Abstract
In view of the known shortcomings of form-based detection, a growing number of antivirus products are adopting behavioral detection. Following this trend, form-based mutations could become function-based with the emergence of functional polymorphism: a third generation of mutation mechanisms, specifically designed to counter behavioral detection. Indeed, the same global behavior or purpose (replication, propagation, residency, etc.) can be achieved through different functional solutions, which leaves room for mutations. Whereas current form-based mutation techniques mainly modify the code structure of malware, functional mutations modify the code's functionality, and more particularly the resulting interaction scheme with the operating system and other software. Such functional mutations cannot be achieved without reaching a semantic level of interpretation, higher than that of current techniques, which remain purely syntactic. Drawing a parallel, this article highlights the close relation between functional polymorphic engines and compilers. By studying the associated mutation properties, we prove that these engines exhibit logarithmic entropy and render behavioral detection NP-complete. Finally, the implementation of a prototype is addressed, as well as its possible use for antivirus testing and software protection.
Cite this article
Jacob, G., Filiol, E. & Debar, H. Functional polymorphic engines: formalisation, implementation and use cases. J Comput Virol 5, 247–261 (2009). https://doi.org/10.1007/s11416-008-0095-z