Malware behaviour analysis
Identifieur interne : 000288 ( PascalFrancis/Corpus ); précédent : 000287; suivant : 000289Malware behaviour analysis
Auteurs : Gérard Wagener ; Radu State ; Alexandre DulaunoySource :
- Journal in computer virology [ 1772-9890 ] ; 2008.
Descripteurs français
- Pascal (Inist)
English descriptors
- KwdEn :
Abstract
Several malware analysis techniques suppose that the disassembled code of a piece of malware is available, which is however not always possible. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed which allows to classify malware behaviours. The main features of our approach reside in coupling a sequence alignment method to compute similarities and leverage the Hellinger distance to compute associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and evolution of malware. This is relevant when dealing with obfuscated malware variants that have often similar behaviour. The phylogenetic trees were assessed using known antivirus results and only a few malware behaviours were wrongly classified.
Notice en format standard (ISO 2709)
Pour connaître la documentation sur le format Inist Standard.
pA |
|
---|
Format Inist (serveur)
NO : | PASCAL 09-0007343 INIST |
---|---|
ET : | Malware behaviour analysis |
AU : | WAGENER (Gérard); STATE (Radu); DULAUNOY (Alexandre) |
AF : | LORIA-INRIA/Vandoeuvre/France (1 aut.); INRIA/Le Chesnay/France (2 aut.); CSRRT-LU/Luxembourg/Luxembourg (3 aut.) |
DT : | Publication en série; Niveau analytique |
SO : | Journal in computer virology; ISSN 1772-9890; France; Da. 2008; Vol. 4; No. 4; Pp. 279-287; Bibl. 28 ref. |
LA : | Anglais |
EA : | Several malware analysis techniques suppose that the disassembled code of a piece of malware is available, which is however not always possible. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed which allows to classify malware behaviours. The main features of our approach reside in coupling a sequence alignment method to compute similarities and leverage the Hellinger distance to compute associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and evolution of malware. This is relevant when dealing with obfuscated malware variants that have often similar behaviour. The phylogenetic trees were assessed using known antivirus results and only a few malware behaviours were wrongly classified. |
CC : | 001D02B07C; 001D02B07B |
FD : | Sécurité informatique; Similitude; Classification; Bioinformatique; Alignement séquence; Arbre phylogénétique |
ED : | Computer security; Similarity; Classification; Bioinformatics; Sequence alignment; Phylogenetic tree |
SD : | Seguridad informatica; Similitud; Clasificación; Bioinformática; Alineación secuencia; Arbol filogenético |
LO : | INIST-27849.354000183872830020 |
ID : | 09-0007343 |
Links to Exploration step
Pascal:09-0007343Le document en format XML
<record><TEI><teiHeader><fileDesc><titleStmt><title xml:lang="en" level="a">Malware behaviour analysis</title>
<author><name sortKey="Wagener, Gerard" sort="Wagener, Gerard" uniqKey="Wagener G" first="Gérard" last="Wagener">Gérard Wagener</name>
