Checkpoint
Hal
Racine
Checkpoint
Hal
Exploration
Accueil
Racine
Racine

Serveur d'exploration sur la recherche en informatique en Lorraine

Attention, ce site est en cours de développement !
Attention, site généré par des moyens informatiques à partir de corpus bruts.
Les informations ne sont donc pas validées.

Analysis of Malware by Behavior Abstraction

Identifieur interne : 001A54 ( Hal/Checkpoint ); précédent : 001A53; suivant : 001A55

Analysis of Malware by Behavior Abstraction

Auteurs : Philippe Beaucamps [France]

Source :

RBID : Hal:tel-00646395

Descripteurs français

English descriptors

Abstract

Traditional behavior analysis usually operates at the implementation level of a malicious behavior. Yet, it is mostly concerned with the identification of a given behavior, independently of its technical implementation, and is therefore more naturally defined at a functional level. In this thesis, we define a form of program behavior analysis which operates on the function realized by a program rather than on its elementary interactions with the system. This function is extracted from program traces, a process we call abstraction. We define in a simple, intuitive and formal way the basic functionalities to abstract and the behaviors to detect, then we propose an abstraction mechanism applicable both to a static or to a dynamic analysis setting, with practical algorithms of reasonable complexity, finally we describe a behavior analysis technique integrating this abstraction mechanism. Our method is particularly suited to the analysis of programs written in high level languages or with a known source code, for which static analysis is facilitated: programs intended for virtual machines like Java or .NET, Web scripts, browser addons, off-the-shelf components. The formalism we propose for behavior analysis by abstraction relies on the theory of string and terms rewriting, word and tree languages and model checking. It allows an efficient identification of functionalities in traces and thus the construction of a representation of traces at a functional level; it defines functionalities and behaviors in a natural way, using temporal logic formulas, which assure their simplicity and their flexibility and enables the use of model checking techniques for behavior detection; it operates on an unrestricted set of execution traces; it handles the data flow in execution traces; and it allows the consideration of uncertainty in the identification of functionalities, with no complexity overhead. We validate our results on a set of experiments, which we conducted on existing malicious codes, whose traces are obtained either by dynamic binary instrumentation or by static analysis.

Url:

Links toward previous steps (curation, corpus...)

