Malware behaviour analysis
Identifieur interne : 004C33 ( Main/Exploration ); précédent : 004C32; suivant : 004C34Malware behaviour analysis
Auteurs : Gérard Wagener [France] ; Radu State [France] ; Alexandre Dulaunoy [Luxembourg (pays), Belgique]Source :
- Journal in Computer Virology [ 1772-9890 ] ; 2008-11-01.
Abstract
Abstract: Several malware analysis techniques suppose that the disassembled code of a piece of malware is available, which is however not always possible. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed which allows to classify malware behaviours. The main features of our approach reside in coupling a sequence alignment method to compute similarities and leverage the Hellinger distance to compute associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and evolution of malware. This is relevant when dealing with obfuscated malware variants that have often similar behaviour. The phylogenetic trees were assessed using known antivirus results and only a few malware behaviours were wrongly classified.
Url:
DOI: 10.1007/s11416-007-0074-9
Affiliations:
Links toward previous steps (curation, corpus...)
- to stream Istex, to step Corpus: 003262
- to stream Istex, to step Curation: 003221
- to stream Istex, to step Checkpoint: 001018
- to stream Main, to step Merge: 004D67
- to stream Main, to step Curation: 004C33
Le document en format XML
<record><TEI wicri:istexFullTextTei="biblStruct"><teiHeader><fileDesc><titleStmt><title xml:lang="en">Malware behaviour analysis</title><author><name sortKey="Wagener, Gerard" sort="Wagener, Gerard" uniqKey="Wagener G" first="Gérard" last="Wagener">Gérard Wagener</name></author><author><name sortKey="State, Radu" sort="State, Radu" uniqKey="State R" first="Radu" last="State">Radu State</name></author><author><name sortKey="Dulaunoy, Alexandre" sort="Dulaunoy, Alexandre" uniqKey="Dulaunoy A" first="Alexandre" last="Dulaunoy">Alexandre Dulaunoy</name></author></titleStmt><publicationStmt><idno type="wicri:source">ISTEX</idno><idno type="RBID">ISTEX:D478A0F873D565DA931BEA45AC50395FB3674583</idno><date when="2007" year="2007">2007</date><idno type="doi">10.1007/s11416-007-0074-9</idno><idno type="url">https://api.istex.fr/ark:/67375/VQC-RCSJCS7V-3/fulltext.pdf</idno><idno type="wicri:Area/Istex/Corpus">003262</idno><idno type="wicri:explorRef" wicri:stream="Istex" wicri:step="Corpus" wicri:corpus="ISTEX">003262</idno><idno type="wicri:Area/Istex/Curation">003221</idno><idno type="wicri:Area/Istex/Checkpoint">001018</idno><idno type="wicri:explorRef" wicri:stream="Istex" wicri:step="Checkpoint">001018</idno><idno type="wicri:doubleKey">1772-9890:2007:Wagener G:malware:behaviour:analysis</idno><idno type="wicri:Area/Main/Merge">004D67</idno><idno type="wicri:Area/Main/Curation">004C33</idno><idno type="wicri:Area/Main/Exploration">004C33</idno></publicationStmt><sourceDesc><biblStruct><analytic><title level="a" type="main" xml:lang="en">Malware behaviour analysis</title><author><name sortKey="Wagener, Gerard" sort="Wagener, Gerard" uniqKey="Wagener G" first="Gérard" last="Wagener">Gérard Wagener</name><affiliation wicri:level="1"><country xml:lang="fr">France</country><wicri:regionArea>LORIA-INRIA, Vandoeuvre</wicri:regionArea><wicri:noRegion>Vandoeuvre</wicri:noRegion><wicri:noRegion>Vandoeuvre</wicri:noRegion></affiliation><affiliation></affiliation></author><author><name sortKey="State, Radu" sort="State, Radu" uniqKey="State R" first="Radu" last="State">Radu State</name><affiliation wicri:level="1"><country xml:lang="fr">France</country><wicri:regionArea>INRIA, Le Chesnay Cedex</wicri:regionArea><wicri:noRegion>Le Chesnay Cedex</wicri:noRegion><wicri:noRegion>Le