Skip to Main content Skip to Navigation
Conference papers

Mining Malware Specifications through Static Reachability Analysis

Abstract : Abstract. The number of malicious software (malware) is growing out of control. Syntactic signature based detection cannot cope with such growth and manual construction of malware signature databases needs to be replaced by computer learning based approaches. Currently, a single modern signature capturing the semantics of a malicious behavior can be used to replace an arbitrarily large number of old-fashioned syntactical signatures. However teaching computers to learn such behaviors is a challenge. Existing work relies on dynamic analysis to extract malicious behaviors, but such technique does not guarantee the coverage of all behaviors. To sidestep this limitation we show how to learn malware signatures using static reachability analysis. The idea is to model binary programs using pushdown systems (that can be used to model the stack operations occurring during the binary code execution), use reachability analysis to extract behaviors in the form of trees, and use subtrees that are common among the trees extracted from a training set of malware files as signatures. To detect malware we propose to use a tree automaton to compactly store malicious behavior trees and check if any of the subtrees extracted from the file under analysis is malicious. Experimental data shows that our approach can be used to learn signatures from a training set of malware files and use them to detect a test set of malware that is 5 times the size of the training set.
Complete list of metadata

Cited literature [29 references]  Display  Hide  Download
Contributor : Hugo Daniel Macedo Connect in order to contact the contributor
Submitted on : Tuesday, December 17, 2013 - 12:15:07 PM
Last modification on : Friday, January 21, 2022 - 3:16:01 AM
Long-term archiving on: : Monday, March 17, 2014 - 11:10:09 PM


Files produced by the author(s)




Hugo Daniel Macedo, Tayssir Touili. Mining Malware Specifications through Static Reachability Analysis. ESORICS 2013 - 18th European Symposium on Research in Computer Security, Sep 2013, Egham, United Kingdom. pp.517-535, ⟨10.1007/978-3-642-40203-6_29⟩. ⟨hal-00919782⟩



Record views


Files downloads