Employing Program Semantics for Malware Detection

Naval, S., Laxmi, V., Rajarajan, M., Gaur, M. S. & Conti, M. (2015). Employing Program Semantics for Malware Detection. IEEE Transactions on Information Forensics and Security, 10(12), pp. 2591-2604. doi: 10.1109/TIFS.2015.2469253

Text - Accepted Version


In recent years, malware has emerged as a critical security threat. Additionally, malware authors continue to embed numerous anti-detection features to evade existing malware detection approaches. Against this advanced class of malicious programs, dynamic behavior-based malware detection approaches outperform the traditional signature-based approaches by neutralizing the effects of obfuscation and morphing techniques. The majority of dynamic behavior detectors rely on system-calls to model the infection and propagation dynamics of malware. However, these approaches do not account for an important anti-detection feature of modern malware, i.e., the system-call injection attack. This attack allows the malicious binaries to inject irrelevant and independent system-calls during program execution, thus modifying the execution sequences and defeating the existing system-call based detection. To address this problem, we propose an evasion-proof solution that is not vulnerable to system-call injection attacks. Our proposed approach precisely characterizes the program semantics using the Asymptotic Equipartition Property (AEP), mainly applied in the information-theoretic domain. The AEP allows us to extract the information-rich call sequences that are further quantified to detect the malicious binaries. Furthermore, the proposed detection model is less vulnerable to call-injection attacks as the discriminating components are not directly visible to malware authors. This particular characteristic of the proposed approach hampers a malware author's aim of defeating our approach. We run a thorough set of experiments to evaluate our solution and compare it with existing system-call based malware detection techniques. The results demonstrate that the proposed solution is effective in identifying real malware instances.

Item Type: Article
Additional Information: (c) IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works for resale or redistribution to servers or lists, or reuse of any copyrighted components of this work in other works.
Uncontrolled Keywords: Malware; Malware Detection; System-calls; Semantically-relevant paths; System-call injection attacks
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Divisions: School of Informatics > Department of Computing
URI: http://openaccess.city.ac.uk/id/eprint/12313
