InforLorV4, PascalFrancis, Corpus, bibRecord, 000288

Malware behaviour analysis

Identifieur interne : 000288 ( PascalFrancis/Corpus ); précédent : 000287; suivant : 000289

Malware behaviour analysis

Auteurs : Gérard Wagener ; Radu State ; Alexandre Dulaunoy

Source :

Journal in computer virology [ 1772-9890 ] ; 2008.

RBID : Pascal:09-0007343

Descripteurs français

Pascal (Inist)
- Sécurité informatique, Similitude, Classification, Bioinformatique, Alignement séquence, Arbre phylogénétique.

English descriptors

KwdEn :
- Bioinformatics, Classification, Computer security, Phylogenetic tree, Sequence alignment, Similarity.

Abstract

Several malware analysis techniques suppose that the disassembled code of a piece of malware is available, which is however not always possible. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed which allows to classify malware behaviours. The main features of our approach reside in coupling a sequence alignment method to compute similarities and leverage the Hellinger distance to compute associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and evolution of malware. This is relevant when dealing with obfuscated malware variants that have often similar behaviour. The phylogenetic trees were assessed using known antivirus results and only a few malware behaviours were wrongly classified.

Notice en format standard (ISO 2709)

Pour connaître la documentation sur le format Inist Standard.

A01	`01`	`1`		`@0 1772-9890`
A03		`1`		`@0 J. comput. virol.`
A05				`@2 4`
A06				`@2 4`
A08	`01`	`1`	`ENG`	`@1 Malware behaviour analysis`
A11	`01`	`1`		`@1 WAGENER (Gérard)`
A11	`02`	`1`		`@1 STATE (Radu)`
A11	`03`	`1`		`@1 DULAUNOY (Alexandre)`
A14	`01`			`@1 LORIA-INRIA @2 Vandoeuvre @3 FRA @Z 1 aut.`
A14	`02`			`@1 INRIA @2 Le Chesnay @3 FRA @Z 2 aut.`
A14	`03`			`@1 CSRRT-LU @2 Luxembourg @3 LUX @Z 3 aut.`
A20				`@1 279-287`
A21				`@1 2008`
A23	`01`			`@0 ENG`
A43	`01`			`@1 INIST @2 27849 @5 354000183872830020`
A44				`@0 0000 @1 © 2009 INIST-CNRS. All rights reserved.`
A45				`@0 28 ref.`
A47	`01`	`1`		`@0 09-0007343`
A60				`@1 P`
A61				`@0 A`
A64	`01`	`1`		`@0 Journal in computer virology`
A66	`01`			`@0 FRA`
C01	`01`		`ENG`	@0 Several malware analysis techniques suppose that the disassembled code of a piece of malware is available, which is however not always possible. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed which allows to classify malware behaviours. The main features of our approach reside in coupling a sequence alignment method to compute similarities and leverage the Hellinger distance to compute associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and evolution of malware. This is relevant when dealing with obfuscated malware variants that have often similar behaviour. The phylogenetic trees were assessed using known antivirus results and only a few malware behaviours were wrongly classified.
C02	`01`	`X`		`@0 001D02B07C`
C02	`02`	`X`		`@0 001D02B07B`
C03	`01`	`X`	`FRE`	`@0 Sécurité informatique @5 06`
C03	`01`	`X`	`ENG`	`@0 Computer security @5 06`
C03	`01`	`X`	`SPA`	`@0 Seguridad informatica @5 06`
C03	`02`	`X`	`FRE`	`@0 Similitude @5 07`
C03	`02`	`X`	`ENG`	`@0 Similarity @5 07`
C03	`02`	`X`	`SPA`	`@0 Similitud @5 07`
C03	`03`	`X`	`FRE`	`@0 Classification @5 08`
C03	`03`	`X`	`ENG`	`@0 Classification @5 08`
C03	`03`	`X`	`SPA`	`@0 Clasificación @5 08`
C03	`04`	`X`	`FRE`	`@0 Bioinformatique @5 09`
C03	`04`	`X`	`ENG`	`@0 Bioinformatics @5 09`
C03	`04`	`X`	`SPA`	`@0 Bioinformática @5 09`
C03	`05`	`X`	`FRE`	`@0 Alignement séquence @5 18`
C03	`05`	`X`	`ENG`	`@0 Sequence alignment @5 18`
C03	`05`	`X`	`SPA`	`@0 Alineación secuencia @5 18`
C03	`06`	`X`	`FRE`	`@0 Arbre phylogénétique @5 19`
C03	`06`	`X`	`ENG`	`@0 Phylogenetic tree @5 19`
C03	`06`	`X`	`SPA`	`@0 Arbol filogenético @5 19`
N21				`@1 004`
N44	`01`			`@1 OTO`
N82				`@1 OTO`