Links to Exploration step

Hal:tel-00646395

Le document en format XML

<record>
<TEI>
<teiHeader>
<fileDesc>
<titleStmt>
<title xml:lang="en">Analysis of Malware by Behavior Abstraction</title>
<title xml:lang="fr">Analyse de Programmes Malveillants par Abstraction de Comportements</title>
<author>
<name sortKey="Beaucamps, Philippe" sort="Beaucamps, Philippe" uniqKey="Beaucamps P" first="Philippe" last="Beaucamps">Philippe Beaucamps</name>
<affiliation wicri:level="1">
<hal:affiliation type="researchteam" xml:id="struct-29797" status="VALID">
<idno type="RNSR">200918992J</idno>
<orgName>Theoretical adverse computations, and safety</orgName>
<orgName type="acronym">CARTE</orgName>
<desc>
<address>
<country key="FR"></country>
</address>
<ref type="url">http://www.inria.fr/equipes/carte</ref>
</desc>
<listRelation>
<relation active="#struct-129671" type="direct"></relation>
<relation active="#struct-300009" type="indirect"></relation>
<relation active="#struct-423084" type="direct"></relation>
<relation active="#struct-206040" type="indirect"></relation>
<relation active="#struct-413289" type="indirect"></relation>
<relation name="UMR7503" active="#struct-441569" type="indirect"></relation>
</listRelation>
<tutelles>
<tutelle active="#struct-129671" type="direct">
<org type="laboratory" xml:id="struct-129671" status="VALID">
<idno type="RNSR">198618246Y</idno>
<orgName>INRIA Nancy - Grand Est</orgName>
<desc>
<address>
<addrLine>615 rue du Jardin Botanique 54600 Villers-lès-Nancy</addrLine>
<country key="FR"></country>
</address>
<ref type="url">http://www.inria.fr/nancy</ref>
</desc>
<listRelation>
<relation active="#struct-300009" type="direct"></relation>
</listRelation>
</org>
</tutelle>
<tutelle active="#struct-300009" type="indirect">
<org type="institution" xml:id="struct-300009" status="VALID">
<orgName>Institut National de Recherche en Informatique et en Automatique</orgName>
<orgName type="acronym">Inria</orgName>
<desc>
<address>
<addrLine>Domaine de VoluceauRocquencourt - BP 10578153 Le Chesnay Cedex</addrLine>
<country key="FR"></country>
</address>
<ref type="url">http://www.inria.fr/en/</ref>
</desc>
</org>
</tutelle>
<tutelle active="#struct-423084" type="direct">
<org type="department" xml:id="struct-423084" status="VALID">
<orgName>Department of Formal Methods </orgName>
<orgName type="acronym">LORIA - FM</orgName>
<desc>
<address>
<country key="FR"></country>
</address>
<ref type="url">http://www.loria.fr/la-recherche-en/departements/formal-methods</ref>
</desc>
<listRelation>
<relation active="#struct-206040" type="direct"></relation>
<relation active="#struct-300009" type="indirect"></relation>
<relation active="#struct-413289" type="indirect"></relation>
<relation name="UMR7503" active="#struct-441569" type="indirect"></relation>
</listRelation>
</org>
</tutelle>
<tutelle active="#struct-206040" type="indirect">
<org type="laboratory" xml:id="struct-206040" status="VALID">
<idno type="IdRef">067077927</idno>
<idno type="RNSR">198912571S</idno>
<idno type="IdUnivLorraine">[UL]RSI--</idno>
<orgName>Laboratoire Lorrain de Recherche en Informatique et ses Applications</orgName>
<orgName type="acronym">LORIA</orgName>
<date type="start">2012-01-01</date>
<desc>
<address>
<addrLine>Campus Scientifique BP 239 54506 Vandoeuvre-lès-Nancy Cedex</addrLine>
<country key="FR"></country>
</address>
<ref type="url">http://www.loria.fr</ref>
</desc>
<listRelation>
<relation active="#struct-300009" type="direct"></relation>
<relation active="#struct-413289" type="direct"></relation>
<relation name="UMR7503" active="#struct-441569" type="direct"></relation>
</listRelation>
</org>
</tutelle>
<tutelle active="#struct-413289" type="indirect">
<org type="institution" xml:id="struct-413289" status="VALID">
<idno type="IdRef">157040569</idno>
<idno type="IdUnivLorraine">[UL]100--</idno>
