A semantics-based approach to malware detection

Mila Dalla Preda, Mihai Christodorescu, Somesh Jha, Saumya K Debray

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

76 Citations (Scopus)

Abstract

Malware detection is a crucial aspect of software security. Current malware detectors work by checking for "signatures," which attempt to capture (syntactic) characteristics of the machine-level byte sequence of the malware. This reliance on a syntactic approach makes such detectors vulnerable to code obfuscations, increasingly used by malware writers, that alter syntactic properties of the malware byte sequence without significantly affecting their execution behavior. This paper takes the position that the key to malware identification lies in their semantics. It proposes a semantics-based framework for reasoning about malware detectors and proving properties such as soundness and completeness of these detectors. Our approach uses a trace semantics to characterize the behaviors of malware as well as the program being checked for infection, and uses abstract interpretation to "hide" irrelevant aspects of these behaviors. As a concrete application of our approach, we show that the semantics-aware malware detector proposed by Christodorescu et al. is complete with respect to a number of common obfuscations used by malware writers.

Original language: English (US)
Title of host publication: Conference Record of the Annual ACM Symposium on Principles of Programming Languages
Pages: 377-388
Number of pages: 12
DOIs: 10.1145/1190216.1190270
State: Published - 2007
Event: 34th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages - Nice, France
Duration: Jan 17 2007 to Jan 19 2007

Other

Other: 34th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
Country: France
City: Nice
Period: 1/17/07 to 1/19/07

Fingerprint

  • Semantics
  • Detectors
  • Syntactics
  • Malware
  • Concretes

Keywords

  • Abstract interpretation
  • Malware detection
  • Obfuscation
  • Trace semantics

ASJC Scopus subject areas

  • Software

Cite this

Preda, M. D., Christodorescu, M., Jha, S., & Debray, S. K. (2007). A semantics-based approach to malware detection. In Conference Record of the Annual ACM Symposium on Principles of Programming Languages (pp. 377-388) https://doi.org/10.1145/1190216.1190270

A semantics-based approach to malware detection. / Preda, Mila Dalla; Christodorescu, Mihai; Jha, Somesh; Debray, Saumya K.

Conference Record of the Annual ACM Symposium on Principles of Programming Languages. 2007. p. 377-388.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Preda, MD, Christodorescu, M, Jha, S & Debray, SK 2007, A semantics-based approach to malware detection. in Conference Record of the Annual ACM Symposium on Principles of Programming Languages. pp. 377-388, 34th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, Nice, France, 1/17/07. https://doi.org/10.1145/1190216.1190270
Preda MD, Christodorescu M, Jha S, Debray SK. A semantics-based approach to malware detection. In Conference Record of the Annual ACM Symposium on Principles of Programming Languages. 2007. p. 377-388 https://doi.org/10.1145/1190216.1190270
Preda, Mila Dalla ; Christodorescu, Mihai ; Jha, Somesh ; Debray, Saumya K. / A semantics-based approach to malware detection. Conference Record of the Annual ACM Symposium on Principles of Programming Languages. 2007. pp. 377-388
@inproceedings{69beb2768f254d71a1ee999ff2e6fd54,
title = "A semantics-based approach to malware detection",
abstract = "Malware detection is a crucial aspect of software security. Current malware detectors work by checking for {"}signatures,{"} which attempt to capture (syntactic) characteristics of the machine-level byte sequence of the malware. This reliance on a syntactic approach makes such detectors vulnerable to code obfuscations, increasingly used by malware writers, that alter syntactic properties of the malware byte sequence without significantly affecting their execution behavior. This paper takes the position that the key to malware identification lies in their semantics. It proposes a semantics-based framework for reasoning about malware detectors and proving properties such as soundness and completeness of these detectors. Our approach uses a trace semantics to characterize the behaviors of malware as well as the program being checked for infection, and uses abstract interpretation to {"}hide{"} irrelevant aspects of these behaviors. As a concrete application of our approach, we show that the semantics-aware malware detector proposed by Christodorescu et al. is complete with respect to a number of common obfuscations used by malware writers.",
keywords = "Abstract interpretation, Malware detection, Obfuscation, Trace semantics",
author = "Preda, {Mila Dalla} and Mihai Christodorescu and Somesh Jha and Debray, {Saumya K}",
year = "2007",
doi = "10.1145/1190216.1190270",
language = "English (US)",
isbn = "1595935754",
pages = "377--388",
booktitle = "Conference Record of the Annual ACM Symposium on Principles of Programming Languages",

}

TY - GEN

T1 - A semantics-based approach to malware detection

AU - Preda, Mila Dalla

AU - Christodorescu, Mihai

AU - Jha, Somesh

AU - Debray, Saumya K

PY - 2007

Y1 - 2007

N2 - Malware detection is a crucial aspect of software security. Current malware detectors work by checking for "signatures," which attempt to capture (syntactic) characteristics of the machine-level byte sequence of the malware. This reliance on a syntactic approach makes such detectors vulnerable to code obfuscations, increasingly used by malware writers, that alter syntactic properties of the malware byte sequence without significantly affecting their execution behavior. This paper takes the position that the key to malware identification lies in their semantics. It proposes a semantics-based framework for reasoning about malware detectors and proving properties such as soundness and completeness of these detectors. Our approach uses a trace semantics to characterize the behaviors of malware as well as the program being checked for infection, and uses abstract interpretation to "hide" irrelevant aspects of these behaviors. As a concrete application of our approach, we show that the semantics-aware malware detector proposed by Christodorescu et al. is complete with respect to a number of common obfuscations used by malware writers.

AB - Malware detection is a crucial aspect of software security. Current malware detectors work by checking for "signatures," which attempt to capture (syntactic) characteristics of the machine-level byte sequence of the malware. This reliance on a syntactic approach makes such detectors vulnerable to code obfuscations, increasingly used by malware writers, that alter syntactic properties of the malware byte sequence without significantly affecting their execution behavior. This paper takes the position that the key to malware identification lies in their semantics. It proposes a semantics-based framework for reasoning about malware detectors and proving properties such as soundness and completeness of these detectors. Our approach uses a trace semantics to characterize the behaviors of malware as well as the program being checked for infection, and uses abstract interpretation to "hide" irrelevant aspects of these behaviors. As a concrete application of our approach, we show that the semantics-aware malware detector proposed by Christodorescu et al. is complete with respect to a number of common obfuscations used by malware writers.

KW - Abstract interpretation

KW - Malware detection

KW - Obfuscation

KW - Trace semantics

UR - http://www.scopus.com/inward/record.url?scp=34548223126&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=34548223126&partnerID=8YFLogxK

U2 - 10.1145/1190216.1190270

DO - 10.1145/1190216.1190270

M3 - Conference contribution

AN - SCOPUS:34548223126

SN - 1595935754

SN - 9781595935755

SP - 377

EP - 388

BT - Conference Record of the Annual ACM Symposium on Principles of Programming Languages

ER -