<affiliation><inist:fA14 i1="01"><s1>LORIA-INRIA</s1>
<s2>Vandoeuvre</s2>
<s3>FRA</s3>
<sZ>1 aut.</sZ>
</inist:fA14>
</affiliation>
</author>
<author><name sortKey="State, Radu" sort="State, Radu" uniqKey="State R" first="Radu" last="State">Radu State</name>
<affiliation><inist:fA14 i1="02"><s1>INRIA</s1>
<s2>Le Chesnay</s2>
<s3>FRA</s3>
<sZ>2 aut.</sZ>
</inist:fA14>
</affiliation>
</author>
<author><name sortKey="Dulaunoy, Alexandre" sort="Dulaunoy, Alexandre" uniqKey="Dulaunoy A" first="Alexandre" last="Dulaunoy">Alexandre Dulaunoy</name>
<affiliation><inist:fA14 i1="03"><s1>CSRRT-LU</s1>
<s2>Luxembourg</s2>
<s3>LUX</s3>
<sZ>3 aut.</sZ>
</inist:fA14>
</affiliation>
</author>
</titleStmt>
<publicationStmt><idno type="wicri:source">INIST</idno>
<idno type="inist">09-0007343</idno>
<date when="2008">2008</date>
<idno type="stanalyst">PASCAL 09-0007343 INIST</idno>
<idno type="RBID">Pascal:09-0007343</idno>
<idno type="wicri:Area/PascalFrancis/Corpus">000288</idno>
</publicationStmt>
<sourceDesc><biblStruct><analytic><title xml:lang="en" level="a">Malware behaviour analysis</title>
<author><name sortKey="Wagener, Gerard" sort="Wagener, Gerard" uniqKey="Wagener G" first="Gérard" last="Wagener">Gérard Wagener</name>
<affiliation><inist:fA14 i1="01"><s1>LORIA-INRIA</s1>
<s2>Vandoeuvre</s2>
<s3>FRA</s3>
<sZ>1 aut.</sZ>
</inist:fA14>
</affiliation>
</author>
<author><name sortKey="State, Radu" sort="State, Radu" uniqKey="State R" first="Radu" last="State">Radu State</name>
<affiliation><inist:fA14 i1="02"><s1>INRIA</s1>
<s2>Le Chesnay</s2>
<s3>FRA</s3>
<sZ>2 aut.</sZ>
</inist:fA14>
</affiliation>
</author>
<author><name sortKey="Dulaunoy, Alexandre" sort="Dulaunoy, Alexandre" uniqKey="Dulaunoy A" first="Alexandre" last="Dulaunoy">Alexandre Dulaunoy</name>
<affiliation><inist:fA14 i1="03"><s1>CSRRT-LU</s1>
<s2>Luxembourg</s2>
<s3>LUX</s3>
<sZ>3 aut.</sZ>
</inist:fA14>
</affiliation>
</author>
</analytic>
<series><title level="j" type="main">Journal in computer virology</title>
<title level="j" type="abbreviated">J. comput. virol.</title>
<idno type="ISSN">1772-9890</idno>
<imprint><date when="2008">2008</date>
</imprint>
</series>
</biblStruct>
</sourceDesc>
<seriesStmt><title level="j" type="main">Journal in computer virology</title>
<title level="j" type="abbreviated">J. comput. virol.</title>
<idno type="ISSN">1772-9890</idno>
</seriesStmt>
</fileDesc>
<profileDesc><textClass><keywords scheme="KwdEn" xml:lang="en"><term>Bioinformatics</term>
<term>Classification</term>
<term>Computer security</term>
<term>Phylogenetic tree</term>
<term>Sequence alignment</term>
<term>Similarity</term>
</keywords>
<keywords scheme="Pascal" xml:lang="fr"><term>Sécurité informatique</term>
<term>Similitude</term>
<term>Classification</term>
<term>Bioinformatique</term>
<term>Alignement séquence</term>
<term>Arbre phylogénétique</term>
</keywords>
</textClass>
</profileDesc>
</teiHeader>