Format Inist (serveur)

NO :	PASCAL 09-0007343 INIST
ET :	Malware behaviour analysis
AU :	WAGENER (Gérard); STATE (Radu); DULAUNOY (Alexandre)
AF :	LORIA-INRIA/Vandoeuvre/France (1 aut.); INRIA/Le Chesnay/France (2 aut.); CSRRT-LU/Luxembourg/Luxembourg (3 aut.)
DT :	Publication en série; Niveau analytique
SO :	Journal in computer virology; ISSN 1772-9890; France; Da. 2008; Vol. 4; No. 4; Pp. 279-287; Bibl. 28 ref.
LA :	Anglais
EA :	Several malware analysis techniques suppose that the disassembled code of a piece of malware is available, which is however not always possible. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed which allows to classify malware behaviours. The main features of our approach reside in coupling a sequence alignment method to compute similarities and leverage the Hellinger distance to compute associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and evolution of malware. This is relevant when dealing with obfuscated malware variants that have often similar behaviour. The phylogenetic trees were assessed using known antivirus results and only a few malware behaviours were wrongly classified.
CC :	001D02B07C; 001D02B07B
FD :	Sécurité informatique; Similitude; Classification; Bioinformatique; Alignement séquence; Arbre phylogénétique
ED :	Computer security; Similarity; Classification; Bioinformatics; Sequence alignment; Phylogenetic tree
SD :	Seguridad informatica; Similitud; Clasificación; Bioinformática; Alineación secuencia; Arbol filogenético
LO :	INIST-27849.354000183872830020
ID :	09-0007343

