A framework for understanding dynamic anti-analysis defenses

Jing Qiu, Babak Yadegari, Brian Johannesmeyer, Saumya Debray, Xiaohong Su

Research output: Chapter in Book/Report/Conference proceedingConference contribution

7 Scopus citations


Malicious code often use a variety of anti-analysis and anti-tampering defenses to hinder analysis. Researchers trying to understand the internal logic of the malware have to penetrate these defenses. Existing research on such anti-analysis defenses tend to study them in isolation, thereby failing to see underlying conceptual similarities between different kinds of anti-analysis defenses. This paper proposes an information-flow-based framework that encompasses a wide variety of anti-analysis defenses. We illustrate the utility of our approach using two different instances of this framework: self-checksumming-based anti-tampering defenses and timing-based emulator detection. Our approach can provide insights into the underlying structure of various anti-analysis defenses and thereby help devise techniques for neutralizing them.

Original languageEnglish (US)
Title of host publicationProceedings of the 4th Program Protection and Reverse Engineering Workshop, PPREW 2014
PublisherAssociation for Computing Machinery
ISBN (Electronic)9781605586373
StatePublished - Dec 9 2014
Event4th Program Protection and Reverse Engineering Workshop, PPREW 2014 - New Orleans, United States
Duration: Dec 9 2014 → …

Publication series

NameACM International Conference Proceeding Series


Other4th Program Protection and Reverse Engineering Workshop, PPREW 2014
Country/TerritoryUnited States
CityNew Orleans
Period12/9/14 → …


  • Anti-analysis defense
  • Sefl-checksumming
  • Taint analysis
  • Timing defense

ASJC Scopus subject areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications


Dive into the research topics of 'A framework for understanding dynamic anti-analysis defenses'. Together they form a unique fingerprint.

Cite this