmeyr, S.A., Somayaji, A.: Computer immunology. CACM 40(10), 88–96 (1997)
Garfinkel, T., Adams, K., Warfield, A., Franklin, J.: Compatibility is not transparency: VMM detection myths and realities. In: HOTOS 2007: Proceedings of the 11th USENIX workshop on Hot topics in operating systems, Berkeley, CA, USA, pp. 1–6. USENIX Association (2007)
Horwitz, S.: Precise flow-insensitive may-alias analysis is NP-hard. ACM Trans. Program. Lang. Syst. 19(1), 1–6 (1997)
Jiang, X., Wang, X., Xu, D.: Stealthy malware detection through VMM-based "out-of-the-box" semantic view reconstruction. In: CCS 2007: Proceedings of the 14th ACM conference on Computer and communications security, pp. 128–138. ACM, New York (2007)
King, S.T., Chen, P.M., Wang, Y.-M., Verbowski, C., Wang, H.J., Lorch, J.R.: SubVirt: Implementing malware with virtual machines. In: SP 2006: Proceedings of the 2006 IEEE Symposium on Security and Privacy, Washington, DC, USA, pp. 314–327. IEEE Computer Society, Los Alamitos (2006)
Kundaji, R., Shyamasundar, R.: Refinement calculus: A basis for translation validation, debugging and certification. Theoretical Computer Science 354, 156–168 (2006)
Morrisett, G., Crary, K., Glew, N., Grossman, D., Samuels, R., Smith, F., Walker, D., Weirich, S., Zdancewic, S.: TALx86: A realistic typed assembly language. In: Second Workshop on Compiler Support for System Software, pp. 25–35 (1999)
Myers, A.C.: JFlow: practical mostly-static information flow control. In: POPL 1999: Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, pp. 228–241. ACM, New York (1999)
Necula, G.C.: Proof-carrying code. In: POPL 1997: Proceedings of the 24th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, pp. 106–119. ACM, New York (1997)
Von Neumann, J.: Theory of Self-Reproducing Automata. University of Illinois Press, Champaign (1966)
Raffetseder, T., Krügel, C., Kirda, E.: Detecting system emulators. In: Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R. (eds.) ISC 2007. LNCS, vol. 4779, pp. 1–18. Springer, Heidelberg (2007)
Ramalingam, G.: The undecidability of aliasing. ACM Trans. Program. Lang. Syst. 16(5), 1467–1471 (1994)
Rice, H.G.: Classes of recursively enumerable sets and their decision problems. Transactions of the American Mathematical Society 74(2), 358–366 (1953)
Schneider, F.B.: Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3(1), 30–50 (2000)
Seshadri, A., Luk, M., Perrig, A., van Doorn, L., Khosla, P.: Externally verifiable code execution. CACM 49(9), 45–49 (2006)
Shah, H.J., Shyamasundar, R.K.: On run-time enforcement of policies. In: Cervesato, I. (ed.) ASIAN 2007. LNCS, vol. 4846, pp. 268–281. Springer, Heidelberg (2007)
Shyamasundar, R., Shah, H., Kumar, N.N.: Checking malware behaviour via quarantining (abstract). In: Int. Conf. on Information Security and Digital Forensics, City University of London (September 2009). Full manuscript under submission
Walker, D.: A type system for expressive security policies. In: POPL 2000: Proceedings of the 27th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, pp. 254–267. ACM, New York (2000)
Computer Economics: 2007 malware report: The economic impact of viruses, spyware, adware, botnets, and other malicious code, http://www.computereconomics.com/page.cfm?name=Malware%20Report
© 2010 Springer-Verlag Berlin Heidelberg
Shyamasundar, R.K., Shah, H., Kumar, N.V.N. (2010). Malware: From Modelling to Practical Detection. In: Janowski, T., Mohanty, H. (eds) Distributed Computing and Internet Technology. ICDCIT 2010. Lecture Notes in Computer Science, vol 5966. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11659-9_3
DOI: https://doi.org/10.1007/978-3-642-11659-9_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-11658-2
Online ISBN: 978-3-642-11659-9