Modern social infrastructure relies on computer security and privacy. As a result, there are many opportunities for individuals with malicious intent to cause great harm. This work aims to provide a theoretical basis for the design of static and dynamic software platforms that can create a suitable architecture for automatic malware detection and analysis. We demonstrate how formal methods involving static and dynamic program analysis can be used to build such architectures, and propose automatic semantic malware detection and model extraction methods, circumventing difficulties met by other recent approaches. Our new technique for identifying malware involves automatically extracting invariant elements found in specific malware codes. These "malware-invariants," which remain unchanged even in obfuscated virus strains, can be used by semantic analysis programs as signatures that define the malicious code. We propose a host-based intrusion detection system using automatically generated models, where system calls are guarded by verification against pre-computed invariants. In this way, we can identify deviations during the execution of applications. Our method also provides a way to detect software bugs and application vulnerabilities. We also show that any malware or intrusion detection system based on a static analysis method will be strongly reinforced by the possession of a database of precompiled invariants.
THE INTERNATIONAL JOURNAL OF FORENSIC COMPUTER SCIENCE - IJoFCS
Volume 5, Number 1, pp 38-48, DOI: 10.5769/J201001005 or http://dx.doi.org/10.5769/J201001005
Semantic Malware Resistance Using Inductive Invariants
By Rachid Rebiha and Arnaldo Moura