SlideShare a Scribd company logo

Model-checking for efficient malware detection

Pôle Systematic Paris-Region
Pôle Systematic Paris-Region

Tayssir Touili, LIPN

Technology
1 of 52
Download to read offline
Efficient Malware Detection using Model-Checking Tayssir Touili LIPN, CNRS & Univ. Paris 13
Motivation: Malware Detection • The number of new malware exceeds 75 million by the end of 2011, and is still increasing. • The number of malware that produced incidents in 2010 is more than 1.5 billion. • The worm MyDoom slowed down global internet access by 10% in 2004. • Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a central computer system used to monitor technical problems in the aircraft was infected with malware
Motivation: Malware Detection • The number of new malware exceeds 75 million by the end of 2011, and is still increasing. • The number of malware that produced incidents in 2010 is more than 1.5 billion. • The worm MyDoom slowed down global internet access by 10% in 2004. • Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a central computer system used to monitor technical problems in the aircraft was infected with malware Malware detection is important!!
Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature
Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable
Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment
Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment o Checks program’s behavior only in a limited time interval
Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment o Checks program’s behavior only in a limited time interval Solution: Check the behavior (not the syntax) of the program without executing it
Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment o Checks program’s behavior only in a limited time interval Solution: Check the behavior (not the syntax) of the program without executing it Model Checking is a good candidate
Goal: Model-checking for malware detection
Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ?
Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Model?
Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Model? Specification formalism?
Goal: Model-checking for malware detection Existing works: use finite automata to model the programs Binary code ╞ Malicious behavior ? Model? Specification formalism?
Goal: Model-checking for malware detection Existing works: use finite automata to model the programs Stack? Binary code ╞ Malicious behavior ? Model? Specification formalism?
Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system • Antiviruses determine malware by checking the calls to the operating systems. • Virus writers try to hide these calls.
Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system • Antiviruses determine malware by checking the calls to the operating systems. • Virus writers try to hide these calls. L0 : call f L1: … … … f : function f L0 : push L1 L’0: jmp f L1: … … … f : function f
Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system • Antiviruses determine malware by checking the calls to the operating systems. • Virus writers try to hide these calls. L0 : call f L1: … … … f : function f L0 : push L1 L’0: jmp f L1: … … … f : function f Important to analyse the program’s stack
Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system • Antiviruses determine malware by checking the calls to the operating systems. • Virus writers try to hide these calls. L0 : call f L1: … … … f : function f L0 : push L1 L’0: jmp f L1: … … … f : function f Important to analyse the program’s stack Solution: Use pushdown systems to model programs
Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Pushdown Systems Specification formalism?
Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Pushdown Systems Specification formalism?
Specification of malicious behaviors? Example: fragment of email worm Avron Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations. mov eax, 0 push eax call GetModuleHandleA
Specification of malicious behaviors? Example: fragment of email worm Avron Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations. mov eax, 0 push eax call GetModuleHandleA How to describe this specification?
Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0)˄EX (push(eax)˄EX call GetModuleHandleA)
Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0)˄EX (push(eax)˄EX call GetModuleHandleA) EX p: there is a path where p holds at the next state p EX p
Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0)˄EX (push(eax)˄EX call GetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX call GetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX call GetModuleHandleA) ˅ ….. all the other registers EX p: there is a path where p holds at the next state p EX p
Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0)˄EX (push(eax)˄EX call GetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX call GetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX call GetModuleHandleA) ˅ ….. all the other registers EX p: there is a path where p holds at the next state p EX p Huge!
Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL: mov(eax,0)˄EX (push(eax)˄EX callGetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX callGetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX callGetModuleHandleA) ˅ ….. all the other registers ∀∃, CTPL = CTL + variables +
Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL: mov(eax,0)˄EX (push(eax)˄EX callGetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX callGetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX callGetModuleHandleA) ˅ ….. all the other registers ∀∃, CTPL = CTL + variables + In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA))
Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL: mov(eax,0)˄EX (push(eax)˄EX callGetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX callGetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX callGetModuleHandleA) ˅ ….. all the other registers ∀∃, CTPL = CTL + variables + In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA)) CTPL cannot describe the stack: needed for malicious behaviors description
Specification of malicious behaviors? Example: fragment of email worm Avron In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA)) mov eax, 0 push eax call GetModuleHandleA Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations.
Specification of malicious behaviors? Example: fragment of email worm Avron In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA)) mov eax, 0 push ebx pop ebx push eax call GetModuleHandleA Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations.
Specification of malicious behaviors? Example: fragment of email worm Avron In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA)) mov eax, 0 push ebx pop ebx push eax call GetModuleHandleA Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations. Our solution: Consider predicates over the stack
Specification of malicious behaviors? Example: fragment of email worm Avron In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA)) mov eax, 0 push ebx pop ebx push eax call GetModuleHandleA Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations. Our solution: Consider predicates over the stack In SCTPL: EF ( call GetModuleHandleA ˄ (head_stack = 0) ) EF p: there is a path where p holds in the future
Expressing Obfuscated Calls in SCTPL L0 : call f L: … … … f : function f L0 : push L L’0: jmp f L: … … … f : function f
Expressing Obfuscated Calls in SCTPL L0 : call f L: … … … f : function f L0 : push L L’0: jmp f L: … … … f : function f ᴲL ( E !( ᴲ f call(f) ˄ AX (head_stack=L)) U (ret ˄ (head_stack= L)))
Expressing Obfuscated Calls in SCTPL L0 : call f L: … … … f : function f L0 : push L1 L’0: jmp f L: … … … f : function f ᴲL ( E !( ᴲ f call(f) ˄ AX (head_stack=L)) U (ret ˄ (head_stack= L))) L is not a return address of a function call
Expressing Obfuscated returns in SCTPL L0 : call f a : … … f: … … pop eax jmp eax h_s= a h_s= a h_s : head-stack !
Expressing Appending Viruses in SCTPL L0 : call f a : … f: pop eax An appending virus append itself at the end of the host file The virus has to compute its address in memory h_s = a h_s = a h_s : head-stack
Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ?
Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Pushdown Systems SCTPL
Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Pushdown Systems SCTPL Pushdown System╞ SCTPL ?
SCTPL model-checking for Pushdown Systems Non trivial: stack can be unbounded
SCTPL model-checking for Pushdown Systems Non trivial: stack can be unbounded Theorem: Given a Pushdown System P and a SCTPL formula ᵠ, whether P satisfies ᵠ can be effectively decided.
Implementation We implemented our techniques in a tool for virus detection IdaPro + Jakstab CFGBinary Code Translator PDS Model-checking engine Malware behaviors as SCTPL formulas YES/NO
Experiments of POMMADE 1. Our tool was able to detect more than 800 malwares 2.We checked 400 real benign programs from Windows XP system. Benign programs are proved benign with only three false positives. 3.Our tool was able to detect all the 200 new malwares generated by two malware creators 4.Analyze the Flame malware that was not detected for more than 5 years by any anti-virus
Our tool vs. known anti-viruses NGVCK and VCL32 malware generators 1.generate 200 new malwares 2.the best malware generators 3.generate complex malwares Gener ator No. Of Vari ant s PO MM ADE Avi ra Kasp ersk y Ava st Qiho o 360 McA fee AVG BitDef ender Eset Nod3 2 F- Sec ure Nort on Pan da Tre nd Micr o NGVC K 100 100 % 0% 23% 18 % 68% 100 % 11% 97% 81% 0% 46% 0% 0% VCL32 100 100 % 0% 2% 100 % 99% 0% 100 % 100% 76% 0% 30% 0% 0%
Analyze The Flame Malware Flame is being used for targeted cyber espionage in Middle Eastern countries. It can 1.sniff the network traffic 2.take screenshots 3.record audio conversations 4.intercept the keyboard 5.and so on It was not detected by any anti-virus for 5 years
Analyze The Flame Malware Flame is being used for targeted cyber espionage in Middle Eastern countries. It can 1.sniff the network traffic 2.take screenshots 3.record audio conversations 4.intercept the keyboard 5.and so on It was not detected by any anti-virus for 5 years Our tool can detect this malware Flame
Conclusion • We introduced a new logic SCTPL to precisely specify malicious behaviors • We proposed efficient SCTPL model-checking algorithms for pushdown systems. • We implemented our techniques in a tool for malware detection: POMMADE •POMMADE was able to detect more than 800 malwares, several of them cannot be detected by well-known anti-viruses, such as, Avast, Kaspersky, McAfee, Norton, Avira, etc
Questions?

