Architecture of a morphological malware detector : EICAR 2008
Identifieur interne : 000253 ( PascalFrancis/Checkpoint ); précédent : 000252; suivant : 000254Architecture of a morphological malware detector : EICAR 2008
Auteurs : Guillaume Bonfante [France] ; Matthieu Kaczmarek [France] ; Jean-Yves Marion [France]Source :
- Journal in computer virology [ 1772-9890 ] ; 2009.
Descripteurs français
- Pascal (Inist)
English descriptors
- KwdEn :
Abstract
Most of malware detectors are based on syntactic signatures that identify known malicious programs. Up to now this architecture has been sufficiently efficient to overcome most of malware attacks. Nevertheless, the complexity of malicious codes still increase. As a result the time required to reverse engineer malicious programs and to forge new signatures is increasingly longer. This study proposes an efficient construction of a morphological malware detector, that is a detector which associates syntactic and semantic analysis. It aims at facilitating the task of malware analysts providing some abstraction on the signature representation which is based on control flow graphs. We build an efficient signature matching engine over tree automata techniques. Moreover we describe a generic graph rewriting engine in order to deal with classic mutations techniques. Finally, we provide a preliminary evaluation of the strategy detection carrying out experiments on a malware collection.
Affiliations:
Links toward previous steps (curation, corpus...)
Links to Exploration step
Pascal:10-0051671Le document en format XML
<record><TEI><teiHeader><fileDesc><titleStmt><title xml:lang="en" level="a">Architecture of a morphological malware detector : EICAR 2008</title><author><name sortKey="Bonfante, Guillaume" sort="Bonfante, Guillaume" uniqKey="Bonfante G" first="Guillaume" last="Bonfante">Guillaume Bonfante</name><affiliation wicri:level="4"><inist:fA14 i1="01"><s1>Nancy-Université, Loria, INPL, Ecole Nationale Supérieure des Mines de Nancy, B.P. 239</s1><s2>54506 Vandœuvre-lès-Nancy</s2><s3>FRA</s3><sZ>1 aut.</sZ><sZ>2 aut.</sZ><sZ>3 aut.</sZ></inist:fA14><country>France</country><placeName><region type="region" nuts="2">Grand Est</region><region type="old region" nuts="2">Lorraine (région)</region><settlement type="city">Vandœuvre-lès-Nancy</settlement></placeName><orgName type="university">Nancy-Université</orgName></affiliation></author><author><name sortKey="Kaczmarek, Matthieu" sort="Kaczmarek, Matthieu" uniqKey="Kaczmarek M" first="Matthieu" last="Kaczmarek">Matthieu Kaczmarek</name><affiliation wicri:level="4"><inist:fA14 i1="01"><s1>Nancy-Université, Loria, INPL, Ecole Nationale Supérieure des Mines de Nancy, B.P. 239</s1><s2>54506 Vandœuvre-lès-Nancy</s2><s3>FRA</s3><sZ>1 aut.</sZ><sZ>2 aut.</sZ><sZ>3 aut.</sZ></inist:fA14><country>France</country><placeName><region type="region" nuts="2">Grand Est</region><region type="old region" nuts="2">Lorraine (région)</region><settlement type="city">Vandœuvre-lès-Nancy</settlement></placeName><orgName type="university">Nancy-Université</orgName></affiliation></author><author><name sortKey="Marion, Jean Yves" sort="Marion, Jean Yves" uniqKey="Marion J" first="Jean-Yves" last="Marion">Jean-Yves Marion</name><affiliation wicri:level="4"><inist:fA14 i1="01"><s1>Nancy-Université, Loria, INPL, Ecole Nationale Supérieure des Mines de Nancy, B.P. 239</s1><s2>54506 Vandœuvre-lès-Nancy</s2><s3>FRA</s3><sZ>1 aut.</sZ><sZ>2 aut.</sZ><sZ>3 aut.