A framework for understanding dynamic anti-analysis defenses

Jing Qiu, Babak Yadegari, Brian Johannesmeyer, Saumya K Debray, Xiaohong Su

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

5 Citations (Scopus)

Abstract

Malicious code often uses a variety of anti-analysis and anti-tampering defenses to hinder analysis. Researchers trying to understand the internal logic of the malware have to penetrate these defenses. Existing research on such anti-analysis defenses tends to study them in isolation, thereby failing to see underlying conceptual similarities between different kinds of anti-analysis defenses. This paper proposes an information-flow-based framework that encompasses a wide variety of anti-analysis defenses. We illustrate the utility of our approach using two different instances of this framework: self-checksumming-based anti-tampering defenses and timing-based emulator detection. Our approach can provide insights into the underlying structure of various anti-analysis defenses and thereby help devise techniques for neutralizing them.
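The two instances named in the abstract share one shape when viewed as information flows: a source (bytes read from the program's own code, or a clock), a computation over that value, and a sink (a branch that changes behaviour). The C below is an added illustration written for this record; it is not code from the paper, and the authors' framework is not reproduced here. Assumptions: the "protected code" is a constructed byte array rather than real .text, FNV-1a is used as the guard's checksum, the `threshold_ns` calibration constant is arbitrary, and the `neutralise_by_redirect` function shows the well-known memory-redirection approach to defeating self-checksumming, not a technique the paper claims.

```c
#define _POSIX_C_SOURCE 199309L
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

/* Constructed stand-in for a protected code region. The bytes are arbitrary
 * and are not real machine code; a real guard reads its own .text segment. */
#define REGION_LEN 16
static uint8_t region[REGION_LEN] = {
    0x55, 0x48, 0x89, 0xe5, 0x74, 0x05, 0xb8, 0x01,
    0x00, 0x00, 0x00, 0x5d, 0xc3, 0x31, 0xc0, 0xeb
};
/* Pristine copy kept aside, used below to illustrate neutralisation. */
static uint8_t pristine[REGION_LEN];

/* SOURCE of the flow: every byte the guard inspects arrives through this
 * indirection, so whatever memory it returns is what the guard "sees". */
static const uint8_t *(*code_source)(void) = NULL;
static const uint8_t *read_live(void)     { return region; }
static const uint8_t *read_pristine(void) { return pristine; }

/* FNV-1a: a cheap checksum of the kind a guard typically runs over its code.
 * A single differing byte always yields a different digest, since xor and
 * multiplication by an odd constant are both bijective modulo 2^32. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

static uint32_t expected_sum; /* in a real binary: patched in after linking */

/* Install: record the reference checksum and point the guard at live memory. */
void guard_install(void) {
    memcpy(pristine, region, REGION_LEN);
    code_source = read_live;
    expected_sum = fnv1a(region, REGION_LEN);
}

/* SINK: the checksum reaches a branch that decides whether execution
 * continues normally (1) or takes the tamper-response path (0). */
int guard_check(void) {
    return fnv1a(code_source(), REGION_LEN) == expected_sum;
}

/* An analyst's patch, e.g. overwriting a conditional jump with a nop. */
void tamper(size_t off, uint8_t byte) { region[off] = byte; }

/* Neutralisation: break the flow at its source by serving the guard the
 * pristine bytes while the patched bytes still execute. This is the classic
 * memory-redirection attack on self-checksumming, stated here as an
 * assumption about how such guards are commonly defeated. */
void neutralise_by_redirect(void) { code_source = read_pristine; }

/* --- Timing-based emulator detection: same shape, different source --- */

/* SOURCE: a clock. Times a short busy loop with CLOCK_MONOTONIC. A cycle
 * counter such as rdtsc is the usual x86 choice; the monotonic clock keeps
 * this portable. Returns nanoseconds per iteration. */
double ns_per_iteration(unsigned iters) {
    struct timespec a, b;
    volatile unsigned sink = 0;
    clock_gettime(CLOCK_MONOTONIC, &a);
    for (unsigned i = 0; i < iters; i++) sink += i;
    clock_gettime(CLOCK_MONOTONIC, &b);
    double ns = (double)(b.tv_sec - a.tv_sec) * 1e9
              + (double)(b.tv_nsec - a.tv_nsec);
    return ns / (double)iters;
}

/* SINK: the measurement reaches a branch. threshold_ns is an assumed
 * calibration constant chosen by the defender, not a value from the paper. */
int looks_emulated(double measured_ns, double threshold_ns) {
    return measured_ns > threshold_ns;
}
```

Seen this way, the two defenses differ only in what the source is; neutralising either means controlling the source the sink depends on (serve pristine bytes; virtualise the clock) rather than patching each guard individually, which is the kind of structural insight the abstract is pointing at.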

Original language: English (US)
Title of host publication: Proceedings of the 4th Program Protection and Reverse Engineering Workshop, PPREW 2014
Publisher: Association for Computing Machinery
Volume: 12-December-2014
ISBN (Electronic): 9781605586373
DOIs: 10.1145/2689702.2689704
State: Published - Dec 9 2014
Externally published: Yes
Event: 4th Program Protection and Reverse Engineering Workshop, PPREW 2014 - New Orleans, United States
Duration: Dec 9 2014 → …

Other

Other: 4th Program Protection and Reverse Engineering Workshop, PPREW 2014
Country: United States
City: New Orleans
Period: 12/9/14 → …

Keywords

  • Anti-analysis defense
  • Self-checksumming
  • Taint analysis
  • Timing defense

ASJC Scopus subject areas

  • Human-Computer Interaction
  • Computer Networks and Communications
  • Computer Vision and Pattern Recognition
  • Software

Cite this

Qiu, J., Yadegari, B., Johannesmeyer, B., Debray, S. K., & Su, X. (2014). A framework for understanding dynamic anti-analysis defenses. In Proceedings of the 4th Program Protection and Reverse Engineering Workshop, PPREW 2014 (Vol. 12-December-2014). [a2] Association for Computing Machinery. https://doi.org/10.1145/2689702.2689704

A framework for understanding dynamic anti-analysis defenses. / Qiu, Jing; Yadegari, Babak; Johannesmeyer, Brian; Debray, Saumya K; Su, Xiaohong. Proceedings of the 4th Program Protection and Reverse Engineering Workshop, PPREW 2014. Vol. 12-December-2014. Association for Computing Machinery, 2014. a2.

Qiu, J, Yadegari, B, Johannesmeyer, B, Debray, SK & Su, X 2014, A framework for understanding dynamic anti-analysis defenses. in Proceedings of the 4th Program Protection and Reverse Engineering Workshop, PPREW 2014. vol. 12-December-2014, a2, Association for Computing Machinery, 4th Program Protection and Reverse Engineering Workshop, PPREW 2014, New Orleans, United States, 12/9/14. https://doi.org/10.1145/2689702.2689704
Qiu J, Yadegari B, Johannesmeyer B, Debray SK, Su X. A framework for understanding dynamic anti-analysis defenses. In Proceedings of the 4th Program Protection and Reverse Engineering Workshop, PPREW 2014. Vol. 12-December-2014. Association for Computing Machinery. 2014. a2 https://doi.org/10.1145/2689702.2689704
Qiu, Jing ; Yadegari, Babak ; Johannesmeyer, Brian ; Debray, Saumya K ; Su, Xiaohong. / A framework for understanding dynamic anti-analysis defenses. Proceedings of the 4th Program Protection and Reverse Engineering Workshop, PPREW 2014. Vol. 12-December-2014 Association for Computing Machinery, 2014.
@inproceedings{ec73af6aa2c54a7a863970e687d1bb38,
title = "A framework for understanding dynamic anti-analysis defenses",
abstract = "Malicious code often uses a variety of anti-analysis and anti-tampering defenses to hinder analysis. Researchers trying to understand the internal logic of the malware have to penetrate these defenses. Existing research on such anti-analysis defenses tends to study them in isolation, thereby failing to see underlying conceptual similarities between different kinds of anti-analysis defenses. This paper proposes an information-flow-based framework that encompasses a wide variety of anti-analysis defenses. We illustrate the utility of our approach using two different instances of this framework: self-checksumming-based anti-tampering defenses and timing-based emulator detection. Our approach can provide insights into the underlying structure of various anti-analysis defenses and thereby help devise techniques for neutralizing them.",
keywords = "Anti-analysis defense, Self-checksumming, Taint analysis, Timing defense",
author = "Jing Qiu and Babak Yadegari and Brian Johannesmeyer and Debray, {Saumya K} and Xiaohong Su",
year = "2014",
month = "12",
day = "9",
doi = "10.1145/2689702.2689704",
language = "English (US)",
volume = "12-December-2014",
booktitle = "Proceedings of the 4th Program Protection and Reverse Engineering Workshop, PPREW 2014",
publisher = "Association for Computing Machinery",

}

TY - GEN

T1 - A framework for understanding dynamic anti-analysis defenses

AU - Qiu, Jing

AU - Yadegari, Babak

AU - Johannesmeyer, Brian

AU - Debray, Saumya K

AU - Su, Xiaohong

PY - 2014/12/9

Y1 - 2014/12/9

N2 - Malicious code often uses a variety of anti-analysis and anti-tampering defenses to hinder analysis. Researchers trying to understand the internal logic of the malware have to penetrate these defenses. Existing research on such anti-analysis defenses tends to study them in isolation, thereby failing to see underlying conceptual similarities between different kinds of anti-analysis defenses. This paper proposes an information-flow-based framework that encompasses a wide variety of anti-analysis defenses. We illustrate the utility of our approach using two different instances of this framework: self-checksumming-based anti-tampering defenses and timing-based emulator detection. Our approach can provide insights into the underlying structure of various anti-analysis defenses and thereby help devise techniques for neutralizing them.

AB - Malicious code often uses a variety of anti-analysis and anti-tampering defenses to hinder analysis. Researchers trying to understand the internal logic of the malware have to penetrate these defenses. Existing research on such anti-analysis defenses tends to study them in isolation, thereby failing to see underlying conceptual similarities between different kinds of anti-analysis defenses. This paper proposes an information-flow-based framework that encompasses a wide variety of anti-analysis defenses. We illustrate the utility of our approach using two different instances of this framework: self-checksumming-based anti-tampering defenses and timing-based emulator detection. Our approach can provide insights into the underlying structure of various anti-analysis defenses and thereby help devise techniques for neutralizing them.

KW - Anti-analysis defense

KW - Self-checksumming

KW - Taint analysis

KW - Timing defense

UR - http://www.scopus.com/inward/record.url?scp=84984996380&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84984996380&partnerID=8YFLogxK

U2 - 10.1145/2689702.2689704

DO - 10.1145/2689702.2689704

M3 - Conference contribution

AN - SCOPUS:84984996380

VL - 12-December-2014

BT - Proceedings of the 4th Program Protection and Reverse Engineering Workshop, PPREW 2014

PB - Association for Computing Machinery

ER -