Recommended

Guadalajara con 2012
Guadalajara con 2012Guadalajara con 2012
Guadalajara con 2012Jaime Restrepo
 
Half-automatic Compilable Source Code Recovery
Half-automatic Compilable Source Code RecoveryHalf-automatic Compilable Source Code Recovery
Half-automatic Compilable Source Code RecoveryJoxean Koret
 
Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Joxean Koret
 
Test Driven Development of A Static Code Analyzer
Test Driven Development of A Static Code AnalyzerTest Driven Development of A Static Code Analyzer
Test Driven Development of A Static Code AnalyzerTerry Yin
 
CodeChecker Overview Nov 2019
CodeChecker Overview Nov 2019CodeChecker Overview Nov 2019
CodeChecker Overview Nov 2019Olivera Milenkovic
 
Static Code Analysis: Keeping the Cost of Bug Fixing Down
Static Code Analysis: Keeping the Cost of Bug Fixing DownStatic Code Analysis: Keeping the Cost of Bug Fixing Down
Static Code Analysis: Keeping the Cost of Bug Fixing DownAndrey Karpov
 
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...Software Guru
 
Challenges in High Accuracy of Malware Detection
Challenges in High Accuracy of Malware DetectionChallenges in High Accuracy of Malware Detection
Challenges in High Accuracy of Malware DetectionMuhammad Najmi Ahmad Zabidi
 

Recommended

Guadalajara con 2012
Guadalajara con 2012Guadalajara con 2012
Guadalajara con 2012Jaime Restrepo
 
Half-automatic Compilable Source Code Recovery
Half-automatic Compilable Source Code RecoveryHalf-automatic Compilable Source Code Recovery
Half-automatic Compilable Source Code RecoveryJoxean Koret
 
Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Joxean Koret
 
Test Driven Development of A Static Code Analyzer
Test Driven Development of A Static Code AnalyzerTest Driven Development of A Static Code Analyzer
Test Driven Development of A Static Code AnalyzerTerry Yin
 
CodeChecker Overview Nov 2019
CodeChecker Overview Nov 2019CodeChecker Overview Nov 2019
CodeChecker Overview Nov 2019Olivera Milenkovic
 
Static Code Analysis: Keeping the Cost of Bug Fixing Down
Static Code Analysis: Keeping the Cost of Bug Fixing DownStatic Code Analysis: Keeping the Cost of Bug Fixing Down
Static Code Analysis: Keeping the Cost of Bug Fixing DownAndrey Karpov
 
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...Software Guru
 
Challenges in High Accuracy of Malware Detection
Challenges in High Accuracy of Malware DetectionChallenges in High Accuracy of Malware Detection
Challenges in High Accuracy of Malware DetectionMuhammad Najmi Ahmad Zabidi
 
Applications of genetic algorithms to malware detection and creation
Applications of genetic algorithms to malware detection and creationApplications of genetic algorithms to malware detection and creation
Applications of genetic algorithms to malware detection and creationUltraUploader
 
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...Silvio Cesare
 
Zero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareZero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareMyNOG
 
Seminar
SeminarSeminar
SeminarKevin ITian
 
Malware Detection With Multiple Features
Malware Detection With Multiple FeaturesMalware Detection With Multiple Features
Malware Detection With Multiple FeaturesMuhammad Najmi Ahmad Zabidi
 
