Replacement attacks: Automatically impeding behavior-based malware specifications

Jiang Ming, Zhi Xin, Pengwei Lan, Dinghao Wu, Peng Liu, Bing Mao

Research output: Chapter in Book/Report/Conference proceedingConference contribution

15 Scopus citations


As the underground market of malware flourishes, there is an exponential increase in the number and diversity of malware. A crucial question in malware analysis research is how to define malware specifications or signatures that faithfully describe similar malicious intent and clearly stand out from other programs. It is evident that the classical syntactic signatures are insufficient to defeat state-of-the art malware. Behavior-based specifications which capture real malicious characteristics during runtime, have become more prevalent in anti-malware tasks, such as malware detection and malware clustering. This kind of specification is typically extracted from system call dependence graphs that a malware sample invokes. In this paper we present replacement attacks to poison behavior-based specifications by concealing similar behaviors among malware variants. The essence of the attacks is to replace a behavior specification to its semantically equivalent one, so that similar malware variants within one family turn out to be different. As a result, malware analysts have to put more efforts to re-analyze similar samples. We distill general attacking strategies by mining more than 5,000 malware samples’ behavior specifications and implement a compiler-level prototype to automate replacement attacks. Experiments on 960 real malware samples demonstrate effectiveness of our approach to impede multiple malware analyses based on behavior specifications, such as similarity comparison and malware clustering. In the end, we provide possible counter-measures to strengthen behavior-based malware analysis.

Original languageEnglish (US)
Title of host publicationApplied Cryptography and Network Security - 13th International Conference, ACNS 2015, Revised Selected Papers
EditorsTal Malkin, Allison Bishop Lewko, Vladimir Kolesnikov, Michalis Polychronakis
PublisherSpringer Verlag
Number of pages21
ISBN (Print)9783319281650
StatePublished - 2015
Event13th International Conference on Applied Cryptography and Network Security, ACNS 2015 - New York, United States
Duration: Jun 2 2015Jun 5 2015

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Other13th International Conference on Applied Cryptography and Network Security, ACNS 2015
Country/TerritoryUnited States
CityNew York

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science(all)


Dive into the research topics of 'Replacement attacks: Automatically impeding behavior-based malware specifications'. Together they form a unique fingerprint.

Cite this