Estruturas Virtuais e Diferenciação de Vértices em Grafos de Dependência para Detecção de Malware Metamórfico
Abstract
This paper presents a methodology for identifying metamorphic malware based on the comparison of dependency graphs stored in a reference. On the strength of the structural differentiation of the vertices and the addition of virtual structures, the proposed methodology is able to identify and eliminate non-relevant elements of the original reference graph, reducing the size of the reference database and improving the results obtained during the comparison of the graphs. To validate this, is presented the comparison of results generated by the proposed approach with those from a reference method in the identification of W32.Evol and W32.Polip metamorphic malwares.
References
Baker, W. Hutton, A. Hylender, C. D. Pamula, J. Porter, C. e Spitler, M. (2011). 2011 data breach investigations report. Verizon RISK Team. [link].
Bomze, I. M. Budinich, M. Paradalos, P. M. e Pelillo, M. (1999). “The maximum clique problem”. Handbook of combinatorial optimization. Springer US, p. 1-74.
Borello, J. e Mé, L. (2008). “Code obfuscation techniques for metamorphic viruses”, Journal in Computer Virology, vol. 4, núm. 3, pág. 211-220.
Bruschi, D. Martignoni, L. e Monga, M. (2007). "Code Normalization for Self-Mutating Malware", IEEE Security & Privacy, v. 5, n. 2, p. 46-54.
Conte, D. Foggia, P. e Vento, M. (2007). “Challenging Complexity of Maximum Common Subgraph Detection Algorithms: A Performance Analysis of Three Algorithms on a Wide Database of Graphs”,J. Graph Algorithms Appl, v. 11,n. 1, p. 99-143.
Cozzolino, M. Martins, G. Souto, E. e Deus, F. (2012). “Detecção de Variações de Malware Polimórfico por Meio de Normalização de Código e Identificação de Subfluxos”, Anais do XII Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais. Curitiba. Sociedade Brasileira de Computação, p. 30-43.
Ferrante, J. Ottenstein, K. J. e Warren, J. D. (1987). “The program dependence graph and its use in optimization”, ACM Transactions on Programming Languages and Systems (TOPLAS), v. 9, n. 3, p. 319-349.
Floyd, R. (1962). “Algorithm 97: shortest path”. Communications of the ACM 5.6, 5:345.
Garey, M. R. e Johnson, D. (1979). “Computers and Intractability: A Guide to the Theory of NPCompleteness”, W. H. Freeman & Co.
Griffin, K. Schneider, S. Hu, X. e Chiueh, T. C. (2009). “Automatic Generation of String Signatures for Malware Detection”. Proceedings of the 12th Symposium on Recent Advances in Intrusion Detection (RAID2009 ), Brittany, França, p. 101-120.
Hsiao, S.-W. Sun, Y. S. Chen, M. C. e Zhang, H. (2010). "Behavior Profiling for Robust Anomaly Detection," IEEE International Conference on Wireless Communications, Networking and Information Security, p. 465-471.
Hu, X. Chiueh, T.-c. e Shin, KG. (2009). “Large-scale malware indexing using function-call graphs”. Proceedings of the 16th ACM conference on Computer and communications security, p. 611-620.
Jacob, G. Debar, H. e Filiol, E. (2009). “Malware Detection using Attribute-Automata to parse Abstract Behavioral Descriptions”, CoRR, abs/0902.0322.
Karin, A. (2006). “Automatic Malware Signature Generation”. 16 de Outubro, 2006. Disponível em http://web.it.kth.se/~cschulte/teaching/theses/ICT-ECS-2006-122.pdf.
Kim, K. e Moon, B. (2010). “Malware Detection based on Dependency Graph using Hybrid Genetic Algorithm”. Proceedings of the 12th Annual Conference on Genetic and Evolutionary Computation, p. 1211-1218.
Konc, J. e Janezic, D. (2007). “An improved branch and bound algorithm for the maximum clique problem”. Communications in Mathematical and in Computer Chemistry, n. 58, p. 569-590.
Liu, C. Chen, C. Han, J. e Yu, P. S. (2006). “GPLAG: detection of software plagiarism by program dependence graph analysis”. Proceedings of the 12th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, p. 872-881.
Moura, A. V. e Rebiha, R. (2009). “Automated Malware Invariant Generation”, International Conference on Forensic Computer Science (ICoFCS), p. 7.
Notoatmodjo, G. (2010). “Detection of Self-Mutating Computer Viruses”, Disponível em [link], Department of Computer Science, University of Auckland, New Zealand.
Offensive Computing. (2013). “Offensive Computing”. http://www.offensivecomputing.net/. Nov. 2013.
