A semantics-based approach to malware detection

Mila Dalla Preda; Mihai Christodorescu; Somesh Jha; Saumya Debray

doi:10.1145/1190216.1190270

A semantics-based approach to malware detection

Mila Dalla Preda, Mihai Christodorescu, Somesh Jha, Saumya Debray

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

84 Scopus citations

Abstract

Malware detection is a crucial aspect of software security. Current malware detectors work by checking for "signatures," which attempt to capture (syntactic) characteristics of the machine-level byte sequence of the malware. This reliance on a syntactic approach makes such detectors vulnerable to code obfuscations, increasingly used by malware writers, that alter syntactic properties of the malware byte sequence without significantly affecting their execution behavior.This paper takes the position that the key to malware identification lies in their semantics. It proposes a semantics-based framework for reasoning about malware detectors and proving properties such as soundness and completeness of these detectors. Our approach uses a trace semantics to characterize the behaviors of malware as well as the program being checked for infection, and uses abstract interpretation to "hide" irrelevant aspects of these behaviors. As a concrete application of our approach, we show that the semantics-aware malware detector proposed by Christodorescu et al. is complete with respect to a number of common obfuscations used by malware writers.

Original language	English (US)
Title of host publication	Conference Record of POPL 2007
Subtitle of host publication	The 34th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages - Papers Presented at the Symposium
Pages	377-388
Number of pages	12
DOIs	https://doi.org/10.1145/1190216.1190270
State	Published - 2007
Event	34th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages - Nice, France Duration: Jan 17 2007 → Jan 19 2007

Publication series

Name	Conference Record of the Annual ACM Symposium on Principles of Programming Languages
ISSN (Print)	0730-8566

Other

Other	34th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
Country/Territory	France
City	Nice
Period	1/17/07 → 1/19/07

Keywords

Abstract interpretation
Malware detection
Obfuscation
Trace semantics

ASJC Scopus subject areas

Software

Access to Document

10.1145/1190216.1190270

Cite this

Preda, M. D., Christodorescu, M., Jha, S., & Debray, S. (2007). A semantics-based approach to malware detection. In Conference Record of POPL 2007: The 34th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages - Papers Presented at the Symposium (pp. 377-388). (Conference Record of the Annual ACM Symposium on Principles of Programming Languages). https://doi.org/10.1145/1190216.1190270

A semantics-based approach to malware detection. / Preda, Mila Dalla; Christodorescu, Mihai; Jha, Somesh et al.
Conference Record of POPL 2007: The 34th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages - Papers Presented at the Symposium. 2007. p. 377-388 (Conference Record of the Annual ACM Symposium on Principles of Programming Languages).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Preda, MD, Christodorescu, M, Jha, S & Debray, S 2007, A semantics-based approach to malware detection. in Conference Record of POPL 2007: The 34th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages - Papers Presented at the Symposium. Conference Record of the Annual ACM Symposium on Principles of Programming Languages, pp. 377-388, 34th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, Nice, France, 1/17/07. https://doi.org/10.1145/1190216.1190270

Preda MD, Christodorescu M, Jha S, Debray S. A semantics-based approach to malware detection. In Conference Record of POPL 2007: The 34th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages - Papers Presented at the Symposium. 2007. p. 377-388. (Conference Record of the Annual ACM Symposium on Principles of Programming Languages). doi: 10.1145/1190216.1190270

@inproceedings{69beb2768f254d71a1ee999ff2e6fd54,

title = "A semantics-based approach to malware detection",

abstract = "Malware detection is a crucial aspect of software security. Current malware detectors work by checking for {"}signatures,{"} which attempt to capture (syntactic) characteristics of the machine-level byte sequence of the malware. This reliance on a syntactic approach makes such detectors vulnerable to code obfuscations, increasingly used by malware writers, that alter syntactic properties of the malware byte sequence without significantly affecting their execution behavior.This paper takes the position that the key to malware identification lies in their semantics. It proposes a semantics-based framework for reasoning about malware detectors and proving properties such as soundness and completeness of these detectors. Our approach uses a trace semantics to characterize the behaviors of malware as well as the program being checked for infection, and uses abstract interpretation to {"}hide{"} irrelevant aspects of these behaviors. As a concrete application of our approach, we show that the semantics-aware malware detector proposed by Christodorescu et al. is complete with respect to a number of common obfuscations used by malware writers.",

keywords = "Abstract interpretation, Malware detection, Obfuscation, Trace semantics",

author = "Preda, {Mila Dalla} and Mihai Christodorescu and Somesh Jha and Saumya Debray",

year = "2007",

doi = "10.1145/1190216.1190270",

language = "English (US)",

isbn = "1595935754",

series = "Conference Record of the Annual ACM Symposium on Principles of Programming Languages",

pages = "377--388",

booktitle = "Conference Record of POPL 2007",

note = "34th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages ; Conference date: 17-01-2007 Through 19-01-2007",

}

TY - GEN

T1 - A semantics-based approach to malware detection

AU - Preda, Mila Dalla

AU - Christodorescu, Mihai

AU - Jha, Somesh

AU - Debray, Saumya

PY - 2007

Y1 - 2007

N2 - Malware detection is a crucial aspect of software security. Current malware detectors work by checking for "signatures," which attempt to capture (syntactic) characteristics of the machine-level byte sequence of the malware. This reliance on a syntactic approach makes such detectors vulnerable to code obfuscations, increasingly used by malware writers, that alter syntactic properties of the malware byte sequence without significantly affecting their execution behavior.This paper takes the position that the key to malware identification lies in their semantics. It proposes a semantics-based framework for reasoning about malware detectors and proving properties such as soundness and completeness of these detectors. Our approach uses a trace semantics to characterize the behaviors of malware as well as the program being checked for infection, and uses abstract interpretation to "hide" irrelevant aspects of these behaviors. As a concrete application of our approach, we show that the semantics-aware malware detector proposed by Christodorescu et al. is complete with respect to a number of common obfuscations used by malware writers.

AB - Malware detection is a crucial aspect of software security. Current malware detectors work by checking for "signatures," which attempt to capture (syntactic) characteristics of the machine-level byte sequence of the malware. This reliance on a syntactic approach makes such detectors vulnerable to code obfuscations, increasingly used by malware writers, that alter syntactic properties of the malware byte sequence without significantly affecting their execution behavior.This paper takes the position that the key to malware identification lies in their semantics. It proposes a semantics-based framework for reasoning about malware detectors and proving properties such as soundness and completeness of these detectors. Our approach uses a trace semantics to characterize the behaviors of malware as well as the program being checked for infection, and uses abstract interpretation to "hide" irrelevant aspects of these behaviors. As a concrete application of our approach, we show that the semantics-aware malware detector proposed by Christodorescu et al. is complete with respect to a number of common obfuscations used by malware writers.

KW - Abstract interpretation

KW - Malware detection

KW - Obfuscation

KW - Trace semantics

UR - http://www.scopus.com/inward/record.url?scp=34548223126&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=34548223126&partnerID=8YFLogxK

U2 - 10.1145/1190216.1190270

DO - 10.1145/1190216.1190270

M3 - Conference contribution

AN - SCOPUS:34548223126

SN - 1595935754

SN - 9781595935755

T3 - Conference Record of the Annual ACM Symposium on Principles of Programming Languages

SP - 377

EP - 388

BT - Conference Record of POPL 2007

T2 - 34th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages

Y2 - 17 January 2007 through 19 January 2007

ER -

A semantics-based approach to malware detection

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this