Replacement attacks

Automatically impeding behavior-based malware specifications

Jiang Ming, Zhi Xin, Pengwei Lan, Dinghao Wu, Peng Liu, Bing Mao

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

7 Citations (Scopus)

Abstract

As the underground market of malware flourishes, there is an exponential increase in the number and diversity of malware. A crucial question in malware analysis research is how to define malware specifications or signatures that faithfully describe similar malicious intent and clearly stand out from other programs. It is evident that the classical syntactic signatures are insufficient to defeat state-of-the-art malware. Behavior-based specifications, which capture real malicious characteristics during runtime, have become more prevalent in anti-malware tasks, such as malware detection and malware clustering. This kind of specification is typically extracted from the system call dependence graphs that a malware sample invokes. In this paper we present replacement attacks to poison behavior-based specifications by concealing similar behaviors among malware variants. The essence of the attacks is to replace a behavior specification with a semantically equivalent one, so that similar malware variants within one family turn out to be different. As a result, malware analysts have to put more effort into re-analyzing similar samples. We distill general attacking strategies by mining more than 5,000 malware samples' behavior specifications and implement a compiler-level prototype to automate replacement attacks. Experiments on 960 real malware samples demonstrate the effectiveness of our approach in impeding multiple malware analyses based on behavior specifications, such as similarity comparison and malware clustering. In the end, we provide possible countermeasures to strengthen behavior-based malware analysis.

Original language: English (US)
Title of host publication: Applied Cryptography and Network Security - 13th International Conference, ACNS 2015, Revised Selected Papers
Editors: Tal Malkin, Allison Bishop Lewko, Vladimir Kolesnikov, Michalis Polychronakis
Publisher: Springer Verlag
Pages: 497-517
Number of pages: 21
ISBN (Print): 9783319281650
DOI: https://doi.org/10.1007/978-3-319-28166-7_24
State: Published - Jan 1 2015
Event: 13th International Conference on Applied Cryptography and Network Security, ACNS 2015 - New York, United States
Duration: Jun 2 2015 to Jun 5 2015

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 9092
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 13th International Conference on Applied Cryptography and Network Security, ACNS 2015
Country: United States
City: New York
Period: 6/2/15 to 6/5/15

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Ming, J., Xin, Z., Lan, P., Wu, D., Liu, P., & Mao, B. (2015). Replacement attacks: Automatically impeding behavior-based malware specifications. In T. Malkin, A. B. Lewko, V. Kolesnikov, & M. Polychronakis (Eds.), Applied Cryptography and Network Security - 13th International Conference, ACNS 2015, Revised Selected Papers (pp. 497-517). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9092). Springer Verlag. https://doi.org/10.1007/978-3-319-28166-7_24