</sZ></inist:fA14><country>France</country><placeName><region type="region" nuts="2">Grand Est</region><region type="old region" nuts="2">Lorraine (région)</region><settlement type="city">Vandœuvre-lès-Nancy</settlement></placeName><orgName type="university">Nancy-Université</orgName></affiliation></author></titleStmt><publicationStmt><idno type="wicri:source">INIST</idno><idno type="inist">10-0051671</idno><date when="2009">2009</date><idno type="stanalyst">PASCAL 10-0051671 INIST</idno><idno type="RBID">Pascal:10-0051671</idno><idno type="wicri:Area/PascalFrancis/Corpus">000244</idno><idno type="wicri:Area/PascalFrancis/Curation">000774</idno><idno type="wicri:Area/PascalFrancis/Checkpoint">000253</idno><idno type="wicri:explorRef" wicri:stream="PascalFrancis" wicri:step="Checkpoint">000253</idno></publicationStmt><sourceDesc><biblStruct><analytic><title xml:lang="en" level="a">Architecture of a morphological malware detector : EICAR 2008</title><author><name sortKey="Bonfante, Guillaume" sort="Bonfante, Guillaume" uniqKey="Bonfante G" first="Guillaume" last="Bonfante">Guillaume Bonfante</name><affiliation wicri:level="4"><inist:fA14 i1="01"><s1>Nancy-Université, Loria, INPL, Ecole Nationale Supérieure des Mines de Nancy, B.P. 239</s1><s2>54506 Vandœuvre-lès-Nancy</s2><s3>FRA</s3><sZ>1 aut.</sZ><sZ>2 aut.</sZ><sZ>3 aut.</sZ></inist:fA14><country>France</country><placeName><region type="region" nuts="2">Grand Est</region><region type="old region" nuts="2">Lorraine (région)</region><settlement type="city">Vandœuvre-lès-Nancy</settlement></placeName><orgName type="university">Nancy-Université</orgName></affiliation></author><author><name sortKey="Kaczmarek, Matthieu" sort="Kaczmarek, Matthieu" uniqKey="Kaczmarek M" first="Matthieu" last="Kaczmarek">Matthieu Kaczmarek</name><affiliation wicri:level="4"><inist:fA14 i1="01"><s1>Nancy-Université, Loria, INPL, Ecole Nationale Supérieure des Mines de Nancy, B.P. 239</s1><s2>54506 Vandœuvre-lès-Nancy</s2><s3>FRA</s3><sZ>1 aut.</sZ><sZ>2 aut.</sZ><sZ>3 aut.</sZ></inist:fA14><country>France</country><placeName><region type="region" nuts="2">Grand Est</region><region type="old region" nuts="2">Lorraine (région)</region><settlement type="city">Vandœuvre-lès-Nancy</settlement></placeName><orgName type="university">Nancy-Université</orgName></affiliation></author><author><name sortKey="Marion, Jean Yves" sort="Marion, Jean Yves" uniqKey="Marion J" first="Jean-Yves" last="Marion">Jean-Yves Marion</name><affiliation wicri:level="4"><inist:fA14 i1="01"><s1>Nancy-Université, Loria, INPL, Ecole Nationale Supérieure des Mines de Nancy, B.P. 239</s1><s2>54506 Vandœuvre-lès-Nancy</s2><s3>FRA</s3><sZ>1 aut.</sZ><sZ>2 aut.</sZ><sZ>3 aut.</sZ></inist:fA14><country>France</country><placeName><region type="region" nuts="2">Grand Est</region><region type="old region" nuts="2">Lorraine (région)</region><settlement type="city">Vandœuvre-lès-Nancy</settlement></placeName><orgName type="university">Nancy-Université</orgName></affiliation></author></analytic><series><title level="j" type="main">Journal in computer virology</title><title level="j" type="abbreviated">J. comput. virol.</title><idno type="ISSN">1772-9890</idno><imprint><date when="2009">2009</date></imprint></series></biblStruct></sourceDesc><seriesStmt><title level="j" type="main">Journal in computer virology</title><title level="j" type="abbreviated">J. comput. virol.