Abstract
Malware obfuscation transforms malware into a different form that is functionally identical to the original, rendering syntactic signatures ineffective. Furthermore, the volume of malware samples is huge and growing at an exponential pace. Behavioral signatures are an effective way to defeat obfuscation. However, the state-of-the-art behavioral signature, the behavior graph, although very effective, is too complicated and not scalable enough to handle exponentially growing malware samples; in addition, it is too slow to be used in a real-time detector. This paper proposes an anti-obfuscation and scalable behavioral signature generation system, DiffSig, which avoids information-flow tracking, the chief culprit of the complexity and inefficiency of behavior graphs. DiffSig thus loses some data dependencies, but describes handle dependencies more accurately than behavior graphs by restricting the profile type of resource that each handle dependency can reference. Our experimental results show that DiffSig is scalable and efficient, and can detect new malware samples effectively.
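The following is an added illustration of the idea the abstract describes, not code from the paper or its authors: a handle-dependency signature built from a system-call trace without information-flow tracking, where each dependency is typed by the resource the handle refers to. The trace format, the call names, the per-call resource-type tables and the sample trace are constructed assumptions for this example.

```python
from collections import namedtuple

# One traced system call: the handle it consumed and the handle it returned
# (None when not applicable). This trace format is a constructed assumption.
Call = namedtuple("Call", "name in_handle out_handle")

# Resource type each call produces or expects. This table is a constructed
# stand-in for the per-call resource profile the paper describes.
PRODUCES = {"NtCreateFile": "file", "NtOpenKey": "regkey", "NtOpenProcess": "process"}
CONSUMES = {"NtWriteFile": "file", "NtSetValueKey": "regkey",
            "NtWriteVirtualMemory": "process", "NtClose": "any"}

def handle_dependencies(trace):
    """Return the set of (producer, resource_type, consumer) edges.

    No taint tracking: an edge exists only when a call consumes the handle
    value another call returned and the consumer's expected resource type
    matches. NtClose frees the slot, so a handle value reused after close
    never links back to the old producer.
    """
    live = {}  # open handle value -> (producer call, resource type)
    edges = set()
    for call in trace:
        if call.in_handle in live and call.name in CONSUMES:
            producer, rtype = live[call.in_handle]
            if CONSUMES[call.name] in ("any", rtype):
                edges.add((producer, rtype, call.name))
            if call.name == "NtClose":
                del live[call.in_handle]
        if call.out_handle is not None and call.name in PRODUCES:
            live[call.out_handle] = (call.name, PRODUCES[call.name])
    return edges

def matches(signature, trace):
    """A trace matches a signature when it exhibits every signature edge."""
    return signature <= handle_dependencies(trace)

# Constructed trace: handle value 0x44 is first a file, closed, then reused
# for a registry key; the final NtWriteFile on a key handle is a type
# mismatch and must not yield an NtOpenKey -> NtWriteFile edge.
TRACE = [
    Call("NtCreateFile", None, 0x44),
    Call("NtWriteFile", 0x44, None),
    Call("NtClose", 0x44, None),
    Call("NtOpenKey", None, 0x44),
    Call("NtSetValueKey", 0x44, None),
    Call("NtWriteFile", 0x44, None),
]
SIGNATURE = {("NtCreateFile", "file", "NtWriteFile"),
             ("NtOpenKey", "regkey", "NtSetValueKey")}
```

Calling `matches(SIGNATURE, TRACE)` returns True, while the signature contains no handle values or argument data, which is what keeps it concise and insensitive to renaming or reordering of unrelated calls.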
© 2013 Springer-Verlag Berlin Heidelberg
Lu, H., Zhao, B., Wang, X., Su, J. (2013). DiffSig: Resource Differentiation Based Malware Behavioral Concise Signature Generation. In: Mustofa, K., Neuhold, E.J., Tjoa, A.M., Weippl, E., You, I. (eds) Information and Communication Technology. ICT-EurAsia 2013. Lecture Notes in Computer Science, vol 7804. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36818-9_28
DOI: https://doi.org/10.1007/978-3-642-36818-9_28
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-36817-2
Online ISBN: 978-3-642-36818-9
eBook Packages: Computer Science (R0)