2. Contents
• Introduction
• Goals
• Technique
• Semantics of malware
• Malicious code detector
• Strengths and limitations
• Related work
• Conclusion
3. INTRODUCTION
• A malware detector is a system that attempts
to determine whether a program has
malicious intent.
• A malware instance is a program that has
malicious intent.
• Examples of malware instances: viruses,
trojans, and worms.
4. Goals
• The goal of a malware writer (hacker) is to
modify their malware to avoid detection by a
malware detector.
• The goal of this paper is to design a malware
detection algorithm that uses the semantics of
instructions rather than their syntactic form.
5. Technique: Semantics-Aware Malware
Detection
• A common technique used by malware writers
to evade detection is program obfuscation.
• Polymorphism and metamorphism
• A polymorphic virus obfuscates its decryption
loop using several transformations
• Metamorphic viruses attempt to evade
detection by obfuscating the entire virus.
6. Translation-validation techniques
• Translation-validation techniques determine
whether two programs are semantically
equivalent.
• We use the observation that certain
malicious behaviors appear in all variants of a
certain malware.
• We use a semantics-aware algorithm to discover
malicious programs, i.e. programs that match the
specified malicious behavior.
7. Semantics of malware detection
• Specifying the malicious behavior.
• Templates
• Variables
• symbolic constants
9. Formal semantics
• A template T = (I_T, V_T, C_T) is a 3-tuple, where
I_T is a sequence of instructions and V_T and C_T
are the sets of variables and symbolic
constants.
• Two types of symbolic constants:
n-ary functions F^(n) and
n-ary predicates P^(n).
11. Strengths and limitations
• Code reordering
• Register renaming
• Garbage insertion
• Equivalent instruction replacement
• Same form needed: the template and the program
must use matching instruction shapes.
• Use of def-use chains for value-preservation
checking.
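The two slides above (the template definition with variables and symbolic constants, and the list of obfuscations the approach is robust against) can be illustrated with a small matcher. The code below is an added example and is not the paper's or the authors' code; it uses a constructed toy instruction set (tuples such as `("load", dst, base, imm)`), a constructed decryption-loop template, and constructed sample programs. Uppercase single letters are template variables that bind to registers, and `c1`, `c2`, ... are symbolic constants that bind to immediates. It handles register renaming (variables are bound on first use and checked afterwards), garbage insertion (unmatched instructions are skipped as long as they do not redefine a bound register, which is the value-preservation check in def-use terms) and a couple of equivalent-instruction replacements (`xor r, r` as `mov r, 0`, `add r, 1` as `inc r`). Code reordering is not handled here; the template instructions must appear in order.

```python
"""Toy semantics-aware template matcher (added illustration, constructed ISA and data)."""
from typing import Dict, List, Optional, Tuple

Instr = Tuple[str, ...]   # (opcode, operand, operand, ...)


def is_var(tok: str) -> bool:
    """Template variable: a single uppercase letter, binds to a register."""
    return len(tok) == 1 and tok.isupper()


def is_sym_const(tok: str) -> bool:
    """Symbolic constant: c1, c2, ..., binds to an immediate value."""
    return tok.startswith("c") and tok[1:].isdigit()


def normalize(ins: Instr) -> Instr:
    """Canonicalize equivalent instruction forms (equivalent-instruction replacement)."""
    if ins[0] in ("xor", "sub") and len(ins) == 3 and ins[1] == ins[2]:
        return ("mov", ins[1], "0")          # xor r, r  /  sub r, r  ==  mov r, 0
    if ins[0] == "add" and len(ins) == 3 and ins[2] == "1":
        return ("inc", ins[1])               # add r, 1  ==  inc r
    return ins


def writes(ins: Instr) -> set:
    """Registers defined by a concrete instruction in the toy ISA (first operand is the destination)."""
    if ins[0] in ("mov", "add", "sub", "xor", "inc", "load"):
        return {ins[1]}
    return set()                              # store / jl / nop define no register


def unify(tpl: Instr, ins: Instr, binding: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Match one template instruction against one concrete instruction, extending the binding."""
    if tpl[0] != ins[0] or len(tpl) != len(ins):
        return None
    b = dict(binding)
    bound_regs = {v for k, v in b.items() if is_var(k)}
    for t, c in zip(tpl[1:], ins[1:]):
        if is_var(t) or is_sym_const(t):
            if t in b:
                if b[t] != c:
                    return None               # variable already bound to a different operand
            else:
                if is_var(t) and (not c.isalpha() or c in bound_regs):
                    return None               # variables bind distinct registers
                if is_sym_const(t) and not c.lstrip("-").isdigit():
                    return None               # symbolic constants bind immediates
                b[t] = c
        elif t != c:
            return None
    return b


def match(template: List[Instr], program: List[Instr]) -> Optional[Dict[str, str]]:
    """Return a binding if the template occurs in the program, else None.

    Unmatched instructions between template instructions are treated as garbage and
    are allowed only if they do not redefine a register bound to a template variable
    (the def-use value-preservation check)."""
    prog = [normalize(i) for i in program]

    def go(ti: int, pi: int, binding: Dict[str, str]) -> Optional[Dict[str, str]]:
        if ti == len(template):
            return binding
        bound_regs = {v for k, v in binding.items() if is_var(k)}
        for j in range(pi, len(prog)):
            nb = unify(template[ti], prog[j], binding)
            if nb is not None:
                res = go(ti + 1, j + 1, nb)
                if res is not None:
                    return res
            if writes(prog[j]) & bound_regs:
                return None                   # garbage clobbers a value the template relies on
        return None

    return go(0, 0, {})


# Constructed template: a decryption loop that XORs a buffer in place.
TEMPLATE: List[Instr] = [
    ("mov", "A", "0"),            # A := 0 (loop counter)
    ("load", "B", "A", "c1"),     # B := mem[A + c1]
    ("xor", "B", "c2"),           # B ^= key
    ("store", "A", "c1", "B"),    # mem[A + c1] := B
    ("inc", "A"),                 # A += 1
    ("jl", "A", "c3"),            # loop while A < length
]

# Constructed variant: renamed registers, inserted garbage, replaced instructions.
SAMPLE_VARIANT: List[Instr] = [
    ("xor", "ecx", "ecx"),            # == mov ecx, 0
    ("mov", "edx", "7"),              # garbage (edx is not bound)
    ("load", "ebx", "ecx", "4096"),
    ("nop",),                         # garbage
    ("xor", "ebx", "170"),
    ("store", "ecx", "4096", "ebx"),
    ("add", "ecx", "1"),              # == inc ecx
    ("mov", "edx", "edx"),            # garbage
    ("jl", "ecx", "512"),
]

# Constructed non-match: the inserted instruction overwrites the bound register ebx.
CLOBBERED_VARIANT: List[Instr] = SAMPLE_VARIANT[:3] + [("mov", "ebx", "99")] + SAMPLE_VARIANT[3:]


def detect(program: List[Instr]) -> bool:
    """True if the program carries the templated malicious behavior."""
    return match(TEMPLATE, program) is not None
```

Running `match(TEMPLATE, SAMPLE_VARIANT)` yields the binding `A=ecx, B=ebx, c1=4096, c2=170, c3=512`, while `CLOBBERED_VARIANT` is rejected because the inserted `mov ebx, 99` breaks the def-use chain from the load to the xor. The same-form limitation from the slide is visible in `unify`: opcode and operand count must agree exactly, so a variant that rewrote the loop with different instruction shapes would need a richer equivalence check than `normalize` provides.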
13. Conclusion
• We observe that certain malicious behaviors
appear in all variants of a certain malware.
• We also present a malware-detection
algorithm that is sound with respect to our
semantics.