Ensembled Based Categorization and Adaptive Learning Model for Malware Detection
Ensembled Based Categorization and Adaptive Learning Model for Malware DetectionEnsembled Based Categorization and Adaptive Learning Model for Malware Detection
Ensembled Based Categorization and Adaptive Learning Model for Malware DetectionMuhammad Najmi Ahmad Zabidi
 
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...Carlos Laorden
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseLuca Simonelli
 
Malware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveMalware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveChong-Kuan Chen
 
µfab lab par Serious Gaming Consulting
µfab lab par Serious Gaming Consultingµfab lab par Serious Gaming Consulting
µfab lab par Serious Gaming ConsultingLes Interconnectés
 
Les Labs d'Argent - CC du Val d'Argent
Les Labs d'Argent - CC du Val d'ArgentLes Labs d'Argent - CC du Val d'Argent
Les Labs d'Argent - CC du Val d'ArgentLes Interconnectés
 
ExplorCamp #7 ilek : Plateforme d’énergie collaborative
ExplorCamp #7 ilek : Plateforme d’énergie collaborativeExplorCamp #7 ilek : Plateforme d’énergie collaborative
ExplorCamp #7 ilek : Plateforme d’énergie collaborativeEnerGaïa
 
Pays de Châteaubriant - Les pratiques collaboratives
Pays de Châteaubriant - Les pratiques collaborativesPays de Châteaubriant - Les pratiques collaboratives
Pays de Châteaubriant - Les pratiques collaborativesLes Interconnectés
 
Rando jeu
Rando jeuRando jeu
Rando jeuLes Interconnectés
 
Habitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive Droite
Habitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive DroiteHabitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive Droite
Habitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive DroiteLes Interconnectés
 
Outil de déplacement pour les loisirs - CDT Béarn-Pays Basque
Outil de déplacement pour les loisirs - CDT Béarn-Pays BasqueOutil de déplacement pour les loisirs - CDT Béarn-Pays Basque
Outil de déplacement pour les loisirs - CDT Béarn-Pays BasqueLes Interconnectés
 
Minalogic - Expériences digitales et dynamisation des centres-villes
Minalogic - Expériences digitales et dynamisation des centres-villesMinalogic - Expériences digitales et dynamisation des centres-villes
Minalogic - Expériences digitales et dynamisation des centres-villesLes Interconnectés
 
Wizway
WizwayWizway
WizwayLes Interconnectés
 
Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...
Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...
Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...EnerGaïa
 
Amienscope (plateforme AppAwelty Agenda) - Amiens Métropole
Amienscope (plateforme AppAwelty Agenda) - Amiens MétropoleAmienscope (plateforme AppAwelty Agenda) - Amiens Métropole
Amienscope (plateforme AppAwelty Agenda) - Amiens MétropoleLes Interconnectés
 
A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...
A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...
A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...Lionel Briand
 
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxyDEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxyFelipe Prado
 

More Related Content

Viewers also liked

Applications of genetic algorithms to malware detection and creation
Applications of genetic algorithms to malware detection and creationApplications of genetic algorithms to malware detection and creation
Applications of genetic algorithms to malware detection and creationUltraUploader
 
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...Silvio Cesare
 
Zero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareZero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareMyNOG
 
Ensembled Based Categorization and Adaptive Learning Model for Malware Detection
Ensembled Based Categorization and Adaptive Learning Model for Malware DetectionEnsembled Based Categorization and Adaptive Learning Model for Malware Detection
Ensembled Based Categorization and Adaptive Learning Model for Malware DetectionMuhammad Najmi Ahmad Zabidi
 
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...Carlos Laorden
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseLuca Simonelli
 
Malware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveMalware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveChong-Kuan Chen
 
µfab lab par Serious Gaming Consulting
µfab lab par Serious Gaming Consultingµfab lab par Serious Gaming Consulting
µfab lab par Serious Gaming ConsultingLes Interconnectés
 
Les Labs d'Argent - CC du Val d'Argent
Les Labs d'Argent - CC du Val d'ArgentLes Labs d'Argent - CC du Val d'Argent
Les Labs d'Argent - CC du Val d'ArgentLes Interconnectés
 
ExplorCamp #7 ilek : Plateforme d’énergie collaborative
ExplorCamp #7 ilek : Plateforme d’énergie collaborativeExplorCamp #7 ilek : Plateforme d’énergie collaborative
ExplorCamp #7 ilek : Plateforme d’énergie collaborativeEnerGaïa
 
Pays de Châteaubriant - Les pratiques collaboratives
Pays de Châteaubriant - Les pratiques collaborativesPays de Châteaubriant - Les pratiques collaboratives
Pays de Châteaubriant - Les pratiques collaborativesLes Interconnectés
 
Habitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive Droite
Habitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive DroiteHabitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive Droite
Habitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive DroiteLes Interconnectés
 
Outil de déplacement pour les loisirs - CDT Béarn-Pays Basque
Outil de déplacement pour les loisirs - CDT Béarn-Pays BasqueOutil de déplacement pour les loisirs - CDT Béarn-Pays Basque
Outil de déplacement pour les loisirs - CDT Béarn-Pays BasqueLes Interconnectés
 
Minalogic - Expériences digitales et dynamisation des centres-villes
Minalogic - Expériences digitales et dynamisation des centres-villesMinalogic - Expériences digitales et dynamisation des centres-villes
Minalogic - Expériences digitales et dynamisation des centres-villesLes Interconnectés
 
Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...
Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...
Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...EnerGaïa
 
Amienscope (plateforme AppAwelty Agenda) - Amiens Métropole
Amienscope (plateforme AppAwelty Agenda) - Amiens MétropoleAmienscope (plateforme AppAwelty Agenda) - Amiens Métropole
Amienscope (plateforme AppAwelty Agenda) - Amiens MétropoleLes Interconnectés
 

Viewers also liked (20)

Applications of genetic algorithms to malware detection and creation
Applications of genetic algorithms to malware detection and creationApplications of genetic algorithms to malware detection and creation
Applications of genetic algorithms to malware detection and creation
 
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...
 
