Malicious Code Detection Model Based on Behavior Association

Lansheng Han; Mengxiao Qian; Xingbo Xu; Cai Fu; Hamza Kwisaba

doi:10.1109/TST.2014.6919827

Open Access


Lab. of Information Security, School of Computer Science, Huazhong University of Science and Technology, Wuhan 430074, China.


Abstract

Malicious applications are used to attack users and services for financial gain, to steal individuals' sensitive information and the intellectual property of companies and governments, and to take remote control of systems. Traditional methods of malicious code detection, such as signature detection, behavior detection, virtual machine detection, and heuristic detection, each have weaknesses that make them unreliable. This paper reviews the existing technologies of malicious code detection and proposes a detection model based on behavior association. The behavior points of malicious code are first extracted through API monitoring and integrated into behaviors; a relation between behaviors is then established according to data dependence. Next, a behavior association model is built and a discrimination method based on a pushdown automaton is put forward. Finally, real malicious code is taken as a sample in an experiment on behavior capture, association, and discrimination, which shows that the theoretical model is viable.

Keywords

malicious code; behavior monitor; behavior association; pushdown automaton


Tsinghua Science and Technology, Volume 19, Issue 5, October 2014, Pages 508-515


Cite this article:

Han L, Qian M, Xu X, et al. Malicious Code Detection Model Based on Behavior Association. Tsinghua Science and Technology, 2014, 19(5): 508-515. https://doi.org/10.1109/TST.2014.6919827


Table 1 Behavior and dependence relationship.

Behavior point	Extracted behavior	Behavior association	Related parameter
GetCurrentDirectoryA	V1: Get the directory	V1 $\to$ V2	Transmitted by buffer 0x0013FE30
CreateFileA	V2: Open the target file	V2 $\to$ V3	Transmitted by file handle 00000010
		V2 $\to$ V4	Transmitted by file handle 00000010
		V2 $\to$ V6	Transmitted by file handle 00000010
CreateFileMappingA	V3: Map file
MapViewOfFile	V3: Map file
SetFilePointer	V4: Set file pointer	V4 $\to$ V5	Transmitted by file buffer
WriteFile	V5: Write file	V5 $\to$ V6	Transmitted by file handle 00000010
SetEndOfFile	V6: Close file
FlushViewOfFile
UnmapViewOfFile
CloseHandle
GetCurrentDirectoryA	V7: Get system directory	V7 $\to$ V8	Transmitted by directory buffer 0013FC28
CopyFileA	V8: Copy file to system directory
CreateProcessA	V9: Create process	V9 $\to$ V10	Transmitted by process handle
GetModuleFileNameA	V10: Program self-detects
CloseHandle	V10: Program self-detects
ExitProcess	V11: Quit program	V11 $\to$ V10	Transmitted by process handle
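
The associations in Table 1 form a small directed graph whose edges are data dependences. The following is a minimal sketch of that structure, not the authors' implementation: the edge list is copied from the table, while the names `ASSOCIATIONS`, `build_graph`, and `reachable` are hypothetical and chosen only for illustration.

```python
from collections import defaultdict, deque

# (source behavior, dependent behavior, data carrier), copied from Table 1.
ASSOCIATIONS = [
    ("V1", "V2", "buffer 0x0013FE30"),
    ("V2", "V3", "file handle 00000010"),
    ("V2", "V4", "file handle 00000010"),
    ("V2", "V6", "file handle 00000010"),
    ("V4", "V5", "file buffer"),
    ("V5", "V6", "file handle 00000010"),
    ("V7", "V8", "directory buffer 0013FC28"),
    ("V9", "V10", "process handle"),
    ("V11", "V10", "process handle"),
]


def build_graph(associations):
    """Adjacency list: behavior -> [(dependent behavior, data carrier), ...]."""
    graph = defaultdict(list)
    for source, target, carrier in associations:
        graph[source].append((target, carrier))
    return graph


def reachable(graph, start):
    """Behaviors reachable from `start` by following dependence edges (BFS)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for target, _carrier in graph.get(node, []):
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return seen


graph = build_graph(ASSOCIATIONS)
print(sorted(reachable(graph, "V1")))  # ['V1', 'V2', 'V3', 'V4', 'V5', 'V6']
```

Following the edges from V1 groups the file-infection behaviors V1 to V6 into one associated chain, while the copy behaviors (V7, V8) and the process behaviors (V9 to V11) stay in separate chains.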

Table 2 Description of the pushdown automaton.

State alphabet	Input alphabet	Stack alphabet	Transition function	Explanation
Q0: starting program state	V1,V2	Z0	$δ$ (Q0,{V1,V2},Z0)={(Q1,Z1)}	Reaching opening file state by opening file
Q1:opening file state	V4,V5,V6	Z1	$δ$ (Q1,{V4,V5},Z1)={(Q2,Z2)}	Reaching writing file state by writing data into file
Q1:opening file state	V4,V5,V6	Z1	$δ$ (Q1,{V6},Z1)={(Q3,Z5)}	Reaching closing file state by closing file directly after opening the file
Q2:writing file state	V5,V6	Z2, Z3	$δ$ (Q2,{V5},Z2)={(Q2,Z3)}	Staying in writing file state on a further writing file behavior
Q3:closing file state	V7,V8	Z4, Z5	$δ$ (Q3,{V7,V8},Z4)={(Q4,Z6)}	Copying by duplication grammar
Q4:copying file state	V9	Z6	$δ$ (Q4,{V9},Z6)={(Q5,Z7)}	Reaching creating process state by creating process
Q5:creating process state	V10,V11	Z7, Z8	$δ$ (Q5,{V10},Z7)={(Q5,Z8)}	Staying in creating process state if the program self-detects
Q5:creating process state	V10,V11	Z7, Z8	$δ$ (Q5,{V11},Z7)={(Q6,Z9)}	Reaching the final state by quitting program
Q6:ending program state		Z9
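
The rules in Table 2 can be stepped through mechanically. The sketch below is an illustration under stated assumptions rather than the authors' discrimination procedure: a rule is assumed to fire on any single input symbol in its set, each rule replaces the top stack symbol with the new one, and the first rule is assumed to read the initial stack symbol Z0 listed for Q0. The names `RULES`, `step`, and `run` are hypothetical.

```python
# (state, input symbols, stack top) -> (next state, new stack top), from Table 2.
RULES = [
    ("Q0", {"V1", "V2"}, "Z0", "Q1", "Z1"),  # assumption: reads initial symbol Z0
    ("Q1", {"V4", "V5"}, "Z1", "Q2", "Z2"),
    ("Q1", {"V6"}, "Z1", "Q3", "Z5"),
    ("Q2", {"V5"}, "Z2", "Q2", "Z3"),
    ("Q3", {"V7", "V8"}, "Z4", "Q4", "Z6"),
    ("Q4", {"V9"}, "Z6", "Q5", "Z7"),
    ("Q5", {"V10"}, "Z7", "Q5", "Z8"),
    ("Q5", {"V11"}, "Z7", "Q6", "Z9"),
]
FINAL_STATE = "Q6"


def step(state, stack, symbol):
    """Apply the first matching rule; return (state, stack) or None if stuck."""
    for src, inputs, top, dst, new_top in RULES:
        if src == state and symbol in inputs and stack and stack[-1] == top:
            return dst, stack[:-1] + [new_top]
    return None


def run(trace, state="Q0", stack=("Z0",)):
    """Consume behaviors in order; return (state, stack, symbols consumed)."""
    stack = list(stack)
    for consumed, symbol in enumerate(trace):
        result = step(state, stack, symbol)
        if result is None:
            return state, stack, consumed  # no rule applies: stop here
        state, stack = result
    return state, stack, len(trace)


print(run(["V2", "V4", "V5"]))  # ('Q2', ['Z3'], 3)
print(run(["V9", "V11"], state="Q4", stack=("Z6",)))  # ('Q6', ['Z9'], 2)
```

With only the rules transcribed here, no listed rule pushes Z4, so a run that starts in Q0 cannot pass Q3; the second call therefore starts from Q4 to show the tail of the automaton reaching the final state Q6.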

Table 3 Comparison of the behavior association method with existing antivirus methods.

Malicious code	Qihoo 360	Kingsoft	Kaspersky	Behavior association method
Key.Trojan.a	?	?	?	$\checkmark$
Vidio.Trojan.win	!	?	?	$\checkmark$
Pswd.Trojan.t	?	?	!	$\checkmark$
Getkbd.Trojan.W	?	?	!	$\checkmark$
Cross.Trojan.net	!	!	!	$\checkmark$
Pswget.Trojan.b	!	!	!	$\checkmark$
IPget.Trojan.win	!	$\checkmark$	$\checkmark$	$\checkmark$
Fish.Trojan.net	!	!	!	$\checkmark$
Crem.Worm.b	!	$\checkmark$	!	$\checkmark$
Netloc.Worm.hns	?	?	?	$\checkmark$
Joke.Worm.wh	!	?	!	$\checkmark$
ZeuS	$\checkmark$	$\checkmark$	$\checkmark$	$\checkmark$
Reveton	$\checkmark$	$\checkmark$	$\checkmark$	!
Red October	$\checkmark$	$\checkmark$	$\checkmark$	$\checkmark$
Trojan.Generic	$\checkmark$	$\checkmark$	$\checkmark$	!

Notes: Symbols "?", "!", and "$\checkmark$" denote "unknown", "warning", and "identified", respectively.
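
The per-method totals implied by Table 3 can be tallied with a short script. This is only a convenience sketch: the rows are transcribed from the table, the letter `v` stands in for the "identified" mark, and the names `ROWS`, `LABELS`, and `tally` are hypothetical.

```python
from collections import Counter

METHODS = ["Qihoo 360", "Kingsoft", "Kaspersky", "Behavior association"]
LABELS = {"?": "unknown", "!": "warning", "v": "identified"}

# One mark per method, in the column order of Table 3.
ROWS = {
    "Key.Trojan.a": "???v",
    "Vidio.Trojan.win": "!??v",
    "Pswd.Trojan.t": "??!v",
    "Getkbd.Trojan.W": "??!v",
    "Cross.Trojan.net": "!!!v",
    "Pswget.Trojan.b": "!!!v",
    "IPget.Trojan.win": "!vvv",
    "Fish.Trojan.net": "!!!v",
    "Crem.Worm.b": "!v!v",
    "Netloc.Worm.hns": "???v",
    "Joke.Worm.wh": "!?!v",
    "ZeuS": "vvvv",
    "Reveton": "vvv!",
    "Red October": "vvvv",
    "Trojan.Generic": "vvv!",
}


def tally(rows):
    """Count unknown / warning / identified results for each method."""
    counts = {method: Counter() for method in METHODS}
    for marks in rows.values():
        for method, mark in zip(METHODS, marks):
            counts[method][LABELS[mark]] += 1
    return counts


for method, result in tally(ROWS).items():
    print(method, dict(result))
```

On the 15 samples listed, this counts 13 identified and 2 warnings for the behavior association method, against 4, 6, and 5 identified for Qihoo 360, Kingsoft, and Kaspersky, respectively.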