<front><div type="abstract" xml:lang="en">Several malware analysis techniques suppose that the disassembled code of a piece of malware is available, which is however not always possible. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed which allows to classify malware behaviours. The main features of our approach reside in coupling a sequence alignment method to compute similarities and leverage the Hellinger distance to compute associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and evolution of malware. This is relevant when dealing with obfuscated malware variants that have often similar behaviour. The phylogenetic trees were assessed using known antivirus results and only a few malware behaviours were wrongly classified.</div>
</front>
</TEI>
<inist><standard h6="B"><pA><fA01 i1="01" i2="1"><s0>1772-9890</s0>
</fA01>
<fA03 i2="1"><s0>J. comput. virol.</s0>
</fA03>
<fA05><s2>4</s2>
</fA05>
<fA06><s2>4</s2>
</fA06>
<fA08 i1="01" i2="1" l="ENG"><s1>Malware behaviour analysis</s1>
</fA08>
<fA11 i1="01" i2="1"><s1>WAGENER (Gérard)</s1>
</fA11>
<fA11 i1="02" i2="1"><s1>STATE (Radu)</s1>
</fA11>
<fA11 i1="03" i2="1"><s1>DULAUNOY (Alexandre)</s1>
</fA11>
<fA14 i1="01"><s1>LORIA-INRIA</s1>
<s2>Vandoeuvre</s2>
<s3>FRA</s3>
<sZ>1 aut.</sZ>
</fA14>
<fA14 i1="02"><s1>INRIA</s1>
<s2>Le Chesnay</s2>
<s3>FRA</s3>
<sZ>2 aut.</sZ>
</fA14>
<fA14 i1="03"><s1>CSRRT-LU</s1>
<s2>Luxembourg</s2>
<s3>LUX</s3>
<sZ>3 aut.</sZ>
</fA14>
<fA20><s1>279-287</s1>
</fA20>
<fA21><s1>2008</s1>
</fA21>
<fA23 i1="01"><s0>ENG</s0>
</fA23>
<fA43 i1="01"><s1>INIST</s1>
<s2>27849</s2>
<s5>354000183872830020</s5>
</fA43>
<fA44><s0>0000</s0>
<s1>© 2009 INIST-CNRS. All rights reserved.</s1>
</fA44>
<fA45><s0>28 ref.</s0>
</fA45>
<fA47 i1="01" i2="1"><s0>09-0007343</s0>
</fA47>
<fA60><s1>P</s1>
</fA60>
<fA61><s0>A</s0>
</fA61>
<fA64 i1="01" i2="1"><s0>Journal in computer virology</s0>
</fA64>
<fA66 i1="01"><s0>FRA</s0>
</fA66>
<fC01 i1="01" l="ENG"><s0>Several malware analysis techniques suppose that the disassembled code of a piece of malware is available, which is however not always possible. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed which allows to classify malware behaviours. The main features of our approach reside in coupling a sequence alignment method to compute similarities and leverage the Hellinger distance to compute associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and evolution of malware. This is relevant when dealing with obfuscated malware variants that have often similar behaviour. The phylogenetic trees were assessed using known antivirus results and only a few malware behaviours were wrongly classified.</s0>
</fC01>
<fC02 i1="01" i2="X"><s0>001D02B07C</s0>
</fC02>
<fC02 i1="02" i2="X"><s0>001D02B07B</s0>
</fC02>
<fC03 i1="01" i2="X" l="FRE"><s0>Sécurité informatique</s0>
<s5>06</s5>
</fC03>
<fC03 i1="01" i2="X" l="ENG"><s0>Computer security</s0>
<s5>06</s5>
</fC03>
<fC03 i1="01" i2="X" l="SPA"><s0>Seguridad informatica</s0>
<s5>06</s5>
</fC03>
<fC03 i1="02" i2="X" l="FRE"><s0>Similitude</s0>
<s5>07</s5>
</fC03>
<fC03 i1="02" i2="X" l="ENG"><s0>Similarity</s0>
<s5>07</s5>
</fC03>
<fC03 i1="02" i2="X" l="SPA"><s0>Similitud</s0>
<s5>07</s5>
</fC03>
<fC03 i1="03" i2="X" l="FRE"><s0>Classification</s0>
<s5>08</s5>
</fC03>
