A semantics-based approach to malware detection

Mila Dalla Preda, Mihai Christodorescu, Somesh Jha, Saumya K Debray

Research output: Contribution to journal › Article

15 Citations (Scopus)

Abstract

Malware detection is a crucial aspect of software security. Current malware detectors work by checking for "signatures," which attempt to capture (syntactic) characteristics of the machine-level byte sequence of the malware. This reliance on a syntactic approach makes such detectors vulnerable to code obfuscations, increasingly used by malware writers, that alter syntactic properties of the malware byte sequence without significantly affecting their execution behavior. This paper takes the position that the key to malware identification lies in their semantics. It proposes a semantics-based framework for reasoning about malware detectors and proving properties such as soundness and completeness of these detectors. Our approach uses a trace semantics to characterize the behaviors of malware as well as the program being checked for infection, and uses abstract interpretation to "hide" irrelevant aspects of these behaviors. As a concrete application of our approach, we show that the semantics-aware malware detector proposed by Christodorescu et al. is complete with respect to a number of common obfuscations used by malware writers.

Original language: English (US)
Pages (from-to): 376-388
Number of pages: 13
Journal: ACM SIGPLAN Notices
Volume: 42
Issue number: 1
State: Published - Jan 2007

Keywords

  • Abstract interpretation
  • Malware detection
  • Obfuscation
  • Trace semantics

ASJC Scopus subject areas

  • Computer Graphics and Computer-Aided Design
  • Software

Cite this

Dalla Preda, M., Christodorescu, M., Jha, S., & Debray, S. K. (2007). A semantics-based approach to malware detection. ACM SIGPLAN Notices, 42(1), 376-388.

@article{a7ed800c37da4645ab523be6d047843f,
title = "A semantics-based approach to malware detection",
abstract = "Malware detection is a crucial aspect of software security. Current malware detectors work by checking for {"}signatures,{"} which attempt to capture (syntactic) characteristics of the machine-level byte sequence of the malware. This reliance on a syntactic approach makes such detectors vulnerable to code obfuscations, increasingly used by malware writers, that alter syntactic properties of the malware byte sequence without significantly affecting their execution behavior. This paper takes the position that the key to malware identification lies in their semantics. It proposes a semantics-based framework for reasoning about malware detectors and proving properties such as soundness and completeness of these detectors. Our approach uses a trace semantics to characterize the behaviors of malware as well as the program being checked for infection, and uses abstract interpretation to {"}hide{"} irrelevant aspects of these behaviors. As a concrete application of our approach, we show that the semantics-aware malware detector proposed by Christodorescu et al. is complete with respect to a number of common obfuscations used by malware writers.",
keywords = "Abstract interpretation, Malware detection, Obfuscation, Trace semantics",
author = "{Dalla Preda}, Mila and Mihai Christodorescu and Somesh Jha and Debray, {Saumya K}",
year = "2007",
month = "1",
language = "English (US)",
volume = "42",
pages = "376--388",
journal = "ACM SIGPLAN Notices",
issn = "1523-2867",
publisher = "Association for Computing Machinery (ACM)",
number = "1",
}
