Mining Specifications of Malicious Behavior

Mihai Christodorescu, Somesh Jha, Christopher Kruegel

September 5-7, 2007
Hide the Contact Info
Photo of Mihai Christodorescu
Mihai Christodorescu
Doctoral Candidate
1210 W Dayton St
Office 7372
Madison, WI 53706-1685
Curriculum vitæ: online PDF US letter (or A4)
[an error occurred while processing this directive]
Telephone: +1 608 262-6625
Fax: +1 608 262-9777
ICQ: 3954659
AIM: yodMihai
Yahoo! IM: warkda
Skype: warkdarrior
LinkedIn: view my profile
Google Chat/XMPP:

This paper is a result of research work on behavior-based malware detection and appears in the Proceedings of the 6th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE 2007), September 3-7, 2007, Dubrovnik, Croatia.

The work of Mihai Christodorescu and Somesh Jha was supported by the National Science Foundation under grant CNS-0627501.

Christopher Kruegel was supported by the Austrian Science Foundation (FWF) under grant P18157, the FIT-IT project Pathfinder, and the Secure Business Austria competence center.



Malware detectors require a specification of malicious behavior. Typically, these specifications are manually constructed by investigating known malware. We present an automatic technique to overcome this laborious manual process. Our technique derives such a specification by comparing the execution behavior of a known malware against the execution behaviors of a set of benign programs. In other words, we mine the malicious behavior present in a known malware that is not present in a set of benign programs. The output of our algorithm can be used by malware detectors to detect malware variants. Since our algorithm provides a succinct description of malicious behavior present in a malware, it can also be used by security analysts for understanding the malware. We have implemented a prototype based on our algorithm and tested it on several malware programs. Experimental results obtained from our prototype indicate that our algorithm is effective in extracting malicious behaviors that can be used to detect malware variants.

Valid CSS! Valid XHTML 1.0 Strict
Copyright © 2007 Mihai Christodorescu. All rights reserved.
Maintained by Mihai Christodorescu (
Created: Thu Jul 5 13:00:07 2007
Last modified: Tue Dec 18 10:56:09 EST 2007