Zero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareZero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source Software
 
Seminar
SeminarSeminar
Seminar
 
Malware Detection With Multiple Features
Malware Detection With Multiple FeaturesMalware Detection With Multiple Features
Malware Detection With Multiple Features
 
Ensembled Based Categorization and Adaptive Learning Model for Malware Detection
Ensembled Based Categorization and Adaptive Learning Model for Malware DetectionEnsembled Based Categorization and Adaptive Learning Model for Malware Detection
Ensembled Based Categorization and Adaptive Learning Model for Malware Detection
 
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and Defense
 
Malware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveMalware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning Perspective
 
µfab lab par Serious Gaming Consulting
µfab lab par Serious Gaming Consultingµfab lab par Serious Gaming Consulting
µfab lab par Serious Gaming Consulting
 
Les Labs d'Argent - CC du Val d'Argent
Les Labs d'Argent - CC du Val d'ArgentLes Labs d'Argent - CC du Val d'Argent
Les Labs d'Argent - CC du Val d'Argent
 
ExplorCamp #7 ilek : Plateforme d’énergie collaborative
ExplorCamp #7 ilek : Plateforme d’énergie collaborativeExplorCamp #7 ilek : Plateforme d’énergie collaborative
ExplorCamp #7 ilek : Plateforme d’énergie collaborative
 
Pays de Châteaubriant - Les pratiques collaboratives
Pays de Châteaubriant - Les pratiques collaborativesPays de Châteaubriant - Les pratiques collaboratives
Pays de Châteaubriant - Les pratiques collaboratives
 
Rando jeu
Rando jeuRando jeu
Rando jeu
 
Habitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive Droite
Habitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive DroiteHabitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive Droite
Habitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive Droite
 
Outil de déplacement pour les loisirs - CDT Béarn-Pays Basque
Outil de déplacement pour les loisirs - CDT Béarn-Pays BasqueOutil de déplacement pour les loisirs - CDT Béarn-Pays Basque
Outil de déplacement pour les loisirs - CDT Béarn-Pays Basque
 
Minalogic - Expériences digitales et dynamisation des centres-villes
Minalogic - Expériences digitales et dynamisation des centres-villesMinalogic - Expériences digitales et dynamisation des centres-villes
Minalogic - Expériences digitales et dynamisation des centres-villes
 
Wizway
WizwayWizway
Wizway
 
Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...
Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...
Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...
 
Amienscope (plateforme AppAwelty Agenda) - Amiens Métropole
Amienscope (plateforme AppAwelty Agenda) - Amiens MétropoleAmienscope (plateforme AppAwelty Agenda) - Amiens Métropole
Amienscope (plateforme AppAwelty Agenda) - Amiens Métropole
 

Similar to Model-checking for efficient malware detection

A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...
A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...
A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...Lionel Briand
 
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxyDEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxyFelipe Prado
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware GenerationStephan Chenette
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Cysinfo Cyber Security Community
 
DEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPDEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPAmr Thabet
 
CISC 879 - Machine Learning for Solving Systems Problems
CISC 879 - Machine Learning for Solving Systems Problems CISC 879 - Machine Learning for Solving Systems Problems
CISC 879 - Machine Learning for Solving Systems Problems butest
 
Viruses and Anti-Viruses
Viruses and Anti-VirusesViruses and Anti-Viruses
Viruses and Anti-VirusesAyman Hussein
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowVi Tính Hoàng Nam
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Stephan Chenette
 
0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and...
0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and...0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and...
0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and...Wayne Huang
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionNeel Pathak
 
Analysis, Anti-Analysis, Anti-Anti-Analysis: An Overview of the Evasive Malwa...
Analysis, Anti-Analysis, Anti-Anti-Analysis: An Overview of the Evasive Malwa...Analysis, Anti-Analysis, Anti-Anti-Analysis: An Overview of the Evasive Malwa...
Analysis, Anti-Analysis, Anti-Anti-Analysis: An Overview of the Evasive Malwa...Marcus Botacin
 
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...Rouven Weßling
 
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)Sophos Benelux
 
This is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept XThis is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept XSophos Benelux
 
Are current antivirus programs able to detect complex metamorphic malware an ...
Are current antivirus programs able to detect complex metamorphic malware an ...Are current antivirus programs able to detect complex metamorphic malware an ...
Are current antivirus programs able to detect complex metamorphic malware an ...UltraUploader
 
Reverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical GuideReverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical Guideintertelinvestigations
 

Similar to Model-checking for efficient malware detection (20)

A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...
A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...
A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...
 
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxyDEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware Generation
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
 
DEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPDEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WP
 
CISC 879 - Machine Learning for Solving Systems Problems
CISC 879 - Machine Learning for Solving Systems Problems CISC 879 - Machine Learning for Solving Systems Problems
CISC 879 - Machine Learning for Solving Systems Problems
 
Viruses and Anti-Viruses
Viruses and Anti-VirusesViruses and Anti-Viruses
Viruses and Anti-Viruses
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflow
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
 
0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and...
0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and...0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and...
0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and...
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
 
Analysis, Anti-Analysis, Anti-Anti-Analysis: An Overview of the Evasive Malwa...
Analysis, Anti-Analysis, Anti-Anti-Analysis: An Overview of the Evasive Malwa...Analysis, Anti-Analysis, Anti-Anti-Analysis: An Overview of the Evasive Malwa...
Analysis, Anti-Analysis, Anti-Anti-Analysis: An Overview of the Evasive Malwa...
 