Chesnay Cedex</wicri:noRegion></affiliation><affiliation wicri:level="1"><country wicri:rule="url">France</country></affiliation></author><author><name sortKey="Dulaunoy, Alexandre" sort="Dulaunoy, Alexandre" uniqKey="Dulaunoy A" first="Alexandre" last="Dulaunoy">Alexandre Dulaunoy</name><affiliation wicri:level="1"><country xml:lang="fr">Luxembourg (pays)</country><wicri:regionArea>CSRRT-LU, Luxembourg</wicri:regionArea><wicri:noRegion>Luxembourg</wicri:noRegion></affiliation><affiliation wicri:level="1"><country wicri:rule="url">Belgique</country></affiliation></author></analytic><monogr></monogr><series><title level="j">Journal in Computer Virology</title><title level="j" type="abbrev">J Comput Virol</title><idno type="ISSN">1772-9890</idno><idno type="eISSN">1772-9904</idno><imprint><publisher>Springer-Verlag</publisher><pubPlace>Paris</pubPlace><date type="published" when="2008-11-01">2008-11-01</date><biblScope unit="volume">4</biblScope><biblScope unit="issue">4</biblScope><biblScope unit="page" from="279">279</biblScope><biblScope unit="page" to="287">287</biblScope></imprint><idno type="ISSN">1772-9890</idno></series></biblStruct></sourceDesc><seriesStmt><idno type="ISSN">1772-9890</idno></seriesStmt></fileDesc><profileDesc><textClass></textClass><langUsage><language ident="en">en</language></langUsage></profileDesc></teiHeader><front><div type="abstract" xml:lang="en">Abstract: Several malware analysis techniques suppose that the disassembled code of a piece of malware is available, which is however not always possible. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed which allows to classify malware behaviours. The main features of our approach reside in coupling a sequence alignment method to compute similarities and leverage the Hellinger distance to compute associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and evolution of malware. This is relevant when dealing with obfuscated malware variants that have often similar behaviour. The phylogenetic trees were assessed using known antivirus results and only a few malware behaviours were wrongly classified.</div></front></TEI><affiliations><list><country><li>Belgique</li><li>France</li><li>Luxembourg (pays)</li></country></list><tree><country name="France"><noRegion><name sortKey="Wagener, Gerard" sort="Wagener, Gerard" uniqKey="Wagener G" first="Gérard" last="Wagener">Gérard Wagener</name></noRegion><name sortKey="State, Radu" sort="State, Radu" uniqKey="State R" first="Radu" last="State">Radu State</name><name sortKey="State, Radu" sort="State, Radu" uniqKey="State R" first="Radu" last="State">Radu State</name></country><country name="Luxembourg (pays)"><noRegion><name sortKey="Dulaunoy, Alexandre" sort="Dulaunoy, Alexandre" uniqKey="Dulaunoy A" first="Alexandre" last="Dulaunoy">Alexandre Dulaunoy</name></noRegion></country><country name="Belgique"><noRegion><name sortKey="Dulaunoy, Alexandre" sort="Dulaunoy, Alexandre" uniqKey="Dulaunoy A" first="Alexandre" last="Dulaunoy">Alexandre Dulaunoy</name></noRegion></country></tree></affiliations></record>Pour manipuler ce document sous Unix (Dilib)
EXPLOR_STEP=$WICRI_ROOT/Wicri/Lorraine/explor/InforLorV4/Data/Main/Exploration
HfdSelect -h $EXPLOR_STEP/biblio.hfd -nk 004C33 | SxmlIndent | more
Ou
HfdSelect -h $EXPLOR_AREA/Data/Main/Exploration/biblio.hfd -nk 004C33 | SxmlIndent | more
Pour mettre un lien sur cette page dans le réseau Wicri
{{Explor lien
|wiki= Wicri/Lorraine
|area= InforLorV4
|flux= Main
|étape= Exploration
|type= RBID
|clé= ISTEX:D478A0F873D565DA931BEA45AC50395FB3674583
|texte= Malware behaviour analysis
}}
| This area was generated with Dilib version V0.6.33. |  |