Malware behaviour analysis
Identifieur interne : 004454 ( Main/Exploration ); précédent : 004453; suivant : 004455Malware behaviour analysis
Auteurs : Gérard Wagener [France] ; Radu State [France] ; Alexandre Dulaunoy [Luxembourg (pays)]Source :
- Journal in computer virology [ 1772-9890 ] ; 2008.
Descripteurs français
- Pascal (Inist)
- Wicri :
- topic : Classification.
English descriptors
- KwdEn :
Abstract
Several malware analysis techniques suppose that the disassembled code of a piece of malware is available, which is however not always possible. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed which allows to classify malware behaviours. The main features of our approach reside in coupling a sequence alignment method to compute similarities and leverage the Hellinger distance to compute associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and evolution of malware. This is relevant when dealing with obfuscated malware variants that have often similar behaviour. The phylogenetic trees were assessed using known antivirus results and only a few malware behaviours were wrongly classified.
Affiliations:
Links toward previous steps (curation, corpus...)
- to stream PascalFrancis, to step Corpus: 000288
- to stream PascalFrancis, to step Curation: 000732
- to stream PascalFrancis, to step Checkpoint: 000274
- to stream Main, to step Merge: 004569
- to stream Main, to step Curation: 004454
Le document en format XML
<record><TEI><teiHeader><fileDesc><titleStmt><title xml:lang="en" level="a">Malware behaviour analysis</title>
<author><name sortKey="Wagener, Gerard" sort="Wagener, Gerard" uniqKey="Wagener G" first="Gérard" last="Wagener">Gérard Wagener</name>
<affiliation wicri:level="1"><inist:fA14 i1="01"><s1>LORIA-INRIA</s1>
<s2>Vandoeuvre</s2>
<s3>FRA</s3>
<sZ>1 aut.</sZ>
</inist:fA14>
<country>France</country>
<wicri:noRegion>Vandoeuvre</wicri:noRegion>
<wicri:noRegion>LORIA-INRIA</wicri:noRegion>
<wicri:noRegion>LORIA-INRIA</wicri:noRegion>
</affiliation>
</author>
<author><name sortKey="State, Radu" sort="State, Radu" uniqKey="State R" first="Radu" last="State">Radu State</name>
<affiliation wicri:level="1"><inist:fA14 i1="02"><s1>INRIA</s1>
<s2>Le Chesnay</s2>
<s3>FRA</s3>
<sZ>2 aut.</sZ>
</inist:fA14>
<country>France</country>
<wicri:noRegion>Le Chesnay</wicri:noRegion>
<wicri:noRegion>INRIA</wicri:noRegion>
<wicri:noRegion>INRIA</wicri:noRegion>
</affiliation>
</author>
<author><name sortKey="Dulaunoy, Alexandre" sort="Dulaunoy, Alexandre" uniqKey="Dulaunoy A" first="Alexandre" last="Dulaunoy">Alexandre Dulaunoy</name>
<affiliation wicri:level="1"><inist:fA14 i1="03"><s1>CSRRT-LU</s1>
<s2>Luxembourg</s2>
<s3>LUX</s3>
<sZ>3 aut.</sZ>
</inist:fA14>
<country>Luxembourg (pays)</country>
<wicri:noRegion>CSRRT-LU</wicri:noRegion>
</affiliation>
</author>
</titleStmt>
<publicationStmt><idno type="wicri:source">INIST</idno>
<idno type="inist">09-0007343</idno>
<date when="2008">2008</date>
<idno type="stanalyst">PASCAL 09-0007343 INIST</idno>
<idno type="RBID">Pascal:09-0007343</idno>
<idno type="wicri:Area/PascalFrancis/Corpus">000288</idno>
<idno type="wicri:Area/PascalFrancis/Curation">000732</idno>
<idno type="wicri:Area/PascalFrancis/Checkpoint">000274</idno>
<idno type="wicri:explorRef" wicri:stream="PascalFrancis" wicri:step="Checkpoint">000274</idno>
<idno type="wicri:doubleKey">1772-9890:2008:Wagener G:malware:behaviour:analysis</idno>
<idno type="wicri:Area/Main/Merge">004569</idno>
<idno type="wicri:Area/Main/Curation">004454</idno>
<idno type="wicri:Area/Main/Exploration">004454</idno>
</publicationStmt>
<sourceDesc><biblStruct><analytic><title xml:lang="en" level="a">Malware behaviour analysis</title>
<author><name sortKey="Wagener, Gerard" sort="Wagener, Gerard" uniqKey="Wagener G" first="Gérard" last="Wagener">Gérard Wagener</name>
<affiliation wicri:level="1"><inist:fA14 i1="01"><s1>LORIA-INRIA</s1>
<s2>Vandoeuvre</s2>
<s3>FRA</s3>
<sZ>1 aut.</sZ>
</inist:fA14>
<country>France</country>