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
 
Kali linux and hacking
Kali linux and hackingKali linux and hacking
Kali linux and hacking
 
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
 
This is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept XThis is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept X
 
Are current antivirus programs able to detect complex metamorphic malware an ...
Are current antivirus programs able to detect complex metamorphic malware an ...Are current antivirus programs able to detect complex metamorphic malware an ...
Are current antivirus programs able to detect complex metamorphic malware an ...
 
Reverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical GuideReverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical Guide
 

More from Pôle Systematic Paris-Region

OSIS19_IoT :Transparent remote connectivity to short-range IoT devices, by Na...
OSIS19_IoT :Transparent remote connectivity to short-range IoT devices, by Na...OSIS19_IoT :Transparent remote connectivity to short-range IoT devices, by Na...
OSIS19_IoT :Transparent remote connectivity to short-range IoT devices, by Na...Pôle Systematic Paris-Region
 
OSIS19_Cloud : SAFC: Scheduling and Allocation Framework for Containers in a ...
OSIS19_Cloud : SAFC: Scheduling and Allocation Framework for Containers in a ...OSIS19_Cloud : SAFC: Scheduling and Allocation Framework for Containers in a ...
OSIS19_Cloud : SAFC: Scheduling and Allocation Framework for Containers in a ...Pôle Systematic Paris-Region
 
OSIS19_Cloud : Qu’apporte l’observabilité à la gestion de configuration? par ...
OSIS19_Cloud : Qu’apporte l’observabilité à la gestion de configuration? par ...OSIS19_Cloud : Qu’apporte l’observabilité à la gestion de configuration? par ...
OSIS19_Cloud : Qu’apporte l’observabilité à la gestion de configuration? par ...Pôle Systematic Paris-Region
 
OSIS19_Cloud : Performance and power management in virtualized data centers, ...
OSIS19_Cloud : Performance and power management in virtualized data centers, ...OSIS19_Cloud : Performance and power management in virtualized data centers, ...
OSIS19_Cloud : Performance and power management in virtualized data centers, ...Pôle Systematic Paris-Region
 
OSIS19_Cloud : Des objets dans le cloud, et qui y restent -- L'expérience du ...
OSIS19_Cloud : Des objets dans le cloud, et qui y restent -- L'expérience du ...OSIS19_Cloud : Des objets dans le cloud, et qui y restent -- L'expérience du ...
OSIS19_Cloud : Des objets dans le cloud, et qui y restent -- L'expérience du ...Pôle Systematic Paris-Region
 
OSIS19_Cloud : Attribution automatique de ressources pour micro-services, Alt...
OSIS19_Cloud : Attribution automatique de ressources pour micro-services, Alt...OSIS19_Cloud : Attribution automatique de ressources pour micro-services, Alt...
OSIS19_Cloud : Attribution automatique de ressources pour micro-services, Alt...Pôle Systematic Paris-Region
 
OSIS19_IoT : State of the art in security for embedded systems and IoT, by Pi...
OSIS19_IoT : State of the art in security for embedded systems and IoT, by Pi...OSIS19_IoT : State of the art in security for embedded systems and IoT, by Pi...
OSIS19_IoT : State of the art in security for embedded systems and IoT, by Pi...Pôle Systematic Paris-Region
 
Osis19_IoT: Proof of Pointer Programs with Ownership in SPARK, by Yannick Moy
Osis19_IoT: Proof of Pointer Programs with Ownership in SPARK, by Yannick MoyOsis19_IoT: Proof of Pointer Programs with Ownership in SPARK, by Yannick Moy
Osis19_IoT: Proof of Pointer Programs with Ownership in SPARK, by Yannick MoyPôle Systematic Paris-Region
 
Osis18_Cloud : Virtualisation efficace d’architectures NUMA
Osis18_Cloud : Virtualisation efficace d’architectures NUMAOsis18_Cloud : Virtualisation efficace d’architectures NUMA
Osis18_Cloud : Virtualisation efficace d’architectures NUMAPôle Systematic Paris-Region
 
Osis18_Cloud : DeepTorrent Stockage distribué perenne basé sur Bittorrent
Osis18_Cloud : DeepTorrent Stockage distribué perenne basé sur BittorrentOsis18_Cloud : DeepTorrent Stockage distribué perenne basé sur Bittorrent
Osis18_Cloud : DeepTorrent Stockage distribué perenne basé sur BittorrentPôle Systematic Paris-Region
 
OSIS18_IoT: L'approche machine virtuelle pour les microcontrôleurs, le projet...
OSIS18_IoT: L'approche machine virtuelle pour les microcontrôleurs, le projet...OSIS18_IoT: L'approche machine virtuelle pour les microcontrôleurs, le projet...
OSIS18_IoT: L'approche machine virtuelle pour les microcontrôleurs, le projet...Pôle Systematic Paris-Region
 
OSIS18_IoT: La securite des objets connectes a bas cout avec l'os et riot
OSIS18_IoT: La securite des objets connectes a bas cout avec l'os et riotOSIS18_IoT: La securite des objets connectes a bas cout avec l'os et riot
OSIS18_IoT: La securite des objets connectes a bas cout avec l'os et riotPôle Systematic Paris-Region
 
OSIS18_IoT : Solution de mise au point pour les systemes embarques, par Julio...
OSIS18_IoT : Solution de mise au point pour les systemes embarques, par Julio...OSIS18_IoT : Solution de mise au point pour les systemes embarques, par Julio...
OSIS18_IoT : Solution de mise au point pour les systemes embarques, par Julio...Pôle Systematic Paris-Region
 
OSIS18_IoT : Securisation du reseau des objets connectes, par Nicolas LE SAUZ...
OSIS18_IoT : Securisation du reseau des objets connectes, par Nicolas LE SAUZ...OSIS18_IoT : Securisation du reseau des objets connectes, par Nicolas LE SAUZ...
OSIS18_IoT : Securisation du reseau des objets connectes, par Nicolas LE SAUZ...Pôle Systematic Paris-Region
 
