
Malware as interaction machines: a new framework for behavior modelling

  • Original Paper
  • Journal in Computer Virology

Abstract

Several semantics-based malware analyzers have recently been proposed, each defining its own model to capture code behavior. All of these semantic models, and abstract virology models likewise, rely fundamentally on formalisms equivalent to Turing machines. However, as recent work in the theory of computation has argued, these formalisms do not adequately capture interaction and concurrency. Unfortunately, malware, which is adaptable and resilient by nature, is likely to make intensive use of exactly these mechanisms. In this paper we therefore extend the malware models to Interaction Machines, which were designed specifically for this purpose. We first introduce two formal definitions, for interactive viruses and for distributed viruses. Their detection complexity depends strongly on the class of interactions involved. Based on interactive languages, we then design an operational framework for describing malicious behaviors. Descriptions of some representative behaviors are given to complete and assess this framework.
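To make the abstract's point concrete, here is an added illustration in Python. It is not code from the paper and it does not reproduce the paper's Interaction Machine formalism, whose definitions are not on this page. It contrasts a behaviour detector that sees one process at a time with one that follows data across the channels through which components interact, on the same "read a sensitive file, then send it" behaviour written once as a single process and once split over two cooperating components. The event model, the actor and channel names, and the sensitive path /etc/passwd are all constructed for the example.

```python
"""
Added illustration (not the paper's own code or formalism): a behaviour
signature checked per process misses the same behaviour once it is split
over interacting components, and an interaction-aware check must also
observe the order in which the components are scheduled.

Event model, constructed for this example:
  ("read", actor, resource)   actor reads a local resource
  ("put",  actor, channel)    actor writes the data it holds to a channel
  ("get",  actor, channel)    actor reads whatever the channel holds
  ("send", actor)             actor sends the data it holds over the network
The behaviour of interest is exfiltration: data read from a sensitive
resource reaches a network send.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Event = Tuple[str, ...]

# Hypothetical sensitive resource used by the sample traces.
SENSITIVE: Set[str] = {"/etc/passwd"}


def per_process_detect(trace: List[Event]) -> Set[str]:
    """Single-process view: an actor is flagged only if it itself reads a
    sensitive resource and later performs a network send."""
    tainted: Dict[str, Set[str]] = defaultdict(set)  # actor -> sensitive data held
    flagged: Set[str] = set()
    for ev in trace:
        kind, actor = ev[0], ev[1]
        if kind == "read" and ev[2] in SENSITIVE:
            tainted[actor].add(ev[2])
        elif kind == "send" and tainted[actor]:
            flagged.add(actor)
    return flagged


def interaction_detect(trace: List[Event]) -> Set[str]:
    """Interaction-aware view: sensitive data also propagates through
    channels, so the read and the send may belong to different actors."""
    tainted: Dict[str, Set[str]] = defaultdict(set)
    in_channel: Dict[str, Set[str]] = defaultdict(set)  # channel -> sensitive data it carries
    flagged: Set[str] = set()
    for ev in trace:
        kind, actor = ev[0], ev[1]
        if kind == "read" and ev[2] in SENSITIVE:
            tainted[actor].add(ev[2])
        elif kind == "put" and tainted[actor]:
            in_channel[ev[2]] |= tainted[actor]
        elif kind == "get":
            # The channel may still be empty at this point of the schedule.
            tainted[actor] |= in_channel[ev[2]]
        elif kind == "send" and tainted[actor]:
            flagged.add(actor)
    return flagged


# Constructed sample traces; actor and channel names are hypothetical.
MONOLITHIC: List[Event] = [
    ("read", "m", "/etc/passwd"),
    ("send", "m"),
]

# The same behaviour split over actors "a" and "b" talking through a pipe,
# interleaved with an unrelated benign actor "c" that reads and sends its own file.
DISTRIBUTED: List[Event] = [
    ("read", "a", "/etc/passwd"),
    ("read", "c", "/tmp/notes.txt"),
    ("put", "a", "pipe1"),
    ("send", "c"),
    ("get", "b", "pipe1"),
    ("send", "b"),
]

# Same two components, scheduled so that "b" reads the pipe before "a"
# has written to it: the exchange never completes, so nothing is exfiltrated.
MISORDERED: List[Event] = [
    ("read", "a", "/etc/passwd"),
    ("get", "b", "pipe1"),
    ("put", "a", "pipe1"),
    ("send", "b"),
]


if __name__ == "__main__":
    for name, trace in (("monolithic", MONOLITHIC),
                        ("distributed", DISTRIBUTED),
                        ("misordered", MISORDERED)):
        print(f"{name:12s} per-process={sorted(per_process_detect(trace))} "
              f"interaction={sorted(interaction_detect(trace))}")
```

Run as a script to print the three verdicts. The per-process detector flags the monolithic trace but returns an empty verdict for the distributed schedule, where each of the two actors looks benign on its own; the interaction-aware detector flags the sending component there because it tracked the data through the pipe. The misordered schedule shows the concurrency side of the argument: the same components with a different interleaving never complete the exchange, and a detector that reasons about the interaction must observe that ordering rather than only the set of components involved.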



Author information


Correspondence to Grégoire Jacob.

Cite this article

Jacob, G., Filiol, E. & Debar, H. Malware as interaction machines: a new framework for behavior modelling. J Comput Virol 4, 235–250 (2008). https://doi.org/10.1007/s11416-008-0085-1