Links to Exploration step

Pascal:09-0007343

Le document en format XML

<record><TEI><teiHeader><fileDesc><titleStmt><title xml:lang="en" level="a">Malware behaviour analysis</title>
<author><name sortKey="Wagener, Gerard" sort="Wagener, Gerard" uniqKey="Wagener G" first="Gérard" last="Wagener">Gérard Wagener</name>
<affiliation><inist:fA14 i1="01"><s1>LORIA-INRIA</s1>
<s2>Vandoeuvre</s2>
<s3>FRA</s3>
<sZ>1 aut.</sZ>
</inist:fA14>
</affiliation>
</author>
<author><name sortKey="State, Radu" sort="State, Radu" uniqKey="State R" first="Radu" last="State">Radu State</name>
<affiliation><inist:fA14 i1="02"><s1>INRIA</s1>
<s2>Le Chesnay</s2>
<s3>FRA</s3>
<sZ>2 aut.</sZ>
</inist:fA14>
</affiliation>
</author>
<author><name sortKey="Dulaunoy, Alexandre" sort="Dulaunoy, Alexandre" uniqKey="Dulaunoy A" first="Alexandre" last="Dulaunoy">Alexandre Dulaunoy</name>
<affiliation><inist:fA14 i1="03"><s1>CSRRT-LU</s1>
<s2>Luxembourg</s2>
<s3>LUX</s3>
<sZ>3 aut.</sZ>
</inist:fA14>
</affiliation>
</author>
</titleStmt>
<publicationStmt><idno type="wicri:source">INIST</idno>
<idno type="inist">09-0007343</idno>
<date when="2008">2008</date>
<idno type="stanalyst">PASCAL 09-0007343 INIST</idno>
<idno type="RBID">Pascal:09-0007343</idno>
<idno type="wicri:Area/PascalFrancis/Corpus">000288</idno>
</publicationStmt>
<sourceDesc><biblStruct><analytic><title xml:lang="en" level="a">Malware behaviour analysis</title>
<author><name sortKey="Wagener, Gerard" sort="Wagener, Gerard" uniqKey="Wagener G" first="Gérard" last="Wagener">Gérard Wagener</name>
<affiliation><inist:fA14 i1="01"><s1>LORIA-INRIA</s1>
<s2>Vandoeuvre</s2>
<s3>FRA</s3>
<sZ>1 aut.</sZ>
</inist:fA14>
</affiliation>
</author>
<author><name sortKey="State, Radu" sort="State, Radu" uniqKey="State R" first="Radu" last="State">Radu State</name>
<affiliation><inist:fA14 i1="02"><s1>INRIA</s1>
<s2>Le Chesnay</s2>
<s3>FRA</s3>
<sZ>2 aut.</sZ>
</inist:fA14>
</affiliation>
</author>
<author><name sortKey="Dulaunoy, Alexandre" sort="Dulaunoy, Alexandre" uniqKey="Dulaunoy A" first="Alexandre" last="Dulaunoy">Alexandre Dulaunoy</name>
<affiliation><inist:fA14 i1="03"><s1>CSRRT-LU</s1>
<s2>Luxembourg</s2>
<s3>LUX</s3>
<sZ>3 aut.</sZ>
</inist:fA14>
</affiliation>
</author>
</analytic>
<series><title level="j" type="main">Journal in computer virology</title>
<title level="j" type="abbreviated">J. comput. virol.</title>
<idno type="ISSN">1772-9890</idno>
<imprint><date when="2008">2008</date>
</imprint>
</series>
</biblStruct>
</sourceDesc>
<seriesStmt><title level="j" type="main">Journal in computer virology</title>
<title level="j" type="abbreviated">J. comput. virol.</title>
<idno type="ISSN">1772-9890</idno>
</seriesStmt>
</fileDesc>
<profileDesc><textClass><keywords scheme="KwdEn" xml:lang="en"><term>Bioinformatics</term>
<term>Classification</term>
<term>Computer security</term>
<term>Phylogenetic tree</term>
<term>Sequence alignment</term>
<term>Similarity</term>
</keywords>
<keywords scheme="Pascal" xml:lang="fr"><term>Sécurité informatique</term>
<term>Similitude</term>
<term>Classification</term>
<term>Bioinformatique</term>
<term>Alignement séquence</term>
<term>Arbre phylogénétique</term>
</keywords>
</textClass>
</profileDesc>
</teiHeader>
<front><div type="abstract" xml:lang="en">Several malware analysis techniques suppose that the disassembled code of a piece of malware is available, which is however not always possible. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed which allows to classify malware behaviours. The main features of our approach reside in coupling a sequence alignment method to compute similarities and leverage the Hellinger distance to compute associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and evolution of malware. This is relevant when dealing with obfuscated malware variants that have often similar behaviour. The phylogenetic trees were assessed using known antivirus results and only a few malware behaviours were wrongly classified.</div>
</front>
</TEI>
<inist><standard h6="B"><pA><fA01 i1="01" i2="1"><s0>1772-9890</s0>
</fA01>
<fA03 i2="1"><s0>J. comput. virol.</s0>
</fA03>
<fA05><s2>4</s2>
</fA05>
<fA06><s2>4</s2>
</fA06>
<fA08 i1="01" i2="1" l="ENG"><s1>Malware behaviour analysis</s1>
</fA08>
<fA11 i1="01" i2="1"><s1>WAGENER (Gérard)</s1>
</fA11>
<fA11 i1="02" i2="1"><s1>STATE (Radu)</s1>
</fA11>
<fA11 i1="03" i2="1"><s1>DULAUNOY (Alexandre)</s1>
</fA11>
<fA14 i1="01"><s1>LORIA-INRIA</s1>
<s2>Vandoeuvre</s2>
<s3>FRA</s3>
<sZ>1 aut.</sZ>
</fA14>
<fA14 i1="02"><s1>INRIA</s1>
