Behavior Analysis of Malware by Rewriting-based Abstraction - Extended Version

Philippe Beaucamps (1), Isabelle Gnaedig (1), Jean-Yves Marion (1)
(1) CARTE - Theoretical adverse computations, and safety, Inria Nancy - Grand Est, LORIA - FM - Department of Formal Methods
Abstract: We propose a formal approach for the detection of high-level program behaviors. These behaviors, defined as combinations of patterns in a signature, are detected by model checking on abstracted forms of program traces. Our approach works on unbounded sets of traces, which makes the technique useful not only for dynamic analysis, which considers one trace at a time, but also for static analysis, which considers a set of traces inferred from a control flow graph. The technique uses a rewriting-based abstraction mechanism that produces a high-level representation of the program behavior, independent of the program's implementation. This lets us handle similar behaviors in a generic way and thus be robust with respect to variants. Successfully applied to malware detection, our approach allows us in particular to model and detect information leaks.
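As an added illustration, and not code from the report (whose abstraction is defined formally as term rewriting and whose detection is model checking over sets of traces), the following Python sketch shows the shape of the technique on a single trace: concrete API calls are rewritten into abstract actions by a set of rules, and a behavior signature with data variables is then matched on the abstract trace. The call names, rewriting rules, sample traces and the simplified way data objects are tracked are all assumptions constructed for this example.

```python
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, str]              # (call name, data object the call touches)
Rule = Tuple[Tuple[str, ...], str]   # (concrete call sequence, abstract action)

# Abstraction rules, constructed for this example. Each rule rewrites an ordered
# run of concrete calls (possibly interleaved with unrelated calls) into one
# abstract action. Two implementations of the same behaviour map to the same
# abstract action, which is what makes a signature robust to variants.
ABSTRACTION_RULES: List[Rule] = [
    (("CreateFile", "ReadFile"), "READ_FILE"),                             # Win32
    (("fopen", "fread"), "READ_FILE"),                                     # C runtime
    (("socket", "connect", "send"), "SEND_NET"),                           # Winsock / BSD
    (("InternetOpen", "InternetConnect", "HttpSendRequest"), "SEND_NET"),  # WinINet
]

# Behaviour signature: abstract actions with variables; the same variable must
# bind to the same data object throughout one match.
Signature = List[Tuple[str, str]]
INFO_LEAK: Signature = [("READ_FILE", "x"), ("SEND_NET", "x")]


def abstract_trace(trace: List[Event]) -> List[Event]:
    """Rewrite a concrete call trace into a trace of abstract actions.

    Each rule keeps a cursor into its call sequence; a matching call advances
    it, and when the sequence completes the abstract action is emitted,
    carrying the data object of the final call (assumption: the final call is
    the one handling the payload, e.g. the buffer read or sent). Calls that
    belong to no rule are dropped, so the result is implementation-independent.
    """
    cursors = [0] * len(ABSTRACTION_RULES)
    out: List[Event] = []
    for call, data in trace:
        for i, (calls, action) in enumerate(ABSTRACTION_RULES):
            if call == calls[cursors[i]]:
                cursors[i] += 1
                if cursors[i] == len(calls):
                    out.append((action, data))
                    cursors[i] = 0
    return out


def detect(abstract: List[Event], signature: Signature) -> Optional[Dict[str, str]]:
    """Check whether the signature occurs as a subsequence of the abstract trace.

    Returns the variable binding under which it matches, or None. A backtracking
    search over positions suffices for one finite trace; the report instead
    model-checks over unbounded sets of traces, which this toy does not do.
    """
    def go(i: int, pos: int, binding: Dict[str, str]) -> Optional[Dict[str, str]]:
        if i == len(signature):
            return binding
        action, var = signature[i]
        for j in range(pos, len(abstract)):
            a, d = abstract[j]
            if a != action or binding.get(var, d) != d:
                continue
            found = go(i + 1, j + 1, {**binding, var: d})
            if found is not None:
                return found
        return None
    return go(0, 0, {})


# Constructed sample traces (not traces of any real program).
LEAK_WIN32: List[Event] = [
    ("CreateFile", "h1"), ("ReadFile", "buf"), ("RegQueryValue", "k"),
    ("socket", "s"), ("connect", "s"), ("send", "buf"),
]
LEAK_VARIANT: List[Event] = [
    ("fopen", "h2"), ("Sleep", "-"), ("fread", "buf"),
    ("InternetOpen", "i"), ("InternetConnect", "i"), ("HttpSendRequest", "buf"),
]
BENIGN: List[Event] = [
    ("fopen", "h3"), ("fread", "config"),
    ("socket", "s"), ("connect", "s"), ("send", "hello"),
]

if __name__ == "__main__":
    for name, trace in [("win32", LEAK_WIN32), ("variant", LEAK_VARIANT), ("benign", BENIGN)]:
        abs_trace = abstract_trace(trace)
        print(name, abs_trace, "->", detect(abs_trace, INFO_LEAK))
```

The two leaking traces use entirely different APIs yet abstract to the same `[READ_FILE(buf), SEND_NET(buf)]`, so one signature catches both; the benign trace reads a file and sends something else, and the shared variable `x` in the signature is what keeps it from matching. Real dataflow between the read buffer and the sent buffer would have to come from taint tracking or the analysis of the program, which this sketch assumes has already been reduced to the data tags on each event.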
Document type: Research Report, 2011

https://hal.inria.fr/inria-00594396
Contributor: Isabelle Gnaedig
Submitted on: Friday, May 20, 2011 - 4:34:21 PM
Last modification on: Thursday, September 22, 2016 - 2:32:01 PM
Document(s) archived on: Friday, November 9, 2012 - 11:46:22 AM

File

fmcad-extended.pdf
Files produced by the author(s)

Identifiers

  • HAL Id: inria-00594396, version 1

Citation

Philippe Beaucamps, Isabelle Gnaedig, Jean-Yves Marion. Behavior Analysis of Malware by Rewriting-based Abstraction - Extended Version. [Research Report] 2011. <inria-00594396>