OSIS18_IoT : Ada and SPARK - Defense in Depth for Safe Micro-controller Progr...
OSIS18_IoT : Ada and SPARK - Defense in Depth for Safe Micro-controller Progr...OSIS18_IoT : Ada and SPARK - Defense in Depth for Safe Micro-controller Progr...
OSIS18_IoT : Ada and SPARK - Defense in Depth for Safe Micro-controller Progr...Pôle Systematic Paris-Region
 
OSIS18_IoT : RTEMS pour l'IoT professionnel, par Pierre Ficheux (Smile ECS)
OSIS18_IoT : RTEMS pour l'IoT professionnel, par Pierre Ficheux (Smile ECS)OSIS18_IoT : RTEMS pour l'IoT professionnel, par Pierre Ficheux (Smile ECS)
OSIS18_IoT : RTEMS pour l'IoT professionnel, par Pierre Ficheux (Smile ECS)Pôle Systematic Paris-Region
 
PyParis 2017 / Un mooc python, by thierry parmentelat
PyParis 2017 / Un mooc python, by thierry parmentelatPyParis 2017 / Un mooc python, by thierry parmentelat
PyParis 2017 / Un mooc python, by thierry parmentelatPôle Systematic Paris-Region
 

More from Pôle Systematic Paris-Region (20)

OSIS19_IoT :Transparent remote connectivity to short-range IoT devices, by Na...
OSIS19_IoT :Transparent remote connectivity to short-range IoT devices, by Na...OSIS19_IoT :Transparent remote connectivity to short-range IoT devices, by Na...
OSIS19_IoT :Transparent remote connectivity to short-range IoT devices, by Na...
 
OSIS19_Cloud : SAFC: Scheduling and Allocation Framework for Containers in a ...
OSIS19_Cloud : SAFC: Scheduling and Allocation Framework for Containers in a ...OSIS19_Cloud : SAFC: Scheduling and Allocation Framework for Containers in a ...
OSIS19_Cloud : SAFC: Scheduling and Allocation Framework for Containers in a ...
 
OSIS19_Cloud : Qu’apporte l’observabilité à la gestion de configuration? par ...
OSIS19_Cloud : Qu’apporte l’observabilité à la gestion de configuration? par ...OSIS19_Cloud : Qu’apporte l’observabilité à la gestion de configuration? par ...
OSIS19_Cloud : Qu’apporte l’observabilité à la gestion de configuration? par ...
 
OSIS19_Cloud : Performance and power management in virtualized data centers, ...
OSIS19_Cloud : Performance and power management in virtualized data centers, ...OSIS19_Cloud : Performance and power management in virtualized data centers, ...
OSIS19_Cloud : Performance and power management in virtualized data centers, ...
 
OSIS19_Cloud : Des objets dans le cloud, et qui y restent -- L'expérience du ...
OSIS19_Cloud : Des objets dans le cloud, et qui y restent -- L'expérience du ...OSIS19_Cloud : Des objets dans le cloud, et qui y restent -- L'expérience du ...
OSIS19_Cloud : Des objets dans le cloud, et qui y restent -- L'expérience du ...
 
OSIS19_Cloud : Attribution automatique de ressources pour micro-services, Alt...
OSIS19_Cloud : Attribution automatique de ressources pour micro-services, Alt...OSIS19_Cloud : Attribution automatique de ressources pour micro-services, Alt...
OSIS19_Cloud : Attribution automatique de ressources pour micro-services, Alt...
 
OSIS19_IoT : State of the art in security for embedded systems and IoT, by Pi...
OSIS19_IoT : State of the art in security for embedded systems and IoT, by Pi...OSIS19_IoT : State of the art in security for embedded systems and IoT, by Pi...
OSIS19_IoT : State of the art in security for embedded systems and IoT, by Pi...
 
Osis19_IoT: Proof of Pointer Programs with Ownership in SPARK, by Yannick Moy
Osis19_IoT: Proof of Pointer Programs with Ownership in SPARK, by Yannick MoyOsis19_IoT: Proof of Pointer Programs with Ownership in SPARK, by Yannick Moy
Osis19_IoT: Proof of Pointer Programs with Ownership in SPARK, by Yannick Moy
 
Osis18_Cloud : Pas de commun sans communauté ?
Osis18_Cloud : Pas de commun sans communauté ?Osis18_Cloud : Pas de commun sans communauté ?
Osis18_Cloud : Pas de commun sans communauté ?
 
Osis18_Cloud : Projet Wolphin
Osis18_Cloud : Projet Wolphin Osis18_Cloud : Projet Wolphin
Osis18_Cloud : Projet Wolphin
 
Osis18_Cloud : Virtualisation efficace d’architectures NUMA
Osis18_Cloud : Virtualisation efficace d’architectures NUMAOsis18_Cloud : Virtualisation efficace d’architectures NUMA
Osis18_Cloud : Virtualisation efficace d’architectures NUMA
 
Osis18_Cloud : DeepTorrent Stockage distribué perenne basé sur Bittorrent
Osis18_Cloud : DeepTorrent Stockage distribué perenne basé sur BittorrentOsis18_Cloud : DeepTorrent Stockage distribué perenne basé sur Bittorrent
Osis18_Cloud : DeepTorrent Stockage distribué perenne basé sur Bittorrent
 
Osis18_Cloud : Software-heritage
Osis18_Cloud : Software-heritageOsis18_Cloud : Software-heritage
Osis18_Cloud : Software-heritage
 
OSIS18_IoT: L'approche machine virtuelle pour les microcontrôleurs, le projet...
OSIS18_IoT: L'approche machine virtuelle pour les microcontrôleurs, le projet...OSIS18_IoT: L'approche machine virtuelle pour les microcontrôleurs, le projet...
OSIS18_IoT: L'approche machine virtuelle pour les microcontrôleurs, le projet...
 