Warshall, S. (1962). “A theorem on boolean matrices”. Journal of the ACM (JACM), n. 9, p. 11-12.
Bomze, I. M. Budinich, M. Paradalos, P. M. e Pelillo, M. (1999). “The maximum clique problem”. Handbook of combinatorial optimization. Springer US, p. 1-74.
Borello, J. e Mé, L. (2008). “Code obfuscation techniques for metamorphic viruses”, Journal in Computer Virology, vol. 4, núm. 3, pág. 211-220.
Bruschi, D. Martignoni, L. e Monga, M. (2007). "Code Normalization for Self-Mutating Malware", IEEE Security & Privacy, v. 5, n. 2, p. 46-54.
Conte, D. Foggia, P. e Vento, M. (2007). “Challenging Complexity of Maximum Common Subgraph Detection Algorithms: A Performance Analysis of Three Algorithms on a Wide Database of Graphs”,J. Graph Algorithms Appl, v. 11,n. 1, p. 99-143.
Cozzolino, M. Martins, G. Souto, E. e Deus, F. (2012). “Detecção de Variações de Malware Polimórfico por Meio de Normalização de Código e Identificação de Subfluxos”, Anais do XII Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais. Curitiba. Sociedade Brasileira de Computação, p. 30-43.
Ferrante, J. Ottenstein, K. J. e Warren, J. D. (1987). “The program dependence graph and its use in optimization”, ACM Transactions on Programming Languages and Systems (TOPLAS), v. 9, n. 3, p. 319-349.
Floyd, R. (1962). “Algorithm 97: shortest path”. Communications of the ACM 5.6, 5:345.
Garey, M. R. e Johnson, D. (1979). “Computers and Intractability: A Guide to the Theory of NPCompleteness”, W. H. Freeman & Co.
Griffin, K. Schneider, S. Hu, X. e Chiueh, T. C. (2009). “Automatic Generation of String Signatures for Malware Detection”. Proceedings of the 12th Symposium on Recent Advances in Intrusion Detection (RAID2009 ), Brittany, França, p. 101-120.
Hsiao, S.-W. Sun, Y. S. Chen, M. C. e Zhang, H. (2010). "Behavior Profiling for Robust Anomaly Detection," IEEE International Conference on Wireless Communications, Networking and Information Security, p. 465-471.
Hu, X. Chiueh, T.-c. e Shin, KG. (2009). “Large-scale malware indexing using function-call graphs”. Proceedings of the 16th ACM conference on Computer and communications security, p. 611-620.
Jacob, G. Debar, H. e Filiol, E. (2009). “Malware Detection using Attribute-Automata to parse Abstract Behavioral Descriptions”, CoRR, abs/0902.0322.
Karin, A. (2006). “Automatic Malware Signature Generation”. 16 de Outubro, 2006. Disponível em http://web.it.kth.se/~cschulte/teaching/theses/ICT-ECS-2006-122.pdf.
Kim, K. e Moon, B. (2010). “Malware Detection based on Dependency Graph using Hybrid Genetic Algorithm”. Proceedings of the 12th Annual Conference on Genetic and Evolutionary Computation, p. 1211-1218.
Konc, J. e Janezic, D. (2007). “An improved branch and bound algorithm for the maximum clique problem”. Communications in Mathematical and in Computer Chemistry, n. 58, p. 569-590.
Liu, C. Chen, C. Han, J. e Yu, P. S. (2006). “GPLAG: detection of software plagiarism by program dependence graph analysis”. Proceedings of the 12th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, p. 872-881.
Moura, A. V. e Rebiha, R. (2009). “Automated Malware Invariant Generation”, International Conference on Forensic Computer Science (ICoFCS), p. 7.
Notoatmodjo, G. (2010). “Detection of Self-Mutating Computer Viruses”, Disponível em [link], Department of Computer Science, University of Auckland, New Zealand.
Offensive Computing. (2013). “Offensive Computing”. http://www.offensivecomputing.net/. Nov. 2013.
Warshall, S. (1962). “A theorem on boolean matrices”. Journal of the ACM (JACM), n. 9, p. 11-12.
Published
2014-11-03
How to Cite
MARTINS, Gilbert B.; SOUTO, Eduardo; FREITAS, Rosiane de; FEITOSA, Eduardo.
Estruturas Virtuais e Diferenciação de Vértices em Grafos de Dependência para Detecção de Malware Metamórfico. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 14. , 2014, Belo Horizonte.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2014
.
p. 237-250.
DOI: https://doi.org/10.5753/sbseg.2014.20134.
