[My Research] Summary of questions, third week of July

Paper 1 - 2007.malspecs.graph@FSE[]Mining specifications of malicious behavior.pdf

References worth a closer look

1. Semantics-aware malware detection [7][16]

[7] M. Christodorescu, S. Jha, S. A. Seshia, D. Song, and R. E. Bryant. Semantics-aware malware detection. In Proc. IEEE Symposium on Security and Privacy, pages 32–46, 2005.

[16] C. Kruegel, W. Robertson, and G. Vigna. Detecting kernel-level rootkits through binary analysis. In Proc. 20th Annual Computer Security Applications Conference (ACSAC’04), pages 91–100, 2004.

2. Detecting malicious code by model checking [12]

[12] J. Kinder, S. Katzenbeisser, C. Schallhart, and H. Veith. Detecting malicious code by model checking. In Proc. 2nd Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA’05), pages 174–187, 2005.

On the term "model checking": the prototype implementation of semantics-aware malware detection uses a collection of decision procedures, four in all, and the last two work on the model-checking principle. (2011.8.5)


Specification

Dependence graph (represented as a DAG, a directed acyclic graph): the nodes are system calls and the edges are the dependencies between system calls, each expressed as a logic formula.
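To make the structure concrete, here is an added example (my own code, not the paper's or its authors'): a malspec as a dependence graph of system calls, and a matcher that checks whether a system-call trace exhibits it. Nodes are system calls, and each edge carries a predicate over the two calls' arguments and return values standing in for the paper's logic formula. The system-call names, the specification and both traces are constructed for illustration.

```python
"""Added example (not from the paper or its authors): a malspec expressed as a
dependence graph of system calls, plus a matcher that checks whether a system-
call trace exhibits it. Nodes are system calls; each edge u -> v carries a
predicate (the logic formula labelling the dependency) over the two calls'
arguments and return values. A trace matches when some order-preserving
assignment of trace entries to nodes satisfies every edge predicate.
The system-call names, the specification and both traces are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Call = dict                                   # {"name": str, "args": list, "ret": value}
Pred = Callable[[Call, Call], bool]           # (source call, target call) -> formula holds?


@dataclass
class Malspec:
    nodes: Dict[str, str]                     # node id -> system-call name
    edges: List[Tuple[str, str, Pred]] = field(default_factory=list)


def topo_order(spec: Malspec) -> List[str]:
    """Kahn's algorithm; the specification is a DAG, so every node is emitted."""
    indeg = {n: 0 for n in spec.nodes}
    for _, dst, _ in spec.edges:
        indeg[dst] += 1
    ready = [n for n in spec.nodes if indeg[n] == 0]
    order = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for src, dst, _ in spec.edges:
            if src == n:
                indeg[dst] -= 1
                if indeg[dst] == 0:
                    ready.append(dst)
    if len(order) != len(spec.nodes):
        raise ValueError("specification graph contains a cycle")
    return order


def match(spec: Malspec, trace: List[Call]) -> Optional[Dict[str, int]]:
    """Return a node -> trace-index assignment if the trace exhibits the spec,
    otherwise None. Predecessors are assigned first (topological order), so
    every edge into the current node can be checked immediately."""
    order = topo_order(spec)

    def extend(assign: Dict[str, int], remaining: List[str]):
        if not remaining:
            return assign
        node, rest = remaining[0], remaining[1:]
        for i, call in enumerate(trace):
            if call["name"] != spec.nodes[node] or i in assign.values():
                continue
            # every incoming edge: the source occurs earlier and its formula holds
            if all(assign[src] < i and pred(trace[assign[src]], call)
                   for src, dst, pred in spec.edges if dst == node):
                result = extend({**assign, node: i}, rest)
                if result is not None:
                    return result
        return None

    return extend({}, order)


# Constructed specification: data read from a file is later sent on a socket.
# The edge formulas express data flow between calls (handle / buffer identity).
SPEC = Malspec(
    nodes={"A": "open", "B": "read", "C": "send"},
    edges=[
        ("A", "B", lambda a, b: b["args"][0] == a["ret"]),     # read uses open's handle
        ("B", "C", lambda b, c: c["args"][1] == b["ret"]),     # send carries read's buffer
    ],
)

# Constructed traces (not real captures).
SUSPICIOUS_TRACE = [
    {"name": "open",   "args": ["C:\\notes.txt"], "ret": 7},
    {"name": "socket", "args": [],                "ret": 3},
    {"name": "read",   "args": [7],               "ret": "secret"},
    {"name": "read",   "args": [9],               "ret": "other"},
    {"name": "send",   "args": [3, "secret"],     "ret": 6},
]
BENIGN_TRACE = [
    {"name": "open",   "args": ["C:\\notes.txt"], "ret": 7},
    {"name": "read",   "args": [7],               "ret": "secret"},
    {"name": "socket", "args": [],                "ret": 3},
    {"name": "send",   "args": [3, "ping"],       "ret": 4},   # unrelated payload
]

if __name__ == "__main__":
    print("suspicious:", match(SPEC, SUSPICIOUS_TRACE))   # {'A': 0, 'B': 2, 'C': 4}
    print("benign:", match(SPEC, BENIGN_TRACE))           # None
```

The benign trace contains every system call named in the specification, in a compatible order; it is rejected only because the second edge formula (the sent buffer must be the one returned by `read`) fails, which is the point of labelling edges with formulas rather than matching bare call sequences.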

Detector

Semantics-aware malware detector (the tool used in Semantics-aware malware detection; its input is a template, so the dependence graph additionally has to be mapped onto a template). The architecture of the tool is shown in the figure below:

Experimental method

Goal: validate the algorithm (MiniMal)

Procedure: mine malspecs from 16 well-known malware samples, then compare them with the specifications written by Symantec's virus analysts



Paper 2 - 2008.automata@RAID[]A layered architecture for detecting malicious behaviors.pdf

Questions

1. How is the layering of behaviours in the specification done in practice, and how is the hierarchy derived?

The paper says a future direction could be to generate each layer of the specification automatically; manual construction really is the weak point here.

2. The paper wraps Qemu to add new functionality; is the source code available for download?

First, a look at the paper's first author, Lorenzo Martignoni (http://martignlo.greyhats.it/)

He is currently a postdoctoral researcher at UC Berkeley, working with Prof. Dawn Song and her research group on system and application security.

From Sep 2006 to May 2008, he was a visiting research scholar at the Department of Computer Science of the University of Wisconsin–Madison (USA) working on malware analysis and detection under the supervision of Prof. Somesh Jha.

3. What is the relationship between KQemu [38] and Qemu?

[38] Bellard, F.: QEMU Accelerator (KQEMU)
[39] Bellard, F.: QEMU, a Fast and Portable Dynamic Translator

Specification

Behavior graph (represented as an AND-OR graph): the nodes are events, the edges are transitions between events, and each edge carries a label, namely the predicate that must be satisfied for that edge to be taken.
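An added example of my own (not code from the paper or its authors) showing both the AND-OR graph with predicate-labelled transitions and the layered evaluation the paper argues for: when a graph matches, it emits a higher-level event that graphs in the next layer consume like any other event. The event names, attributes, the two-layer specification and the sample streams are all constructed.

```python
"""Added example (not from the paper or its authors): a behaviour specification
as an AND-OR graph of events whose transitions carry predicates, together with
layered evaluation: a matching graph emits a higher-level event which graphs in
the next layer consume. Event names, attributes and sample streams are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Iterator, List, Tuple, Union


@dataclass
class Event:
    name: str
    attrs: dict = field(default_factory=dict)
    t: int = 0                                   # position in time


@dataclass
class Leaf:
    """One event node. `guard` is the predicate labelling the transition into this
    node (it may refer to variables bound by earlier nodes); `binds` records event
    attributes into the environment for later predicates."""
    event: str
    binds: dict = field(default_factory=dict)    # variable -> attribute name
    guard: Callable[[dict, Event], bool] = lambda env, e: True


@dataclass
class And:                                       # all children, in the given order
    children: list


@dataclass
class Or:                                        # any one child
    children: list


Node = Union[Leaf, And, Or]


def matches(node: Node, events: List[Event], start: int, env: dict) -> Iterator[Tuple[int, dict]]:
    """Yield (index after the match, environment) for every way `node` matches in
    events[start:]. Backtracking keeps AND correct when an early candidate for one
    child leads nowhere for the next."""
    if isinstance(node, Leaf):
        for i in range(start, len(events)):
            e = events[i]
            if e.name == node.event and node.guard(env, e):
                yield i + 1, {**env, **{v: e.attrs[a] for v, a in node.binds.items()}}
    elif isinstance(node, And):
        def rec(k: int, pos: int, env: dict):
            if k == len(node.children):
                yield pos, env
                return
            for pos2, env2 in matches(node.children[k], events, pos, env):
                yield from rec(k + 1, pos2, env2)
        yield from rec(0, start, env)
    elif isinstance(node, Or):
        for child in node.children:
            yield from matches(child, events, start, env)
    else:
        raise TypeError(f"unknown node {node!r}")


@dataclass
class BehaviorGraph:
    name: str                                    # higher-level event emitted on a match
    root: Node
    export: list = field(default_factory=list)   # environment variables carried upward


def evaluate(graph: BehaviorGraph, events: List[Event]):
    """First match of the graph, as the event it produces (or None)."""
    for pos, env in matches(graph.root, events, 0, {}):
        return Event(graph.name, {v: env[v] for v in graph.export}, t=events[pos - 1].t)
    return None


def run_layers(layers: List[List[BehaviorGraph]], raw: List[Event]) -> List[Event]:
    """Bottom-up evaluation: each layer's matches become events for the next layer."""
    events, derived = list(raw), []
    for layer in layers:
        produced = [ev for ev in (evaluate(g, events) for g in layer) if ev is not None]
        derived.extend(produced)
        events = sorted(events + produced, key=lambda e: e.t)   # stable: derived event follows its cause
    return derived


# Constructed two-layer specification (illustrative names).
FILE_DROP = BehaviorGraph(
    "file_drop",
    And([Leaf("net_recv", binds={"buf": "data"}),
         Leaf("file_write", binds={"path": "path"}, guard=lambda env, e: e.attrs["data"] == env["buf"])]),
    export=["path"])
DOWNLOAD_AND_EXECUTE = BehaviorGraph(
    "download_and_execute",
    And([Leaf("file_drop", binds={"path": "path"}),
         Or([Leaf("process_create", guard=lambda env, e: e.attrs["image"] == env["path"]),
             Leaf("load_library", guard=lambda env, e: e.attrs["image"] == env["path"])])]),
    export=["path"])
LAYERS = [[FILE_DROP], [DOWNLOAD_AND_EXECUTE]]

# Constructed event streams (not real captures).
SUSPICIOUS = [
    Event("net_recv", {"data": "MZ..."}, t=1),
    Event("file_write", {"path": "C:\\tmp\\a.exe", "data": "MZ..."}, t=2),
    Event("file_write", {"path": "C:\\tmp\\log.txt", "data": "log"}, t=3),
    Event("process_create", {"image": "C:\\tmp\\a.exe"}, t=4),
]
BENIGN = SUSPICIOUS[:3] + [Event("process_create", {"image": "C:\\Windows\\notepad.exe"}, t=4)]


def detect(layers, raw) -> List[str]:
    return [e.name for e in run_layers(layers, raw)]
```

Note that the lower-layer event `file_drop` fires for the benign stream as well (receiving data and writing it to disk is an ordinary download); only the upper layer, whose OR node accepts either way of executing the written file, separates the two streams.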

Detector - Behavior Matcher

Not described in detail in the paper; worth looking for on the author's website

Experimental method - To be added


Paper 3 - 2009.automata@RAID[]Malware behavioral detection by attribute-automata using abstraction from platform and language.pdf

Questions

1. How is the formal language implemented?

Specification

Attribute grammar (a CFG, context-free grammar, augmented with semantic attribute rules), which consists of two things:

a syntax for operations and interactions, and a type system for external objects

Detector

Parsing automata - I have mostly forgotten how automata are implemented and how they work
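As an added example covering both the specification (the attribute grammar with its type system for external objects) and the detector (the parsing automata), here is a small attribute-grammar engine of my own; it is not code from the paper or its authors. Terminals are operations on typed external objects, a per-operation type signature rejects ill-typed uses, productions carry semantic actions that compute synthesized attributes and may reject a derivation, and a backtracking recursive-descent recogniser stands in for the paper's parsing automata. The grammar, the type system and the operation sequences are constructed.

```python
"""Added example (not from the paper or its authors): a small attribute-grammar
engine. Terminals are operations on external objects with types; productions
carry semantic actions (the attribute rules) that may reject a derivation; a
backtracking recursive-descent recogniser plays the role of the parsing automaton.
Grammar, type system and operation sequences are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Obj:                       # external object with a type from the type system
    kind: str                    # e.g. "File", "Socket"
    ident: int


@dataclass
class Op:                        # terminal: one operation on external objects
    name: str
    args: Tuple[Obj, ...]


@dataclass
class Rule:
    lhs: str
    rhs: List[str]                                      # terminals (lowercase) / nonterminals
    action: Callable[[List[dict]], Optional[dict]]      # children's attrs -> own attrs, None = reject


class AttributeGrammar:
    def __init__(self, rules: List[Rule], types: Dict[str, List[set]]):
        self.rules: Dict[str, List[Rule]] = {}
        for r in rules:
            self.rules.setdefault(r.lhs, []).append(r)
        self.types = types                              # operation -> allowed kinds per argument

    def well_typed(self, op: Op) -> bool:
        sig = self.types.get(op.name)
        if sig is None:
            return False                                # unknown operation: no signature
        return len(sig) == len(op.args) and all(a.kind in kinds for a, kinds in zip(op.args, sig))

    def derive(self, symbol: str, ops: List[Op], pos: int) -> Iterator[Tuple[int, dict]]:
        """Yield (position after, attributes) for each derivation of `symbol` at `pos`."""
        if symbol not in self.rules:                    # terminal: match one well-typed operation
            if pos < len(ops) and ops[pos].name == symbol and self.well_typed(ops[pos]):
                yield pos + 1, {"op": ops[pos]}
            return
        for rule in self.rules[symbol]:
            yield from self._derive_rule(rule, ops, pos, [])

    def _derive_rule(self, rule: Rule, ops: List[Op], pos: int, children: List[dict]):
        if len(children) == len(rule.rhs):              # all symbols matched: apply the attribute rule
            attrs = rule.action(children)
            if attrs is not None:
                yield pos, attrs
            return
        for p2, a in self.derive(rule.rhs[len(children)], ops, pos):
            yield from self._derive_rule(rule, ops, p2, children + [a])

    def recognise(self, start: str, ops: List[Op]) -> Optional[dict]:
        """Attributes of the start symbol if the whole sequence is in the language."""
        for p, attrs in self.derive(start, ops, 0):
            if p == len(ops):
                return attrs
        return None


def same_obj(children):          # semantic rule: every child acted on the same object
    objs = {c["obj"] for c in children}
    return {"obj": objs.pop()} if len(objs) == 1 else None


def obj_of_op(children):         # synthesized attribute: the object an operation touches
    return {"obj": children[0]["op"].args[0]}


# Constructed grammar: acquire an object, use it one or more times, release it.
G = AttributeGrammar(
    rules=[
        Rule("Behaviour", ["Acquire", "Uses", "Release"], same_obj),
        Rule("Acquire", ["open"], obj_of_op),
        Rule("Acquire", ["connect"], obj_of_op),
        Rule("Uses", ["Use", "Uses"], same_obj),
        Rule("Uses", ["Use"], same_obj),
        Rule("Use", ["write"], obj_of_op),
        Rule("Use", ["send"], obj_of_op),
        Rule("Release", ["close"], obj_of_op),
    ],
    types={"open": [{"File"}], "connect": [{"Socket"}], "write": [{"File"}],
           "send": [{"Socket"}], "close": [{"File", "Socket"}]},
)

F1, F2, S3 = Obj("File", 1), Obj("File", 2), Obj("Socket", 3)
ACCEPTED = [Op("open", (F1,)), Op("write", (F1,)), Op("write", (F1,)), Op("close", (F1,))]
OVER_SOCKET = [Op("connect", (S3,)), Op("send", (S3,)), Op("close", (S3,))]
WRONG_OBJECT = [Op("open", (F1,)), Op("write", (F2,)), Op("close", (F1,))]   # fails the attribute rule
ILL_TYPED = [Op("open", (F1,)), Op("send", (F1,)), Op("close", (F1,))]       # send needs a Socket
```

The two rejections illustrate the two halves of the specification: `WRONG_OBJECT` is syntactically a valid sentence but the attribute rule `same_obj` rejects it, while `ILL_TYPED` never even reaches the grammar because the type system refuses `send` on a File.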

Experimental method - To be added


Still to read - 2010@SP[WISC.IBM.UCSB]Synthesizing Near-Optimal Malware Specifications from Suspicious Behaviors.pdf

posted @ 2011-07-26 15:25  shengying  Views(322)  Comments(0)