<orgName>Université de Lorraine</orgName>
<orgName type="acronym">UL</orgName>
<date type="start">2012-01-01</date>
<desc>
<address>
<addrLine>34 cours Léopold - CS 25233 - 54052 Nancy cedex</addrLine>
<country key="FR"></country>
</address>
<ref type="url">http://www.univ-lorraine.fr/</ref>
</desc>
</org>
</tutelle>
<tutelle name="UMR7503" active="#struct-441569" type="indirect">
<org type="institution" xml:id="struct-441569" status="VALID">
<idno type="IdRef">02636817X</idno>
<idno type="ISNI">0000000122597504</idno>
<orgName>Centre National de la Recherche Scientifique</orgName>
<orgName type="acronym">CNRS</orgName>
<date type="start">1939-10-19</date>
<desc>
<address>
<country key="FR"></country>
</address>
<ref type="url">http://www.cnrs.fr/</ref>
</desc>
</org>
</tutelle>
</tutelles>
</hal:affiliation>
<country>France</country>
<placeName>
<settlement type="city">Nancy</settlement>
<settlement type="city">Metz</settlement>
<region type="region" nuts="2">Grand Est</region>
<region type="old region" nuts="2">Lorraine (région)</region>
</placeName>
<orgName type="university">Université de Lorraine</orgName>
</affiliation>
</author>
</titleStmt>
<publicationStmt>
<idno type="wicri:source">HAL</idno>
<idno type="RBID">Hal:tel-00646395</idno>
<idno type="halId">tel-00646395</idno>
<idno type="halUri">https://tel.archives-ouvertes.fr/tel-00646395</idno>
<idno type="url">https://tel.archives-ouvertes.fr/tel-00646395</idno>
<date when="2011-11-14">2011-11-14</date>
<idno type="wicri:Area/Hal/Corpus">000E49</idno>
<idno type="wicri:Area/Hal/Curation">000E49</idno>
<idno type="wicri:Area/Hal/Checkpoint">001A54</idno>
<idno type="wicri:explorRef" wicri:stream="Hal" wicri:step="Checkpoint">001A54</idno>
</publicationStmt>
<sourceDesc>
<biblStruct>
<analytic>
<title xml:lang="en">Analysis of Malware by Behavior Abstraction</title>
<title xml:lang="fr">Analyse de Programmes Malveillants par Abstraction de Comportements</title>
<author>
<name sortKey="Beaucamps, Philippe" sort="Beaucamps, Philippe" uniqKey="Beaucamps P" first="Philippe" last="Beaucamps">Philippe Beaucamps</name>
<affiliation wicri:level="1">
<hal:affiliation type="researchteam" xml:id="struct-29797" status="VALID">
<idno type="RNSR">200918992J</idno>
<orgName>Theoretical adverse computations, and safety</orgName>
<orgName type="acronym">CARTE</orgName>
<desc>
<address>
<country key="FR"></country>
</address>
<ref type="url">http://www.inria.fr/equipes/carte</ref>
</desc>
<listRelation>
<relation active="#struct-129671" type="direct"></relation>
<relation active="#struct-300009" type="indirect"></relation>
<relation active="#struct-423084" type="direct"></relation>
<relation active="#struct-206040" type="indirect"></relation>
<relation active="#struct-413289" type="indirect"></relation>
<relation name="UMR7503" active="#struct-441569" type="indirect"></relation>
</listRelation>
<tutelles>
<tutelle active="#struct-129671" type="direct">
<org type="laboratory" xml:id="struct-129671" status="VALID">
<idno type="RNSR">198618246Y</idno>
<orgName>INRIA Nancy - Grand Est</orgName>
<desc>
<address>
<addrLine>615 rue du Jardin Botanique 54600 Villers-lès-Nancy</addrLine>
<country key="FR"></country>
</address>
<ref type="url">http://www.inria.fr/nancy</ref>
</desc>
<listRelation>
<relation active="#struct-300009" type="direct"></relation>
</listRelation>
</org>
</tutelle>
<tutelle active="#struct-300009" type="indirect">
<org type="institution" xml:id="struct-300009" status="VALID">
<orgName>Institut National de Recherche en Informatique et en Automatique</orgName>
<orgName type="acronym">Inria</orgName>
<desc>
<address>
<addrLine>Domaine de VoluceauRocquencourt - BP 10578153 Le Chesnay Cedex</addrLine>
<country key="FR"></country>
</address>
<ref type="url">http://www.inria.fr/en/</ref>
</desc>
</org>
</tutelle>
<tutelle active="#struct-423084" type="direct">