OSIS18_IoT: La securite des objets connectes a bas cout avec l'os et riot
OSIS18_IoT: La securite des objets connectes a bas cout avec l'os et riotOSIS18_IoT: La securite des objets connectes a bas cout avec l'os et riot
OSIS18_IoT: La securite des objets connectes a bas cout avec l'os et riot
 
OSIS18_IoT : Solution de mise au point pour les systemes embarques, par Julio...
OSIS18_IoT : Solution de mise au point pour les systemes embarques, par Julio...OSIS18_IoT : Solution de mise au point pour les systemes embarques, par Julio...
OSIS18_IoT : Solution de mise au point pour les systemes embarques, par Julio...
 
OSIS18_IoT : Securisation du reseau des objets connectes, par Nicolas LE SAUZ...
OSIS18_IoT : Securisation du reseau des objets connectes, par Nicolas LE SAUZ...OSIS18_IoT : Securisation du reseau des objets connectes, par Nicolas LE SAUZ...
OSIS18_IoT : Securisation du reseau des objets connectes, par Nicolas LE SAUZ...
 
OSIS18_IoT : Ada and SPARK - Defense in Depth for Safe Micro-controller Progr...
OSIS18_IoT : Ada and SPARK - Defense in Depth for Safe Micro-controller Progr...OSIS18_IoT : Ada and SPARK - Defense in Depth for Safe Micro-controller Progr...
OSIS18_IoT : Ada and SPARK - Defense in Depth for Safe Micro-controller Progr...
 
OSIS18_IoT : RTEMS pour l'IoT professionnel, par Pierre Ficheux (Smile ECS)
OSIS18_IoT : RTEMS pour l'IoT professionnel, par Pierre Ficheux (Smile ECS)OSIS18_IoT : RTEMS pour l'IoT professionnel, par Pierre Ficheux (Smile ECS)
OSIS18_IoT : RTEMS pour l'IoT professionnel, par Pierre Ficheux (Smile ECS)
 
PyParis 2017 / Un mooc python, by thierry parmentelat
PyParis 2017 / Un mooc python, by thierry parmentelatPyParis 2017 / Un mooc python, by thierry parmentelat
PyParis 2017 / Un mooc python, by thierry parmentelat
 

Recently uploaded

Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneUiPathCommunity
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 

Recently uploaded (20)

Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
How Tech Giants Cut Corners to Harvest Data for A.I.
How Tech Giants Cut Corners to Harvest Data for A.I.How Tech Giants Cut Corners to Harvest Data for A.I.
How Tech Giants Cut Corners to Harvest Data for A.I.
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyone
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 

