SlideShare une entreprise Scribd logo

Model-checking for efficient malware detection

Pôle Systematic Paris-Region
Pôle Systematic Paris-Region

Tayssir Touili, LIPN

Technologie
1  sur  52
Télécharger pour lire hors ligne
Efficient Malware Detection using Model-Checking Tayssir Touili LIPN, CNRS & Univ. Paris 13
Motivation: Malware Detection • The number of new malware exceeds 75 million by the end of 2011, and is still increasing. • The number of malware that produced incidents in 2010 is more than 1.5 billion. • The worm MyDoom slowed down global internet access by 10% in 2004. • Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a central computer system used to monitor technical problems in the aircraft was infected with malware
Motivation: Malware Detection • The number of new malware exceeds 75 million by the end of 2011, and is still increasing. • The number of malware that produced incidents in 2010 is more than 1.5 billion. • The worm MyDoom slowed down global internet access by 10% in 2004. • Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a central computer system used to monitor technical problems in the aircraft was infected with malware Malware detection is important!!
Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature
Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable
Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment
Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment o Checks program’s behavior only in a limited time interval
Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment o Checks program’s behavior only in a limited time interval Solution: Check the behavior (not the syntax) of the program without executing it
Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment o Checks program’s behavior only in a limited time interval Solution: Check the behavior (not the syntax) of the program without executing it Model Checking is a good candidate
Goal: Model-checking for malware detection
Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ?
Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Model?
Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Model? Specification formalism?
Goal: Model-checking for malware detection Existing works: use finite automata to model the programs Binary code ╞ Malicious behavior ? Model? Specification formalism?
Goal: Model-checking for malware detection Existing works: use finite automata to model the programs Stack? Binary code ╞ Malicious behavior ? Model? Specification formalism?
Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system • Antiviruses determine malware by checking the calls to the operating systems. • Virus writers try to hide these calls.
Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system • Antiviruses determine malware by checking the calls to the operating systems. • Virus writers try to hide these calls. L0 : call f L1: … … … f : function f L0 : push L1 L’0: jmp f L1: … … … f : function f
Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system • Antiviruses determine malware by checking the calls to the operating systems. • Virus writers try to hide these calls. L0 : call f L1: … … … f : function f L0 : push L1 L’0: jmp f L1: … … … f : function f Important to analyse the program’s stack
Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system • Antiviruses determine malware by checking the calls to the operating systems. • Virus writers try to hide these calls. L0 : call f L1: … … … f : function f L0 : push L1 L’0: jmp f L1: … … … f : function f Important to analyse the program’s stack Solution: Use pushdown systems to model programs
Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Pushdown Systems Specification formalism?
Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Pushdown Systems Specification formalism?
Specification of malicious behaviors? Example: fragment of email worm Avron Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations. mov eax, 0 push eax call GetModuleHandleA
Specification of malicious behaviors? Example: fragment of email worm Avron Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations. mov eax, 0 push eax call GetModuleHandleA How to describe this specification?
Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0)˄EX (push(eax)˄EX call GetModuleHandleA)
Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0)˄EX (push(eax)˄EX call GetModuleHandleA) EX p: there is a path where p holds at the next state p EX p
Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0)˄EX (push(eax)˄EX call GetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX call GetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX call GetModuleHandleA) ˅ ….. all the other registers EX p: there is a path where p holds at the next state p EX p
Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0)˄EX (push(eax)˄EX call GetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX call GetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX call GetModuleHandleA) ˅ ….. all the other registers EX p: there is a path where p holds at the next state p EX p Huge!
Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL: mov(eax,0)˄EX (push(eax)˄EX callGetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX callGetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX callGetModuleHandleA) ˅ ….. all the other registers ∀∃, CTPL = CTL + variables +
Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL: mov(eax,0)˄EX (push(eax)˄EX callGetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX callGetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX callGetModuleHandleA) ˅ ….. all the other registers ∀∃, CTPL = CTL + variables + In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA))
Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL: mov(eax,0)˄EX (push(eax)˄EX callGetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX callGetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX callGetModuleHandleA) ˅ ….. all the other registers ∀∃, CTPL = CTL + variables + In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA)) CTPL cannot describe the stack: needed for malicious behaviors description
Specification of malicious behaviors? Example: fragment of email worm Avron In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA)) mov eax, 0 push eax call GetModuleHandleA Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations.
Specification of malicious behaviors? Example: fragment of email worm Avron In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA)) mov eax, 0 push ebx pop ebx push eax call GetModuleHandleA Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations.
Specification of malicious behaviors? Example: fragment of email worm Avron In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA)) mov eax, 0 push ebx pop ebx push eax call GetModuleHandleA Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations. Our solution: Consider predicates over the stack
Specification of malicious behaviors? Example: fragment of email worm Avron In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA)) mov eax, 0 push ebx pop ebx push eax call GetModuleHandleA Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations. Our solution: Consider predicates over the stack In SCTPL: EF ( call GetModuleHandleA ˄ (head_stack = 0) ) EF p: there is a path where p holds in the future
Expressing Obfuscated Calls in SCTPL L0 : call f L: … … … f : function f L0 : push L L’0: jmp f L: … … … f : function f
Expressing Obfuscated Calls in SCTPL L0 : call f L: … … … f : function f L0 : push L L’0: jmp f L: … … … f : function f ᴲL ( E !( ᴲ f call(f) ˄ AX (head_stack=L)) U (ret ˄ (head_stack= L)))
Expressing Obfuscated Calls in SCTPL L0 : call f L: … … … f : function f L0 : push L1 L’0: jmp f L: … … … f : function f ᴲL ( E !( ᴲ f call(f) ˄ AX (head_stack=L)) U (ret ˄ (head_stack= L))) L is not a return address of a function call
Expressing Obfuscated returns in SCTPL L0 : call f a : … … f: … … pop eax jmp eax h_s= a h_s= a h_s : head-stack !
Expressing Appending Viruses in SCTPL L0 : call f a : … f: pop eax An appending virus append itself at the end of the host file The virus has to compute its address in memory h_s = a h_s = a h_s : head-stack
Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ?
Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Pushdown Systems SCTPL
Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Pushdown Systems SCTPL Pushdown System╞ SCTPL ?
SCTPL model-checking for Pushdown Systems Non trivial: stack can be unbounded
SCTPL model-checking for Pushdown Systems Non trivial: stack can be unbounded Theorem: Given a Pushdown System P and a SCTPL formula ᵠ, whether P satisfies ᵠ can be effectively decided.
Implementation We implemented our techniques in a tool for virus detection IdaPro + Jakstab CFGBinary Code Translator PDS Model-checking engine Malware behaviors as SCTPL formulas YES/NO
Experiments of POMMADE 1. Our tool was able to detect more than 800 malwares 2.We checked 400 real benign programs from Windows XP system. Benign programs are proved benign with only three false positives. 3.Our tool was able to detect all the 200 new malwares generated by two malware creators 4.Analyze the Flame malware that was not detected for more than 5 years by any anti-virus
Our tool vs. known anti-viruses NGVCK and VCL32 malware generators 1.generate 200 new malwares 2.the best malware generators 3.generate complex malwares Gener ator No. Of Vari ant s PO MM ADE Avi ra Kasp ersk y Ava st Qiho o 360 McA fee AVG BitDef ender Eset Nod3 2 F- Sec ure Nort on Pan da Tre nd Micr o NGVC K 100 100 % 0% 23% 18 % 68% 100 % 11% 97% 81% 0% 46% 0% 0% VCL32 100 100 % 0% 2% 100 % 99% 0% 100 % 100% 76% 0% 30% 0% 0%
Analyze The Flame Malware Flame is being used for targeted cyber espionage in Middle Eastern countries. It can 1.sniff the network traffic 2.take screenshots 3.record audio conversations 4.intercept the keyboard 5.and so on It was not detected by any anti-virus for 5 years
Analyze The Flame Malware Flame is being used for targeted cyber espionage in Middle Eastern countries. It can 1.sniff the network traffic 2.take screenshots 3.record audio conversations 4.intercept the keyboard 5.and so on It was not detected by any anti-virus for 5 years Our tool can detect this malware Flame
Conclusion • We introduced a new logic SCTPL to precisely specify malicious behaviors • We proposed efficient SCTPL model-checking algorithms for pushdown systems. • We implemented our techniques in a tool for malware detection: POMMADE •POMMADE was able to detect more than 800 malwares, several of them cannot be detected by well-known anti-viruses, such as, Avast, Kaspersky, McAfee, Norton, Avira, etc
Questions?