<org type="department" xml:id="struct-423084" status="VALID">
<orgName>Department of Formal Methods </orgName>
<orgName type="acronym">LORIA - FM</orgName>
<desc>
<address>
<country key="FR"></country>
</address>
<ref type="url">http://www.loria.fr/la-recherche-en/departements/formal-methods</ref>
</desc>
<listRelation>
<relation active="#struct-206040" type="direct"></relation>
<relation active="#struct-300009" type="indirect"></relation>
<relation active="#struct-413289" type="indirect"></relation>
<relation name="UMR7503" active="#struct-441569" type="indirect"></relation>
</listRelation>
</org>
</tutelle>
<tutelle active="#struct-206040" type="indirect">
<org type="laboratory" xml:id="struct-206040" status="VALID">
<idno type="IdRef">067077927</idno>
<idno type="RNSR">198912571S</idno>
<idno type="IdUnivLorraine">[UL]RSI--</idno>
<orgName>Laboratoire Lorrain de Recherche en Informatique et ses Applications</orgName>
<orgName type="acronym">LORIA</orgName>
<date type="start">2012-01-01</date>
<desc>
<address>
<addrLine>Campus Scientifique BP 239 54506 Vandoeuvre-lès-Nancy Cedex</addrLine>
<country key="FR"></country>
</address>
<ref type="url">http://www.loria.fr</ref>
</desc>
<listRelation>
<relation active="#struct-300009" type="direct"></relation>
<relation active="#struct-413289" type="direct"></relation>
<relation name="UMR7503" active="#struct-441569" type="direct"></relation>
</listRelation>
</org>
</tutelle>
<tutelle active="#struct-413289" type="indirect">
<org type="institution" xml:id="struct-413289" status="VALID">
<idno type="IdRef">157040569</idno>
<idno type="IdUnivLorraine">[UL]100--</idno>
<orgName>Université de Lorraine</orgName>
<orgName type="acronym">UL</orgName>
<date type="start">2012-01-01</date>
<desc>
<address>
<addrLine>34 cours Léopold - CS 25233 - 54052 Nancy cedex</addrLine>
<country key="FR"></country>
</address>
<ref type="url">http://www.univ-lorraine.fr/</ref>
</desc>
</org>
</tutelle>
<tutelle name="UMR7503" active="#struct-441569" type="indirect">
<org type="institution" xml:id="struct-441569" status="VALID">
<idno type="IdRef">02636817X</idno>
<idno type="ISNI">0000000122597504</idno>
<orgName>Centre National de la Recherche Scientifique</orgName>
<orgName type="acronym">CNRS</orgName>
<date type="start">1939-10-19</date>
<desc>
<address>
<country key="FR"></country>
</address>
<ref type="url">http://www.cnrs.fr/</ref>
</desc>
</org>
</tutelle>
</tutelles>
</hal:affiliation>
<country>France</country>
<placeName>
<settlement type="city">Nancy</settlement>
<settlement type="city">Metz</settlement>
<region type="region" nuts="2">Grand Est</region>
<region type="old region" nuts="2">Lorraine (région)</region>
</placeName>
<orgName type="university">Université de Lorraine</orgName>
</affiliation>
</author>
</analytic>
</biblStruct>
</sourceDesc>
</fileDesc>
<profileDesc>
<textClass>
<keywords scheme="mix" xml:lang="en">
<term>behavioural analysis</term>
<term>rewriting</term>
<term>virology</term>
</keywords>
<keywords scheme="mix" xml:lang="fr">
<term>abstraction</term>
<term>analyse comportementale</term>
<term>model checking</term>
<term>réécriture</term>
<term>virologie</term>
</keywords>
</textClass>
</profileDesc>
</teiHeader>
<front>
<div type="abstract" xml:lang="en">Traditional behavior analysis usually operates at the implementation level of a malicious behavior. Yet, it is mostly concerned with the identification of a given behavior, independently of its technical implementation, and is therefore more naturally defined at a functional level. In this thesis, we define a form of program behavior analysis which operates on the function realized by a program rather than on its elementary interactions with the system. This function is extracted from program traces, a process we call abstraction. We define in a simple, intuitive and formal way the basic