<wicri:noRegion>Vandoeuvre</wicri:noRegion>
<wicri:noRegion>LORIA-INRIA</wicri:noRegion>
<wicri:noRegion>LORIA-INRIA</wicri:noRegion>
</affiliation>
</author>
<author><name sortKey="State, Radu" sort="State, Radu" uniqKey="State R" first="Radu" last="State">Radu State</name>
<affiliation wicri:level="1"><inist:fA14 i1="02"><s1>INRIA</s1>
<s2>Le Chesnay</s2>
<s3>FRA</s3>
<sZ>2 aut.</sZ>
</inist:fA14>
<country>France</country>
<wicri:noRegion>Le Chesnay</wicri:noRegion>
<wicri:noRegion>INRIA</wicri:noRegion>
<wicri:noRegion>INRIA</wicri:noRegion>
</affiliation>
</author>
<author><name sortKey="Dulaunoy, Alexandre" sort="Dulaunoy, Alexandre" uniqKey="Dulaunoy A" first="Alexandre" last="Dulaunoy">Alexandre Dulaunoy</name>
<affiliation wicri:level="1"><inist:fA14 i1="03"><s1>CSRRT-LU</s1>
<s2>Luxembourg</s2>
<s3>LUX</s3>
<sZ>3 aut.</sZ>
</inist:fA14>
<country>Luxembourg (pays)</country>
<wicri:noRegion>CSRRT-LU</wicri:noRegion>
</affiliation>
</author>
</analytic>
<series><title level="j" type="main">Journal in computer virology</title>
<title level="j" type="abbreviated">J. comput. virol.</title>
<idno type="ISSN">1772-9890</idno>
<imprint><date when="2008">2008</date>
</imprint>
</series>
</biblStruct>
</sourceDesc>
<seriesStmt><title level="j" type="main">Journal in computer virology</title>
<title level="j" type="abbreviated">J. comput. virol.</title>
<idno type="ISSN">1772-9890</idno>
</seriesStmt>
</fileDesc>
<profileDesc><textClass><keywords scheme="KwdEn" xml:lang="en"><term>Bioinformatics</term>
<term>Classification</term>
<term>Computer security</term>
<term>Phylogenetic tree</term>
<term>Sequence alignment</term>
<term>Similarity</term>
</keywords>
<keywords scheme="Pascal" xml:lang="fr"><term>Sécurité informatique</term>
<term>Similitude</term>
<term>Classification</term>
<term>Bioinformatique</term>
<term>Alignement séquence</term>
<term>Arbre phylogénétique</term>
</keywords>
<keywords scheme="Wicri" type="topic" xml:lang="fr"><term>Classification</term>
</keywords>
</textClass>
</profileDesc>
</teiHeader>
<front><div type="abstract" xml:lang="en">Several malware analysis techniques suppose that the disassembled code of a piece of malware is available, which is however not always possible. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed which allows to classify malware behaviours. The main features of our approach reside in coupling a sequence alignment method to compute similarities and leverage the Hellinger distance to compute associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and evolution of malware. This is relevant when dealing with obfuscated malware variants that have often similar behaviour. The phylogenetic trees were assessed using known antivirus results and only a few malware behaviours were wrongly classified.</div>
</front>
</TEI>
<affiliations><list><country><li>France</li>
<li>Luxembourg (pays)</li>
</country>
</list>
<tree><country name="France"><noRegion><name sortKey="Wagener, Gerard" sort="Wagener, Gerard" uniqKey="Wagener G" first="Gérard" last="Wagener">Gérard Wagener</name>
</noRegion>
<name sortKey="State, Radu" sort="State, Radu" uniqKey="State R" first="Radu" last="State">Radu State</name>
</country>
<country name="Luxembourg (pays)"><noRegion><name sortKey="Dulaunoy, Alexandre" sort="Dulaunoy, Alexandre" uniqKey="Dulaunoy A" first="Alexandre" last="Dulaunoy">Alexandre Dulaunoy</name>
</noRegion>
</country>
</tree>
</affiliations>
</record>
Pour manipuler ce document sous Unix (Dilib)
EXPLOR_STEP=$WICRI_ROOT/Wicri/Lorraine/explor/InforLorV4/Data/Main/Exploration
HfdSelect -h $EXPLOR_STEP/biblio.hfd -nk 004454 | SxmlIndent | more
Ou
HfdSelect -h $EXPLOR_AREA/Data/Main/Exploration/biblio.hfd -nk 004454 | SxmlIndent | more
Pour mettre un lien sur cette page dans le réseau Wicri
{{Explor lien |wiki= Wicri/Lorraine |area= InforLorV4 |flux= Main |étape= Exploration |type= RBID |clé= Pascal:09-0007343 |texte= Malware behaviour analysis }}
This area was generated with Dilib version V0.6.33. |