Abstract
Several semantic-based malware analyzers have recently been put forward, each defining its own model to capture code behavior. All of these semantic models, and abstract virology models likewise, fundamentally rely on formalisms equivalent to Turing machines. However, as recent advances in computation theory have shown, these formalisms do not adequately capture interaction and concurrency. Unfortunately, malware, adaptable and resilient by nature, is likely to use these mechanisms intensively. In this paper, we therefore extend malware models to the specifically designed Interaction Machines. We first introduce two formal definitions, for interactive viruses and for distributed viruses. Their detection complexity depends strongly on the class of interactions involved. Based on interactive languages, we then design an operational framework for describing malicious behaviors. Descriptions of some representative behaviors are given to complete and assess this framework.
Cite this article
Jacob, G., Filiol, E. & Debar, H. Malware as interaction machines: a new framework for behavior modelling. J Comput Virol 4, 235–250 (2008). https://doi.org/10.1007/s11416-008-0085-1