Static Analysis of Executables to Detect Malicious Patterns

Abstract

Malicious code detection is a crucial component of any defense mechanism. In this paper, we present a unique viewpoint on malicious code detection. We regard malicious code detection as an obfuscation-deobfuscation game between malicious code writers and researchers working on malicious code detection. Malicious code writers attempt to obfuscate the malicious code to subvert the malicious code detectors, such as anti-virus software. We tested the resilience of three commercial virus scanners against code-obfuscation attacks. The results were surprising: the three commercial virus scanners could be subverted by very simple obfuscation transformations! We present an architecture for detecting malicious patterns in executables that is resilient to common obfuscation transformations. Experimental results demonstrate the efficacy of our prototype tool, SAFE (a static analyzer for executables).

Document Details

Document Type
Technical Report
Publication Date
Jan 01, 2006
Accession Number
ADA449067

Entities

People

  • Mihai Christodorescu
  • Somesh Jha

Organizations

  • University of Wisconsin Madison Department of Computer Science

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Abstracts
  • Algorithms
  • Analyzers
  • Anti-Virus Software
  • Assembly Languages
  • Automata
  • Computer Programs
  • Computer Science
  • Computer Viruses
  • Computers
  • Computing System Architectures
  • Detection
  • Detectors
  • Information Operations
  • Instructions
  • Language
  • Operating Systems

Fields of Study

  • Computer science

Readers

  • Computational Fluid Dynamics (CFD)
  • Cybersecurity