University of Limerick Institutional Repository

Evasion-resistant malware signature based on profiling kernel data structure objects

DSpace Repository

Show simple item record

dc.contributor.author Shosha, Ahmed F
dc.contributor.author Chen-Ching, Liu
dc.contributor.author Gladyshev, Pavel
dc.contributor.author Matten, Marcus
dc.date.accessioned 2013-02-15T16:30:00Z
dc.date.available 2013-02-15T16:30:00Z
dc.date.issued 2012
dc.identifier.uri http://hdl.handle.net/10344/2899
dc.description peer-reviewed en_US
dc.description.abstract Malware authors attempt in an endless effort to find new methods to evade the malware detection engines. A popular method is the use of obfuscation technologies that change the syntax of malicious code while preserving the execution semantics. This leads to the evasion of signatures that are built based on the code syntax. In this paper, we propose a novel approach to develop an evasion-resistant malware signature. This signature is based on the malware’s execution profiles extracted from kernel data structure objects and neither uses malicious code syntax specific information code execution flow information. Thus, proposed signature is more resistant to obfuscation methods and resilient in detecting malicious code variants. To evaluate the effectiveness of the proposed approach, a prototype signature generation tool called SigGENE is developed. The effectiveness of signatures generated by SigGENE evaluated using an experimental root kit-simulation tool that employs techniques commonly found in rootkits. This simulation-tool is obfuscated using several different methods. In further experiments, real-world malware samples that have different variants with the same behavior used to verify the real-world applicability of the approach. The experiments show that the proposed approach is effective, not only in generating a signature that detects the malware and its variants and defeats different obfuscation methods, but also, in producing an execution profiles that can be used to characterize different malicious attacks. en_US
dc.language.iso eng en_US
dc.publisher IEEE Computer Society en_US
dc.relation AFTER en_US
dc.relation.ispartofseries 7th International Conference on Risks and Security of Internet Systems (CRiSIS) 2012;pp. 1-8
dc.relation.uri http://dx.doi.org/10.1109/CRISIS.2012.6378949
dc.rights “© 2012 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.” en_US
dc.subject malware behaviour profiling en_US
dc.subject malware signature en_US
dc.subject signature based detection en_US
dc.subject kernel data structure en_US
dc.title Evasion-resistant malware signature based on profiling kernel data structure objects en_US
dc.type info:eu-repo/semantics/conferenceObject en_US
dc.type.supercollection all_ul_research en_US
dc.type.supercollection ul_published_reviewed en_US
dc.contributor.sponsor ERC en_US
dc.rights.accessrights info:eu-repo/semantics/openAccess en_US


Files in this item

This item appears in the following Collection(s)

Show simple item record

Search ULIR


Browse

My Account

Statistics