<s2>Le Chesnay</s2>
<s3>FRA</s3>
<sZ>2 aut.</sZ>
</fA14>
<fA14 i1="03"><s1>CSRRT-LU</s1>
<s2>Luxembourg</s2>
<s3>LUX</s3>
<sZ>3 aut.</sZ>
</fA14>
<fA20><s1>279-287</s1>
</fA20>
<fA21><s1>2008</s1>
</fA21>
<fA23 i1="01"><s0>ENG</s0>
</fA23>
<fA43 i1="01"><s1>INIST</s1>
<s2>27849</s2>
<s5>354000183872830020</s5>
</fA43>
<fA44><s0>0000</s0>
<s1>© 2009 INIST-CNRS. All rights reserved.</s1>
</fA44>
<fA45><s0>28 ref.</s0>
</fA45>
<fA47 i1="01" i2="1"><s0>09-0007343</s0>
</fA47>
<fA60><s1>P</s1>
</fA60>
<fA61><s0>A</s0>
</fA61>
<fA64 i1="01" i2="1"><s0>Journal in computer virology</s0>
</fA64>
<fA66 i1="01"><s0>FRA</s0>
</fA66>
<fC01 i1="01" l="ENG"><s0>Several malware analysis techniques suppose that the disassembled code of a piece of malware is available, which is however not always possible. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed which allows to classify malware behaviours. The main features of our approach reside in coupling a sequence alignment method to compute similarities and leverage the Hellinger distance to compute associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and evolution of malware. This is relevant when dealing with obfuscated malware variants that have often similar behaviour. The phylogenetic trees were assessed using known antivirus results and only a few malware behaviours were wrongly classified.</s0>
</fC01>
<fC02 i1="01" i2="X"><s0>001D02B07C</s0>
</fC02>
<fC02 i1="02" i2="X"><s0>001D02B07B</s0>
</fC02>
<fC03 i1="01" i2="X" l="FRE"><s0>Sécurité informatique</s0>
<s5>06</s5>
</fC03>
<fC03 i1="01" i2="X" l="ENG"><s0>Computer security</s0>
<s5>06</s5>
</fC03>
<fC03 i1="01" i2="X" l="SPA"><s0>Seguridad informatica</s0>
<s5>06</s5>
</fC03>
<fC03 i1="02" i2="X" l="FRE"><s0>Similitude</s0>
<s5>07</s5>
</fC03>
<fC03 i1="02" i2="X" l="ENG"><s0>Similarity</s0>
<s5>07</s5>
</fC03>
<fC03 i1="02" i2="X" l="SPA"><s0>Similitud</s0>
<s5>07</s5>
</fC03>
<fC03 i1="03" i2="X" l="FRE"><s0>Classification</s0>
<s5>08</s5>
</fC03>
<fC03 i1="03" i2="X" l="ENG"><s0>Classification</s0>
<s5>08</s5>
</fC03>
<fC03 i1="03" i2="X" l="SPA"><s0>Clasificación</s0>
<s5>08</s5>
</fC03>
<fC03 i1="04" i2="X" l="FRE"><s0>Bioinformatique</s0>
<s5>09</s5>
</fC03>
<fC03 i1="04" i2="X" l="ENG"><s0>Bioinformatics</s0>
<s5>09</s5>
</fC03>
<fC03 i1="04" i2="X" l="SPA"><s0>Bioinformática</s0>
<s5>09</s5>
</fC03>
<fC03 i1="05" i2="X" l="FRE"><s0>Alignement séquence</s0>
<s5>18</s5>
</fC03>
<fC03 i1="05" i2="X" l="ENG"><s0>Sequence alignment</s0>
<s5>18</s5>
</fC03>
<fC03 i1="05" i2="X" l="SPA"><s0>Alineación secuencia</s0>
<s5>18</s5>
</fC03>
<fC03 i1="06" i2="X" l="FRE"><s0>Arbre phylogénétique</s0>
<s5>19</s5>
</fC03>
<fC03 i1="06" i2="X" l="ENG"><s0>Phylogenetic tree</s0>
<s5>19</s5>
</fC03>
<fC03 i1="06" i2="X" l="SPA"><s0>Arbol filogenético</s0>
<s5>19</s5>
</fC03>
<fN21><s1>004</s1>
</fN21>
<fN44 i1="01"><s1>OTO</s1>
</fN44>
<fN82><s1>OTO</s1>
</fN82>
</pA>
</standard>
<server><NO>PASCAL 09-0007343 INIST</NO>
<ET>Malware behaviour analysis</ET>
<AU>WAGENER (Gérard); STATE (Radu); DULAUNOY (Alexandre)</AU>
<AF>LORIA-INRIA/Vandoeuvre/France (1 aut.); INRIA/Le Chesnay/France (2 aut.); CSRRT-LU/Luxembourg/Luxembourg (3 aut.)</AF>
<DT>Publication en série; Niveau analytique</DT>
<SO>Journal in computer virology; ISSN 1772-9890; France; Da. 2008; Vol. 4; No. 4; Pp. 279-287; Bibl. 28 ref.</SO>
<LA>Anglais</LA>
<EA>Several malware analysis techniques suppose that the disassembled code of a piece of malware is available, which is however not always possible. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed which allows to classify malware behaviours. The main features of our approach reside in coupling a sequence alignment method to compute similarities and leverage the Hellinger distance to compute associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and evolution of malware. This is relevant when dealing with obfuscated malware variants that have often similar behaviour. The phylogenetic trees were assessed using known antivirus results and only a few malware behaviours were wrongly classified.</EA>
<CC>001D02B07C; 001D02B07B</CC>
<FD>Sécurité informatique; Similitude; Classification; Bioinformatique; Alignement séquence; Arbre phylogénétique</FD>
<ED>Computer security; Similarity; Classification; Bioinformatics; Sequence alignment; Phylogenetic tree</ED>
<SD>Seguridad informatica; Similitud; Clasificación; Bioinformática; Alineación secuencia; Arbol filogenético</SD>
<LO>INIST-27849.354000183872830020</LO>
<ID>09-0007343</ID>
</server>
</inist>
</record>

