A semantics-based approach to malware detection

Mila Dalla Preda, Mihai Christodorescu, Somesh Jha, Saumya Debray

Research output: Chapter in Book/Report/Conference proceedingConference contribution

77 Scopus citations

Abstract

Malware detection is a crucial aspect of software security. Current malware detectors work by checking for "signatures," which attempt to capture (syntactic) characteristics of the machine-level byte sequence of the malware. This reliance on a syntactic approach makes such detectors vulnerable to code obfuscations, increasingly used by malware writers, that alter syntactic properties of the malware byte sequence without significantly affecting their execution behavior.This paper takes the position that the key to malware identification lies in their semantics. It proposes a semantics-based framework for reasoning about malware detectors and proving properties such as soundness and completeness of these detectors. Our approach uses a trace semantics to characterize the behaviors of malware as well as the program being checked for infection, and uses abstract interpretation to "hide" irrelevant aspects of these behaviors. As a concrete application of our approach, we show that the semantics-aware malware detector proposed by Christodorescu et al. is complete with respect to a number of common obfuscations used by malware writers.

Original languageEnglish (US)
Title of host publicationConference Record of POPL 2007
Subtitle of host publicationThe 34th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages - Papers Presented at the Symposium
Pages377-388
Number of pages12
DOIs
StatePublished - Sep 3 2007
Event34th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages - Nice, France
Duration: Jan 17 2007Jan 19 2007

Publication series

NameConference Record of the Annual ACM Symposium on Principles of Programming Languages
ISSN (Print)0730-8566

Other

Other34th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
CountryFrance
CityNice
Period1/17/071/19/07

Keywords

  • Abstract interpretation
  • Malware detection
  • Obfuscation
  • Trace semantics

ASJC Scopus subject areas

  • Software

Fingerprint Dive into the research topics of 'A semantics-based approach to malware detection'. Together they form a unique fingerprint.

  • Cite this

    Preda, M. D., Christodorescu, M., Jha, S., & Debray, S. (2007). A semantics-based approach to malware detection. In Conference Record of POPL 2007: The 34th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages - Papers Presented at the Symposium (pp. 377-388). (Conference Record of the Annual ACM Symposium on Principles of Programming Languages). https://doi.org/10.1145/1190216.1190270