</title><idno type="ISSN">1772-9890</idno></seriesStmt></fileDesc><profileDesc><textClass><keywords scheme="KwdEn" xml:lang="en"><term>Abstraction</term><term>Computer attack</term><term>Computer security</term><term>Graph transformation</term><term>Reverse engineering</term><term>Rewriting</term><term>Semantic analysis</term><term>Syntactic analysis</term><term>Tree automaton</term></keywords><keywords scheme="Pascal" xml:lang="fr"><term>Sécurité informatique</term><term>Analyse syntaxique</term><term>Attaque informatique</term><term>Analyse sémantique</term><term>Automate arbre</term><term>Rétroingénierie</term><term>Abstraction</term><term>Réécriture</term><term>Transformation graphe</term><term>.</term></keywords></textClass></profileDesc></teiHeader><front><div type="abstract" xml:lang="en">Most of malware detectors are based on syntactic signatures that identify known malicious programs. Up to now this architecture has been sufficiently efficient to overcome most of malware attacks. Nevertheless, the complexity of malicious codes still increase. As a result the time required to reverse engineer malicious programs and to forge new signatures is increasingly longer. This study proposes an efficient construction of a morphological malware detector, that is a detector which associates syntactic and semantic analysis. It aims at facilitating the task of malware analysts providing some abstraction on the signature representation which is based on control flow graphs. We build an efficient signature matching engine over tree automata techniques. Moreover we describe a generic graph rewriting engine in order to deal with classic mutations techniques. Finally, we provide a preliminary evaluation of the strategy detection carrying out experiments on a malware collection.</div></front></TEI><inist><standard h6="B"><pA><fA01 i1="01" i2="1"><s0>1772-9890</s0></fA01><fA03 i2="1"><s0>J. comput. virol.</s0></fA03><fA05><s2>5</s2></fA05><fA06><s2>3</s2></fA06><fA08 i1="01" i2="1" l="ENG"><s1>Architecture of a morphological malware detector : EICAR 2008</s1></fA08><fA11 i1="01" i2="1"><s1>BONFANTE (Guillaume)</s1></fA11><fA11 i1="02" i2="1"><s1>KACZMAREK (Matthieu)</s1></fA11><fA11 i1="03" i2="1"><s1>MARION (Jean-Yves)</s1></fA11><fA14 i1="01"><s1>Nancy-Université, Loria, INPL, Ecole Nationale Supérieure des Mines de Nancy, B.P. 239</s1><s2>54506 Vandœuvre-lès-Nancy</s2><s3>FRA</s3><sZ>1 aut.</sZ><sZ>2 aut.</sZ><sZ>3 aut.</sZ></fA14><fA20><s1>263-270</s1></fA20><fA21><s1>2009</s1></fA21><fA23 i1="01"><s0>ENG</s0></fA23><fA43 i1="01"><s1>INIST</s1><s2>27849</s2><s5>354000170957880070</s5></fA43><fA44><s0>0000</s0><s1>© 2010 INIST-CNRS. All rights reserved.</s1></fA44><fA45><s0>20 ref.</s0></fA45><fA47 i1="01" i2="1"><s0>10-0051671</s0></fA47><fA60><s1>P</s1></fA60><fA61><s0>A</s0></fA61><fA64 i1="01" i2="1"><s0>Journal in computer virology</s0></fA64><fA66 i1="01"><s0>FRA</s0></fA66><fC01 i1="01" l="ENG"><s0>Most of malware detectors are based on syntactic signatures that identify known malicious programs. Up to now this architecture has been sufficiently efficient to overcome most of malware attacks. Nevertheless, the complexity of malicious codes still increase. As a result the time required to reverse engineer malicious programs and to forge new signatures is increasingly longer. This study proposes an efficient construction of a morphological malware detector, that is a detector which associates syntactic and semantic analysis. It aims at facilitating the task of malware analysts providing some abstraction on the signature representation which is based on control flow graphs. We build an efficient signature matching engine over tree automata techniques. Moreover we describe a generic graph rewriting engine in order to deal with classic mutations techniques. Finally, we provide a preliminary evaluation of the strategy detection carrying out experiments on a malware collection.