Abstraction-Based Malware Analysis Using Rewriting and Model Checking
Citations
Semantic-based Malware Behavior Description: Past and Future
Classification of malware persistence mechanisms using low-artifact disk instrumentation
A Planning Approach to Monitoring Computer Programs’ Behavior
Behavior Analysis of Malicious Code by Weighted Behavior Abstraction
Malicious and Harmless Software in the Domain of System Utilities
References
A Temporal Logic of Nested Calls and Returns
The SPIN Model Checker: Primer and Reference Manual
Tree Automata Techniques and Applications
Analysis of Recursive Game Graphs Using Data Flow Equations
Frequently Asked Questions (12)
Q2. What is the function that allows on-the-fly model checking of formulas?
CADP features a verification tool that allows on-the-fly model checking of formulas expressed in the MCL language, a fragment of the modal mu-calculus extended with data variables, of which the FOLTL logic used in this paper is a subset.
Q3. What is the main idea behind the behavior analysis?
Underpinned by language theory, term rewriting and first-order temporal logic, the analysis determines whether a program exhibits a given high-level behavior.
Q4. What is the interesting application of static behavior analysis?
An interesting application of static behavior analysis is the audit of programs in high-level technologies, like mobile applications, browser extensions, web page scripts, .NET or Java programs.
Q5. What is the behavior pattern that is used to represent the data?
Since the captured data must not be invalidated before being leaked, the authors define a behavior pattern λinval(x), which represents such an invalidation.
Q6. How do the authors describe a function by an FOLTL formula?
The authors describe a functionality by an FOLTL formula, such that traces satisfying this formula are traces carrying out the functionality.
Q7. What is the general definition of a behavior?
In general, a behavior is described by a sequence of system calls and recognition uses the formalism of finite state automata [22, 26, 24, 6].
Q8. What is the key to the problem of constructing the normal form trace set?
In order to address the general intractability of constructing the normal form trace set for a given program, the authors identify a property of practical high-level behaviors that allows them to avoid computing normal forms and yields a linear-time detection algorithm.
Q9. How is the ping behavior pattern in Example 1 defined?
The ping behavior pattern in Example 1 is abstracted in traces by inserting the λping symbol after the send action or after the IcmpSendEcho action.
Q10. What is the purpose of the abstract behavior analysis framework?
Their abstraction framework can be used in two scenarios. The first is the detection of given behaviors: signatures of given high-level behaviors are expressed in terms of abstract functionalities.
Q11. What is sufficient to prove that a tree transducer is rational?
The authors show that this property, together with termination of the set of rules, is sufficient to ensure that the abstraction relation is realizable by a tree transducer, in other words that it is a rational tree transduction.
Q12. What is the motivation behind the behavior analysis approach?
This has motivated yet another approach, in which a malicious behavior is specified as a combination of high-level actions, so as to be independent of the way these actions are realized and to consider only their effect on the system.