functionalities to abstract and the behaviors to detect, then we propose an abstraction mechanism applicable both to a static or to a dynamic analysis setting, with practical algorithms of reasonable complexity, finally we describe a behavior analysis technique integrating this abstraction mechanism. Our method is particularly suited to the analysis of programs written in high level languages or with a known source code, for which static analysis is facilitated: programs intended for virtual machines like Java or .NET, Web scripts, browser addons, off-the-shelf components. The formalism we propose for behavior analysis by abstraction relies on the theory of string and terms rewriting, word and tree languages and model checking. It allows an efficient identification of functionalities in traces and thus the construction of a representation of traces at a functional level; it defines functionalities and behaviors in a natural way, using temporal logic formulas, which assure their simplicity and their flexibility and enables the use of model checking techniques for behavior detection; it operates on an unrestricted set of execution traces; it handles the data flow in execution traces; and it allows the consideration of uncertainty in the identification of functionalities, with no complexity overhead. We validate our results on a set of experiments, which we conducted on existing malicious codes, whose traces are obtained either by dynamic binary instrumentation or by static analysis.</div>
</front>
</TEI>
<hal api="V3">
<titleStmt>
<title xml:lang="en">Analysis of Malware by Behavior Abstraction</title>
<title xml:lang="fr">Analyse de Programmes Malveillants par Abstraction de Comportements</title>
<author role="aut">
<persName>
<forename type="first">Philippe</forename>
<surname>Beaucamps</surname>
</persName>
<email>philippe.beaucamps@loria.fr</email>
<idno type="halauthor">357781</idno>
<affiliation ref="#struct-29797"></affiliation>
</author>
<editor role="depositor">
<persName>
<forename>Isabelle</forename>
<surname>Gnaedig</surname>
</persName>
<email>Isabelle.Gnaedig@loria.fr</email>
</editor>
</titleStmt>
<editionStmt>
<edition n="v1" type="current">
<date type="whenSubmitted">2011-11-29 19:32:41</date>
<date type="whenModified">2015-09-22 01:13:13</date>
<date type="whenReleased">2011-11-30 09:13:04</date>
<date type="whenProduced">2011-11-14</date>
<date type="whenEndEmbargoed">2011-11-29</date>
<ref type="file" target="https://tel.archives-ouvertes.fr/tel-00646395/document">
<date notBefore="2011-11-29"></date>
</ref>
<ref type="file" n="1" target="https://tel.archives-ouvertes.fr/tel-00646395/file/these-philippe.pdf">
<date notBefore="2011-11-29"></date>
</ref>
</edition>
<respStmt>
<resp>contributor</resp>
<name key="114249">
<persName>
<forename>Isabelle</forename>
<surname>Gnaedig</surname>
</persName>
<email>Isabelle.Gnaedig@loria.fr</email>
</name>
</respStmt>
</editionStmt>
<publicationStmt>
<distributor>CCSD</distributor>
<idno type="halId">tel-00646395</idno>
<idno type="halUri">https://tel.archives-ouvertes.fr/tel-00646395</idno>
<idno type="halBibtex">beaucamps:tel-00646395</idno>
<idno type="halRefHtml">Logique en informatique [cs.LO]. Institut National Polytechnique de Lorraine - INPL, 2011. Français</idno>
<idno type="halRef">Logique en informatique [cs.LO]. Institut National Polytechnique de Lorraine - INPL, 2011. Français</idno>
</publicationStmt>
<seriesStmt>
<idno type="stamp" n="CNRS">CNRS - Centre national de la recherche scientifique</idno>
<idno type="stamp" n="INRIA">INRIA - Institut National de Recherche en Informatique et en Automatique</idno>
<idno type="stamp" n="LORIA2">Publications du LORIA</idno>
<idno type="stamp" n="INRIA-NANCY-GRAND-EST">INRIA Nancy - Grand Est</idno>
<idno type="stamp" n="LORIA-FM" p="LORIA">Méthodes formelles</idno>