Model-checking for efficient malware detection

  • 1. Efficient Malware Detection using Model-Checking Tayssir Touili LIPN, CNRS & Univ. Paris 13
  • 2. Motivation: Malware Detection • The number of new malware exceeds 75 million by the end of 2011, and is still increasing. • The number of malware that produced incidents in 2010 is more than 1.5 billion. • The worm MyDoom slowed down global internet access by 10% in 2004. • Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a central computer system used to monitor technical problems in the aircraft was infected with malware
  • 3. Motivation: Malware Detection • The number of new malware exceeds 75 million by the end of 2011, and is still increasing. • The number of malware that produced incidents in 2010 is more than 1.5 billion. • The worm MyDoom slowed down global internet access by 10% in 2004. • Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a central computer system used to monitor technical problems in the aircraft was infected with malware Malware detection is important!!
  • 4. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature
  • 5. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable
  • 6. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment
  • 7. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment o Checks program’s behavior only in a limited time interval
  • 8. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment o Checks program’s behavior only in a limited time interval Solution: Check the behavior (not the syntax) of the program without executing it
  • 9. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment o Checks program’s behavior only in a limited time interval Solution: Check the behavior (not the syntax) of the program without executing it Model Checking is a good candidate
  • 10. Goal: Model-checking for malware detection
  • 11. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ?
  • 12. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Model?
  • 13. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Model? Specification formalism?
  • 14. Goal: Model-checking for malware detection Existing works: use finite automata to model the programs Binary code ╞ Malicious behavior ? Model? Specification formalism?
  • 15. Goal: Model-checking for malware detection Existing works: use finite automata to model the programs Stack? Binary code ╞ Malicious behavior ? Model? Specification formalism?
  • 16. Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system • Antiviruses determine malware by checking the calls to the operating systems. • Virus writers try to hide these calls.
  • 17. Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system • Antiviruses determine malware by checking the calls to the operating systems. • Virus writers try to hide these calls. L0 : call f L1: … … … f : function f L0 : push L1 L’0: jmp f L1: … … … f : function f
  • 18. Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system • Antiviruses determine malware by checking the calls to the operating systems. • Virus writers try to hide these calls. L0 : call f L1: … … … f : function f L0 : push L1 L’0: jmp f L1: … … … f : function f Important to analyse the program’s stack
  • 19. Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system • Antiviruses determine malware by checking the calls to the operating systems. • Virus writers try to hide these calls. L0 : call f L1: … … … f : function f L0 : push L1 L’0: jmp f L1: … … … f : function f Important to analyse the program’s stack Solution: Use pushdown systems to model programs
  • 20. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Pushdown Systems Specification formalism?
  • 21. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Pushdown Systems Specification formalism?
  • 22. Specification of malicious behaviors? Example: fragment of email worm Avron Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations. mov eax, 0 push eax call GetModuleHandleA
  • 23. Specification of malicious behaviors? Example: fragment of email worm Avron Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations. mov eax, 0 push eax call GetModuleHandleA How to describe this specification?
  • 24. Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0)˄EX (push(eax)˄EX call GetModuleHandleA)
  • 25. Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0)˄EX (push(eax)˄EX call GetModuleHandleA) EX p: there is a path where p holds at the next state p EX p
  • 26. Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0)˄EX (push(eax)˄EX call GetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX call GetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX call GetModuleHandleA) ˅ ….. all the other registers EX p: there is a path where p holds at the next state p EX p
  • 27. Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0)˄EX (push(eax)˄EX call GetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX call GetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX call GetModuleHandleA) ˅ ….. all the other registers EX p: there is a path where p holds at the next state p EX p Huge!
  • 28. Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL: mov(eax,0)˄EX (push(eax)˄EX callGetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX callGetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX callGetModuleHandleA) ˅ ….. all the other registers ∀∃, CTPL = CTL + variables +
  • 29. Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL: mov(eax,0)˄EX (push(eax)˄EX callGetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX callGetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX callGetModuleHandleA) ˅ ….. all the other registers ∀∃, CTPL = CTL + variables + In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA))
  • 30. Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL: mov(eax,0)˄EX (push(eax)˄EX callGetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX callGetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX callGetModuleHandleA) ˅ ….. all the other registers ∀∃, CTPL = CTL + variables + In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA)) CTPL cannot describe the stack: needed for malicious behaviors description
  • 31. Specification of malicious behaviors? Example: fragment of email worm Avron In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA)) mov eax, 0 push eax call GetModuleHandleA Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations.
  • 32. Specification of malicious behaviors? Example: fragment of email worm Avron In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA)) mov eax, 0 push ebx pop ebx push eax call GetModuleHandleA Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations.
  • 33. Specification of malicious behaviors? Example: fragment of email worm Avron In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA)) mov eax, 0 push ebx pop ebx push eax call GetModuleHandleA Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations. Our solution: Consider predicates over the stack
  • 34. Specification of malicious behaviors? Example: fragment of email worm Avron In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA)) mov eax, 0 push ebx pop ebx push eax call GetModuleHandleA Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations. Our solution: Consider predicates over the stack In SCTPL: EF ( call GetModuleHandleA ˄ (head_stack = 0) ) EF p: there is a path where p holds in the future
  • 35. Expressing Obfuscated Calls in SCTPL L0 : call f L: … … … f : function f L0 : push L L’0: jmp f L: … … … f : function f
  • 36. Expressing Obfuscated Calls in SCTPL L0 : call f L: … … … f : function f L0 : push L L’0: jmp f L: … … … f : function f ᴲL ( E !( ᴲ f call(f) ˄ AX (head_stack=L)) U (ret ˄ (head_stack= L)))
  • 37. Expressing Obfuscated Calls in SCTPL L0 : call f L: … … … f : function f L0 : push L1 L’0: jmp f L: … … … f : function f ᴲL ( E !( ᴲ f call(f) ˄ AX (head_stack=L)) U (ret ˄ (head_stack= L))) L is not a return address of a function call
  • 38. Expressing Obfuscated returns in SCTPL L0 : call f a : … … f: … … pop eax jmp eax h_s= a h_s= a h_s : head-stack !
  • 39. Expressing Appending Viruses in SCTPL L0 : call f a : … f: pop eax An appending virus append itself at the end of the host file The virus has to compute its address in memory h_s = a h_s = a h_s : head-stack
  • 40. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ?
  • 41. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Pushdown Systems SCTPL
  • 42. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Pushdown Systems SCTPL Pushdown System╞ SCTPL ?
  • 43. SCTPL model-checking for Pushdown Systems Non trivial: stack can be unbounded
  • 44. SCTPL model-checking for Pushdown Systems Non trivial: stack can be unbounded Theorem: Given a Pushdown System P and a SCTPL formula ᵠ, whether P satisfies ᵠ can be effectively decided.
  • 45. Implementation We implemented our techniques in a tool for virus detection IdaPro + Jakstab CFGBinary Code Translator PDS Model-checking engine Malware behaviors as SCTPL formulas YES/NO
  • 46. Experiments of POMMADE 1. Our tool was able to detect more than 800 malwares 2.We checked 400 real benign programs from Windows XP system. Benign programs are proved benign with only three false positives. 3.Our tool was able to detect all the 200 new malwares generated by two malware creators 4.Analyze the Flame malware that was not detected for more than 5 years by any anti-virus
  • 47. Our tool vs. known anti-viruses NGVCK and VCL32 malware generators 1.generate 200 new malwares 2.the best malware generators 3.generate complex malwares Gener ator No. Of Vari ant s PO MM ADE Avi ra Kasp ersk y Ava st Qiho o 360 McA fee AVG BitDef ender Eset Nod3 2 F- Sec ure Nort on Pan da Tre nd Micr o NGVC K 100 100 % 0% 23% 18 % 68% 100 % 11% 97% 81% 0% 46% 0% 0% VCL32 100 100 % 0% 2% 100 % 99% 0% 100 % 100% 76% 0% 30% 0% 0%
  • 48. Analyze The Flame Malware Flame is being used for targeted cyber espionage in Middle Eastern countries. It can 1.sniff the network traffic 2.take screenshots 3.record audio conversations 4.intercept the keyboard 5.and so on It was not detected by any anti-virus for 5 years
  • 49. Analyze The Flame Malware Flame is being used for targeted cyber espionage in Middle Eastern countries. It can 1.sniff the network traffic 2.take screenshots 3.record audio conversations 4.intercept the keyboard 5.and so on It was not detected by any anti-virus for 5 years Our tool can detect this malware Flame
  • 50. Conclusion • We introduced a new logic SCTPL to precisely specify malicious behaviors • We proposed efficient SCTPL model-checking algorithms for pushdown systems. • We implemented our techniques in a tool for malware detection: POMMADE •POMMADE was able to detect more than 800 malwares, several of them cannot be detected by well-known anti-viruses, such as, Avast, Kaspersky, McAfee, Norton, Avira, etc
  • 51.