Abstract
Malware is at the root of a large number of information security breaches. Despite the widespread effort devoted to combating it, current techniques have proven insufficient to stem the incessant growth in malware attacks. In this paper, we describe a tool that combines virtualized (isolated) execution environments with dynamic binary instrumentation (DBI) to detect malicious software and prevent its execution. We define two isolated environments: (i) a Testing environment, in which an untrusted program is traced during execution using DBI and subjected to rigorous checks against an extensive set of security policies that express behavioral patterns of malicious software, and (ii) a Real environment, in which the program is subjected to run-time monitoring against a behavioral model (in place of the security policies), combined with a continuous learning process, in order to prevent non-permissible behavior.
We have evaluated the proposed methodology on both Linux and Windows XP, using several virus benchmarks as well as obfuscated versions of them. Experiments demonstrate that our approach achieves almost complete coverage of both the original and the obfuscated viruses. The average slowdown is up to 28.57X in the Testing environment and up to 1.23X in the Real environment. The high overhead of the Testing environment is not a severe impediment, since it is incurred only once and is transparent to the user; users are affected only by the overhead of the Real environment. We believe that our approach has the potential to improve on the state of the art in malware detection, offering improved accuracy with a low performance penalty.
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Aaraj, N., Raghunathan, A., Jha, N.K. (2008). Dynamic Binary Instrumentation-Based Framework for Malware Defense. In: Zamboni, D. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2008. Lecture Notes in Computer Science, vol 5137. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-70542-0_4
DOI: https://doi.org/10.1007/978-3-540-70542-0_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-70541-3
Online ISBN: 978-3-540-70542-0
eBook Packages: Computer Science (R0)