<idno type="stamp" n="LORIA">LORIA - Laboratoire Lorrain de Recherche en Informatique et ses Applications</idno>
<idno type="stamp" n="UNIV-LORRAINE">Université de Lorraine</idno>
<idno type="stamp" n="INRIA-LORRAINE">INRIA Nancy - Grand Est</idno>
<idno type="stamp" n="THESES-EN-LIGNE-DAGROCAMPUS-OUEST">Thèses d'AGROCAMPUS OUEST</idno>
<idno type="stamp" n="INRIA_TEST">INRIA - Institut National de Recherche en Informatique et en Automatique</idno>
</seriesStmt>
<notesStmt></notesStmt>
<sourceDesc>
<biblStruct>
<analytic>
<title xml:lang="en">Analysis of Malware by Behavior Abstraction</title>
<title xml:lang="fr">Analyse de Programmes Malveillants par Abstraction de Comportements</title>
<author role="aut">
<persName>
<forename type="first">Philippe</forename>
<surname>Beaucamps</surname>
</persName>
<email>philippe.beaucamps@loria.fr</email>
<idno type="halAuthorId">357781</idno>
<affiliation ref="#struct-29797"></affiliation>
</author>
</analytic>
<monogr>
<imprint>
<date type="dateDefended">2011-11-14</date>
</imprint>
<authority type="institution">Institut National Polytechnique de Lorraine - INPL</authority>
<authority type="school">Mathématiques, Sciences et Technologies de l'Information (Informatique)</authority>
<authority type="supervisor">Jean-Yves Marion(Jean-Yves.Marion@loria.fr)</authority>
<authority type="jury">Isabelle Gnaedig (co-directeur)</authority>
<authority type="jury">Sandrine Blazy (rapporteur)</authority>
<authority type="jury">Sophie Tison (rapporteur)</authority>
<authority type="jury">Roberto Giacobazzi (examinateur)</authority>
<authority type="jury">Hélène Kirchner (examinateur)</authority>
</monogr>
</biblStruct>
</sourceDesc>
<profileDesc>
<langUsage>
<language ident="fr">French</language>
</langUsage>
<textClass>
<keywords scheme="author">
<term xml:lang="en">virology</term>
<term xml:lang="en">behavioural analysis</term>
<term xml:lang="en">rewriting</term>
<term xml:lang="fr">virologie</term>
<term xml:lang="fr">analyse comportementale</term>
<term xml:lang="fr">abstraction</term>
<term xml:lang="fr">réécriture</term>
<term xml:lang="fr">model checking</term>
</keywords>
<classCode scheme="halDomain" n="info.info-lo">Computer Science [cs]/Logic in Computer Science [cs.LO]</classCode>
<classCode scheme="halDomain" n="info.info-cr">Computer Science [cs]/Cryptography and Security [cs.CR]</classCode>
<classCode scheme="halTypology" n="THESE">Theses</classCode>
</textClass>
<abstract xml:lang="en">Traditional behavior analysis usually operates at the implementation level of a malicious behavior. Yet, it is mostly concerned with the identification of a given behavior, independently of its technical implementation, and is therefore more naturally defined at a functional level. In this thesis, we define a form of program behavior analysis which operates on the function realized by a program rather than on its elementary interactions with the system. This function is extracted from program traces, a process we call abstraction. We define in a simple, intuitive and formal way the basic functionalities to abstract and the behaviors to detect, then we propose an abstraction mechanism applicable both to a static or to a dynamic analysis setting, with practical algorithms of reasonable complexity, finally we describe a behavior analysis technique integrating this abstraction mechanism. Our method is particularly suited to the analysis of programs written in high level languages or with a known source code, for which static analysis is facilitated: programs intended for virtual machines like Java or .NET, Web scripts, browser addons, off-the-shelf components. The formalism we propose for behavior analysis by abstraction relies on the theory of string and terms rewriting, word and tree languages and model checking. It allows an efficient identification of functionalities in traces and thus the