Mihai Christodorescu
Doctoral Candidate
1210 W Dayton St
Office 7372
Madison, WI 53706-1685
This paper is a result of research work on behavior-based malware detection and appeared in the Proceedings of the 2005 IEEE Symposium on Security and Privacy (S&P 2005), May 8-11, 2005, Oakland, California, USA.
Mihai Christodorescu was supported in part by the Office of Naval Research (ONR) under contracts N00014-01-1-0796 and N00014-01-1-0708, while working as a research assistant on the WiSA project. Sanjit A. Seshia was supported in part by the Army Research Office under grant DAAD19-01-1-0485.
Downloads:
- Version suitable for printing: PDF, PostScript
- Citation: BibTeX
Abstract
A malware detector is a system that attempts to determine whether a program has malicious intent. In order to evade detection, malware writers (hackers) frequently use obfuscation to morph malware. Malware detectors that use a pattern-matching approach (such as commercial virus scanners) are susceptible to obfuscations used by hackers. The fundamental deficiency in the pattern-matching approach to malware detection is that it is purely syntactic and ignores the semantics of instructions. In this paper, we present a malware-detection algorithm that addresses this deficiency by incorporating instruction semantics to detect malicious program traits. Experimental evaluation demonstrates that our malware-detection algorithm can detect variants of malware with a relatively low run-time overhead. Moreover, our semantics-aware malware detection algorithm is resilient to common obfuscations used by hackers.
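To make the abstract's contrast concrete, here is a small added illustration (not code from the paper or its authors) of why a syntactic signature breaks under obfuscation while a semantics-aware template does not. The instruction set, the three sample sequences, and the simplification rules are constructed assumptions; the template variables A and B stand for any register, as in the paper's template idea.

```python
from itertools import permutations

REGS = ("eax", "ebx", "ecx", "edx")
# Constructed samples: the original trait, a variant obfuscated with a different zeroing
# idiom, junk insertion and register renaming, and an unrelated benign sequence.
ORIGINAL = [("mov", "eax", 0), ("add", "eax", "ebx")]
OBFUSCATED = [("xor", "ecx", "ecx"), ("nop",), ("add", "ecx", "edx")]
BENIGN = [("add", "eax", "ebx"), ("nop",)]
SIGNATURE = ORIGINAL                                # byte-for-byte pattern
TEMPLATE = [("mov", "A", 0), ("add", "A", "B")]     # A, B are template variables

def val(state, operand):
    """Symbolic value of an operand: current register expression or an immediate."""
    return state[operand] if isinstance(operand, str) else operand

def execute(seq):
    """Symbolically execute seq; registers start as symbols named after themselves.
    Identities x xor x = 0, x - x = 0 and x + 0 = x give canonical expressions."""
    state = {r: r for r in REGS}
    for ins in seq:
        op = ins[0]
        if op == "nop":
            continue
        dst, src = ins[1], val(state, ins[2])
        cur = state[dst]
        if op == "mov":
            state[dst] = src
        elif op in ("xor", "sub") and cur == src:
            state[dst] = 0
        elif op == "add" and 0 in (cur, src):
            state[dst] = src if cur == 0 else cur
        else:
            state[dst] = (op, cur, src)
    return state

def syntactic_match(signature, program):
    """Pattern-matching detector: the exact instruction sequence must appear verbatim."""
    n = len(signature)
    return any(program[i:i + n] == signature for i in range(len(program) - n + 1))

def semantic_match(template, program, outputs):
    """Semantics-aware detector: find a binding of template variables to registers under
    which the program has the same effect on the template's output registers."""
    variables = sorted({o for ins in template for o in ins[1:] if isinstance(o, str) and o.isupper()})
    prog_state = execute(program)
    for binding in permutations(REGS, len(variables)):
        env = dict(zip(variables, binding))
        tmpl_state = execute([tuple(env.get(o, o) for o in ins) for ins in template])
        if all(tmpl_state[env[v]] == prog_state[env[v]] for v in outputs):
            return env
    return None
```

The signature matches only ORIGINAL; the template also matches OBFUSCATED (binding A to ecx and B to edx) and rejects BENIGN, since comparison is on the computed effect, not the instruction bytes.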