<fC03 i1="03" i2="X" l="ENG"><s0>Classification</s0>
<s5>08</s5>
</fC03>
<fC03 i1="03" i2="X" l="SPA"><s0>Clasificación</s0>
<s5>08</s5>
</fC03>
<fC03 i1="04" i2="X" l="FRE"><s0>Bioinformatique</s0>
<s5>09</s5>
</fC03>
<fC03 i1="04" i2="X" l="ENG"><s0>Bioinformatics</s0>
<s5>09</s5>
</fC03>
<fC03 i1="04" i2="X" l="SPA"><s0>Bioinformática</s0>
<s5>09</s5>
</fC03>
<fC03 i1="05" i2="X" l="FRE"><s0>Alignement séquence</s0>
<s5>18</s5>
</fC03>
<fC03 i1="05" i2="X" l="ENG"><s0>Sequence alignment</s0>
<s5>18</s5>
</fC03>
<fC03 i1="05" i2="X" l="SPA"><s0>Alineación secuencia</s0>
<s5>18</s5>
</fC03>
<fC03 i1="06" i2="X" l="FRE"><s0>Arbre phylogénétique</s0>
<s5>19</s5>
</fC03>
<fC03 i1="06" i2="X" l="ENG"><s0>Phylogenetic tree</s0>
<s5>19</s5>
</fC03>
<fC03 i1="06" i2="X" l="SPA"><s0>Arbol filogenético</s0>
<s5>19</s5>
</fC03>
<fN21><s1>004</s1>
</fN21>
<fN44 i1="01"><s1>OTO</s1>
</fN44>
<fN82><s1>OTO</s1>
</fN82>
</pA>
</standard>
<server><NO>PASCAL 09-0007343 INIST</NO>
<ET>Malware behaviour analysis</ET>
<AU>WAGENER (Gérard); STATE (Radu); DULAUNOY (Alexandre)</AU>
<AF>LORIA-INRIA/Vandoeuvre/France (1 aut.); INRIA/Le Chesnay/France (2 aut.); CSRRT-LU/Luxembourg/Luxembourg (3 aut.)</AF>
<DT>Publication en série; Niveau analytique</DT>
<SO>Journal in computer virology; ISSN 1772-9890; France; Da. 2008; Vol. 4; No. 4; Pp. 279-287; Bibl. 28 ref.</SO>
<LA>Anglais</LA>
<EA>Several malware analysis techniques suppose that the disassembled code of a piece of malware is available, which is however not always possible. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed which allows to classify malware behaviours. The main features of our approach reside in coupling a sequence alignment method to compute similarities and leverage the Hellinger distance to compute associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and evolution of malware. This is relevant when dealing with obfuscated malware variants that have often similar behaviour. The phylogenetic trees were assessed using known antivirus results and only a few malware behaviours were wrongly classified.</EA>
<CC>001D02B07C; 001D02B07B</CC>
<FD>Sécurité informatique; Similitude; Classification; Bioinformatique; Alignement séquence; Arbre phylogénétique</FD>
<ED>Computer security; Similarity; Classification; Bioinformatics; Sequence alignment; Phylogenetic tree</ED>
<SD>Seguridad informatica; Similitud; Clasificación; Bioinformática; Alineación secuencia; Arbol filogenético</SD>
<LO>INIST-27849.354000183872830020</LO>
<ID>09-0007343</ID>
</server>
</inist>
</record>
Pour manipuler ce document sous Unix (Dilib)
EXPLOR_STEP=$WICRI_ROOT/Wicri/Lorraine/explor/InforLorV4/Data/PascalFrancis/Corpus
HfdSelect -h $EXPLOR_STEP/biblio.hfd -nk 000288 | SxmlIndent | more
Ou
HfdSelect -h $EXPLOR_AREA/Data/PascalFrancis/Corpus/biblio.hfd -nk 000288 | SxmlIndent | more
Pour mettre un lien sur cette page dans le réseau Wicri
{{Explor lien |wiki= Wicri/Lorraine |area= InforLorV4 |flux= PascalFrancis |étape= Corpus |type= RBID |clé= Pascal:09-0007343 |texte= Malware behaviour analysis }}
This area was generated with Dilib version V0.6.33. |