Pour manipuler ce document sous Unix (Dilib)

EXPLOR_STEP=$WICRI_ROOT/Wicri/Lorraine/explor/InforLorV4/Data/PascalFrancis/Corpus

HfdSelect -h $EXPLOR_STEP/biblio.hfd -nk 000288 | SxmlIndent | more

HfdSelect -h $EXPLOR_AREA/Data/PascalFrancis/Corpus/biblio.hfd -nk 000288 | SxmlIndent | more

Pour mettre un lien sur cette page dans le réseau Wicri

{{Explor lien
   |wiki=    Wicri/Lorraine
   |area=    InforLorV4
   |flux=    PascalFrancis
   |étape=   Corpus
   |type=    RBID
   |clé=     Pascal:09-0007343
   |texte=   Malware behaviour analysis
}}

This area was generated with Dilib version V0.6.33.
Data generation: Mon Jun 10 21:56:28 2019. Site generation: Fri Feb 25 15:29:27 2022

	Serveur d'exploration sur la recherche en informatique en Lorraine
	Attention, ce site est en cours de développement ! Attention, site généré par des moyens informatiques à partir de corpus bruts. Les informations ne sont donc pas validées.

Serveur d'exploration sur la recherche en informatique en Lorraine

Malware behaviour analysis

Malware behaviour analysis

Source :

Descripteurs français

English descriptors

Abstract

Notice en format standard (ISO 2709)

Format Inist (serveur)

Links to Exploration step

Le document en format XML

Pour manipuler ce document sous Unix (Dilib)

Pour mettre un lien sur cette page dans le réseau Wicri