construction of a representation of traces at a functional level; it defines functionalities and behaviors in a natural way, using temporal logic formulas, which assure their simplicity and their flexibility and enables the use of model checking techniques for behavior detection; it operates on an unrestricted set of execution traces; it handles the data flow in execution traces; and it allows the consideration of uncertainty in the identification of functionalities, with no complexity overhead. We validate our results on a set of experiments, which we conducted on existing malicious codes, whose traces are obtained either by dynamic binary instrumentation or by static analysis.</abstract>
<abstract xml:lang="fr">L'analyse comportementale traditionnelle opère en général au niveau de l'implantation du comportement malveillant. Pourtant, elle s'intéresse surtout à l'identification d'un comportement donné, indépendamment de sa mise en œuvre technique, et elle se situe donc plus naturellement à un niveau fonctionnel. Dans cette thèse, nous définissons une forme d'analyse comportementale de programmes qui opère non pas sur les interactions élémentaires d'un programme avec le système mais sur la fonction que le programme réalise. Cette fonction est extraite des traces d'un programme, un procédé que nous appelons abstraction. Nous définissons de façon simple, intuitive et formelle les fonctionnalités de base à abstraire et les comportements à détecter, puis nous proposons un mécanisme d'abstraction applicable à un cadre d'analyse statique ou dynamique, avec des algorithmes pratiques à complexité raisonnable, enfin nous décrivons une technique d'analyse comportementale intégrant ce mécanisme d'abstraction. Notre méthode est particulièrement adaptée à l'analyse des programmes dans des langages de haut niveau ou dont le code source est connu, pour lesquels l'analyse statique est facilitée : les programmes conçus pour des machines virtuelles comme Java ou .NET, les scripts Web, les extensions de navigateurs, les composants off-the-shelf. Le formalisme d'analyse comportementale par abstraction que nous proposons repose sur la théorie de la réécriture de mots et de termes, les langages réguliers de mots et de termes et le model checking. Il permet d'identifier efficacement des fonctionnalités dans des traces et ainsi d'obtenir une représentation des traces à un niveau fonctionnel ; il définit les fonctionnalités et les comportements de façon naturelle, à l'aide de formules de logique temporelle, ce qui garantit leur simplicité et leur flexibilité et permet l'utilisation de techniques de model checking pour la détection de ces comportements ; il opère sur un ensemble quelconque de traces d'exécution ; il prend en compte le flux de données dans les traces d'exécution ; et il permet, sans perte d'efficacité, de tenir compte de l'incertitude dans l'identification des fonctionnalités. Nous validons nos résultats par un ensemble d'expériences, menées sur des codes malicieux existants, dont les traces sont obtenues soit par instrumentation binaire dynamique, soit par analyse statique.</abstract>
</profileDesc>
</hal>
</record>

Pour manipuler ce document sous Unix (Dilib)

EXPLOR_STEP=$WICRI_ROOT/Wicri/Lorraine/explor/InforLorV4/Data/Hal/Checkpoint

HfdSelect -h $EXPLOR_STEP/biblio.hfd -nk 001A54 | SxmlIndent | more

Ou

HfdSelect -h $EXPLOR_AREA/Data/Hal/Checkpoint/biblio.hfd -nk 001A54 | SxmlIndent | more

Pour mettre un lien sur cette page dans le réseau Wicri

{{Explor lien
   |wiki=    Wicri/Lorraine
   |area=    InforLorV4
   |flux=    Hal
   |étape=   Checkpoint
   |type=    RBID
   |clé=     Hal:tel-00646395
   |texte=   Analysis of Malware by Behavior Abstraction
}}
Wicri

This area was generated with Dilib version V0.6.33.
Data generation: Mon Jun 10 21:56:28 2019. Site generation: Fri Feb 25 15:29:27 2022