</s0></fC01><fC02 i1="01" i2="X"><s0>001D02B07C</s0></fC02><fC03 i1="01" i2="X" l="FRE"><s0>Sécurité informatique</s0><s5>06</s5></fC03><fC03 i1="01" i2="X" l="ENG"><s0>Computer security</s0><s5>06</s5></fC03><fC03 i1="01" i2="X" l="SPA"><s0>Seguridad informatica</s0><s5>06</s5></fC03><fC03 i1="02" i2="X" l="FRE"><s0>Analyse syntaxique</s0><s5>07</s5></fC03><fC03 i1="02" i2="X" l="ENG"><s0>Syntactic analysis</s0><s5>07</s5></fC03><fC03 i1="02" i2="X" l="SPA"><s0>Análisis sintáxico</s0><s5>07</s5></fC03><fC03 i1="03" i2="X" l="FRE"><s0>Attaque informatique</s0><s5>08</s5></fC03><fC03 i1="03" i2="X" l="ENG"><s0>Computer attack</s0><s5>08</s5></fC03><fC03 i1="03" i2="X" l="SPA"><s0>Ataque informática</s0><s5>08</s5></fC03><fC03 i1="04" i2="X" l="FRE"><s0>Analyse sémantique</s0><s5>09</s5></fC03><fC03 i1="04" i2="X" l="ENG"><s0>Semantic analysis</s0><s5>09</s5></fC03><fC03 i1="04" i2="X" l="SPA"><s0>Análisis semántico</s0><s5>09</s5></fC03><fC03 i1="05" i2="X" l="FRE"><s0>Automate arbre</s0><s5>10</s5></fC03><fC03 i1="05" i2="X" l="ENG"><s0>Tree automaton</s0><s5>10</s5></fC03><fC03 i1="05" i2="X" l="SPA"><s0>Autómata árbol</s0><s5>10</s5></fC03><fC03 i1="06" i2="X" l="FRE"><s0>Rétroingénierie</s0><s5>18</s5></fC03><fC03 i1="06" i2="X" l="ENG"><s0>Reverse engineering</s0><s5>18</s5></fC03><fC03 i1="06" i2="X" l="SPA"><s0>Ingeniera inversa</s0><s5>18</s5></fC03><fC03 i1="07" i2="X" l="FRE"><s0>Abstraction</s0><s5>19</s5></fC03><fC03 i1="07" i2="X" l="ENG"><s0>Abstraction</s0><s5>19</s5></fC03><fC03 i1="07" i2="X" l="SPA"><s0>Abstracción</s0><s5>19</s5></fC03><fC03 i1="08" i2="X" l="FRE"><s0>Réécriture</s0><s5>20</s5></fC03><fC03 i1="08" i2="X" l="ENG"><s0>Rewriting</s0><s5>20</s5></fC03><fC03 i1="08" i2="X" l="SPA"><s0>Reescritura</s0><s5>20</s5></fC03><fC03 i1="09" i2="X" l="FRE"><s0>Transformation graphe</s0><s5>23</s5></fC03><fC03 i1="09" i2="X" l="ENG"><s0>Graph transformation</s0><s5>23</s5></fC03><fC03 i1="09" i2="X" l="SPA"><s0>Transformación grafo</s0><s5>23</s5></fC03><fC03 i1="10" i2="X" l="FRE"><s0>.</s0><s4>INC</s4><s5>82</s5></fC03><fN21><s1>032</s1></fN21><fN44 i1="01"><s1>OTO</s1></fN44><fN82><s1>OTO</s1></fN82></pA></standard></inist><affiliations><list><country><li>France</li></country><region><li>Grand Est</li><li>Lorraine (région)</li></region><settlement><li>Vandœuvre-lès-Nancy</li></settlement><orgName><li>Nancy-Université</li></orgName></list><tree><country name="France"><region name="Grand Est"><name sortKey="Bonfante, Guillaume" sort="Bonfante, Guillaume" uniqKey="Bonfante G" first="Guillaume" last="Bonfante">Guillaume Bonfante</name></region><name sortKey="Kaczmarek, Matthieu" sort="Kaczmarek, Matthieu" uniqKey="Kaczmarek M" first="Matthieu" last="Kaczmarek">Matthieu Kaczmarek</name><name sortKey="Marion, Jean Yves" sort="Marion, Jean Yves" uniqKey="Marion J" first="Jean-Yves" last="Marion">Jean-Yves Marion</name></country></tree></affiliations></record>Pour manipuler ce document sous Unix (Dilib)
EXPLOR_STEP=$WICRI_ROOT/Wicri/Lorraine/explor/InforLorV4/Data/PascalFrancis/Checkpoint
HfdSelect -h $EXPLOR_STEP/biblio.hfd -nk 000253 | SxmlIndent | more
Ou
HfdSelect -h $EXPLOR_AREA/Data/PascalFrancis/Checkpoint/biblio.hfd -nk 000253 | SxmlIndent | more
Pour mettre un lien sur cette page dans le réseau Wicri
{{Explor lien
|wiki= Wicri/Lorraine
|area= InforLorV4
|flux= PascalFrancis
|étape= Checkpoint
|type= RBID
|clé= Pascal:10-0051671
|texte= Architecture of a morphological malware detector : EICAR 2008
}}
| This area was generated with Dilib version V0.6.33. |  |