[My research] Summary of questions from the third week of July
第一篇 - 2007.malspecs.graph@FSE[]Mining specifications of malicious behavior.pdf
References worth digging into
1. Semantic-aware malware detection [7][16]
[7] M. Christodorescu, S. Jha, S. A. Seshia, D. Song, and R. E. Bryant. Semantics-aware malware detection. In Proc. IEEE Symposium on Security and Privacy, pages 32–46, 2005.
[16] C. Kruegel, W. Robertson, and G. Vigna. Detecting kernel-level rootkits through binary analysis. In Proc. 20th Annual Computer Security Applications Conference (ACSAC’04), pages 91–100, 2004.
2. Malicious code model checking [12]
[12] J. Kinder, S. Katzenbeisser, C. Schallhart, and H. Veith. Detecting malicious code by model checking. In Proc. 2nd Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA’05), pages 174–187, 2005.
On the term "model checking": in the prototype implementation described in Semantics-aware malware detection there is a collection of decision procedures, four in total, and the last two are based on the principle of model checking. (2011.8.5)
Specification
Dependence graph (represented as a DAG, a directed acyclic graph): the nodes are system calls and the edges are the dependencies between system calls, expressed as logic formulas.
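To make the structure concrete, here is an added example (my own code, not the paper's MiniMal tool or the Symantec specifications): a malspec as a DAG of system calls whose edges carry predicates over call arguments and results, plus a matcher that checks whether a system-call trace contains an instance of the spec in program order. The spec, call names and traces are constructed for illustration.

```python
# Added example (not from the paper): a malspec as a DAG of system calls whose
# edges carry dependency predicates, and a matcher over a system-call trace.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Call:
    name: str
    args: Dict[str, object]
    ret: object = None

Predicate = Callable[[Call, Call], bool]  # holds if dst call depends on src call

@dataclass
class Malspec:
    nodes: List[str]                         # system call names, in topological order
    edges: List[Tuple[int, int, Predicate]]  # (src node, dst node, edge predicate)

def matches(spec: Malspec, trace: List[Call]) -> Optional[Dict[int, int]]:
    """Backtracking search for a map spec node -> trace index such that every
    edge predicate holds and each destination call comes after its sources."""
    def search(node: int, assign: Dict[int, int]) -> Optional[Dict[int, int]]:
        if node == len(spec.nodes):
            return assign
        preds = [(s, p) for s, d, p in spec.edges if d == node]
        for idx, call in enumerate(trace):
            if call.name != spec.nodes[node]:
                continue
            if all(assign[s] < idx and p(trace[assign[s]], call) for s, p in preds):
                found = search(node + 1, {**assign, node: idx})
                if found is not None:
                    return found
        return None
    return search(0, {})

# Constructed (hypothetical) malspec: open a file, read through the returned
# handle, then write the bytes just read to a different handle (self-copy pattern).
SELF_COPY = Malspec(
    nodes=["NtOpenFile", "NtReadFile", "NtWriteFile"],
    edges=[
        (0, 1, lambda o, r: r.args["handle"] == o.ret),             # read uses opened handle
        (1, 2, lambda r, w: w.args["buf"] == r.ret),                # write carries read data
        (1, 2, lambda r, w: w.args["handle"] != r.args["handle"]),  # ... to another handle
    ],
)

# Constructed traces; an unrelated call is interleaved, as in a real trace.
MALICIOUS_TRACE = [
    Call("NtOpenFile", {"path": "C:\\self.exe"}, ret=0x10),
    Call("NtReadFile", {"handle": 0x10}, ret=b"MZ..."),
    Call("NtClose", {"handle": 0x10}),
    Call("NtWriteFile", {"handle": 0x20, "buf": b"MZ..."}),
]
BENIGN_TRACE = [
    Call("NtOpenFile", {"path": "C:\\log.txt"}, ret=0x10),
    Call("NtReadFile", {"handle": 0x10}, ret=b"hello"),
    Call("NtWriteFile", {"handle": 0x10, "buf": b"hello"}),  # same handle: not a copy
]
```

The matcher returns the node-to-trace assignment for MALICIOUS_TRACE and None for BENIGN_TRACE, because the benign write goes back to the handle it read from.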
Detector
Semantic-aware malware detector (the tool used in Semantics-aware malware detection; its input is a template, so the dependence graph first has to be mapped onto a template). The tool's architecture is shown in the figure below:
Experimental method
Goal: validate the algorithm (MiniMal)
Procedure: mine malspecs from 16 well-known malware samples, then compare them with the specifications written by Symantec's virus analysts
第二篇 - 2008.automata@RAID[]A layered architecture for detecting malicious behaviors.pdf
Questions
1. How can the layered behavior specifications be built in practice? How is the hierarchy derived?
The paper says a future direction could be generating each layer of the specification automatically; so manual construction really is the weak point.
2. The paper wraps QEMU to add new functionality. Is the source code available for download?
First, a look at the paper's first author, Lorenzo Martignoni (http://martignlo.greyhats.it/)
He is currently a postdoctoral researcher at UC Berkeley, working with Prof. Dawn Song and her research group on system and application security.
From Sep 2006 to May 2008, he was a visiting research scholar at the Department of Computer Science of the University of Wisconsin–Madison (USA), working on malware analysis and detection under the supervision of Prof. Somesh Jha.
3. What is the relationship between KQEMU [38] and QEMU?
[38] Bellard, F.: QEMU Accelerator (KQEMU)
[39] Bellard, F.: QEMU, a Fast and Portable Dynamic Translator
Specification
Behavior graph (represented as an AND-OR graph): the nodes are events, the edges represent transitions between events, and each edge carries a label, namely the predicate that must be satisfied to take that edge.
Detector - Behavior Matcher
Not described in detail in the paper; consider looking on the author's website
Experimental method - To be added
第三篇 - 2009.automata@RAID[]Malware behavioral detection by attribute-automata using abstraction from platform and language.pdf
Questions
1. How is the formal language implemented?
Specification
Attribute grammar (a CFG, context-free grammar, augmented with semantic attributes and rules), which consists of two things:
a syntax for operations and interactions, and a type system for external objects
Detector
Parsing automata - I have largely forgotten how automata work and how they are implemented
Experimental method - To be added
A paper still to read - 2010@SP[WISC.IBM.UCSB]Synthesizing Near-Optimal Malware Specifications from Suspicious Behaviors.pdf