Recommandé

Guadalajara con 2012
Guadalajara con 2012Guadalajara con 2012
Guadalajara con 2012Jaime Restrepo
 
Half-automatic Compilable Source Code Recovery
Half-automatic Compilable Source Code RecoveryHalf-automatic Compilable Source Code Recovery
Half-automatic Compilable Source Code RecoveryJoxean Koret
 
Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Joxean Koret
 
Test Driven Development of A Static Code Analyzer
Test Driven Development of A Static Code AnalyzerTest Driven Development of A Static Code Analyzer
Test Driven Development of A Static Code AnalyzerTerry Yin
 
CodeChecker Overview Nov 2019
CodeChecker Overview Nov 2019CodeChecker Overview Nov 2019
CodeChecker Overview Nov 2019Olivera Milenkovic
 
Static Code Analysis: Keeping the Cost of Bug Fixing Down
Static Code Analysis: Keeping the Cost of Bug Fixing DownStatic Code Analysis: Keeping the Cost of Bug Fixing Down
Static Code Analysis: Keeping the Cost of Bug Fixing DownAndrey Karpov
 
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...Software Guru
 
Challenges in High Accuracy of Malware Detection
Challenges in High Accuracy of Malware DetectionChallenges in High Accuracy of Malware Detection
Challenges in High Accuracy of Malware DetectionMuhammad Najmi Ahmad Zabidi
 

Recommandé

Guadalajara con 2012
Guadalajara con 2012Guadalajara con 2012
Guadalajara con 2012Jaime Restrepo
 
Half-automatic Compilable Source Code Recovery
Half-automatic Compilable Source Code RecoveryHalf-automatic Compilable Source Code Recovery
Half-automatic Compilable Source Code RecoveryJoxean Koret
 
Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Joxean Koret
 
Test Driven Development of A Static Code Analyzer
Test Driven Development of A Static Code AnalyzerTest Driven Development of A Static Code Analyzer
Test Driven Development of A Static Code AnalyzerTerry Yin
 
CodeChecker Overview Nov 2019
CodeChecker Overview Nov 2019CodeChecker Overview Nov 2019
CodeChecker Overview Nov 2019Olivera Milenkovic
 
Static Code Analysis: Keeping the Cost of Bug Fixing Down
Static Code Analysis: Keeping the Cost of Bug Fixing DownStatic Code Analysis: Keeping the Cost of Bug Fixing Down
Static Code Analysis: Keeping the Cost of Bug Fixing DownAndrey Karpov
 
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...Software Guru
 
Challenges in High Accuracy of Malware Detection
Challenges in High Accuracy of Malware DetectionChallenges in High Accuracy of Malware Detection
Challenges in High Accuracy of Malware DetectionMuhammad Najmi Ahmad Zabidi
 
Applications of genetic algorithms to malware detection and creation
Applications of genetic algorithms to malware detection and creationApplications of genetic algorithms to malware detection and creation
Applications of genetic algorithms to malware detection and creationUltraUploader
 
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...Silvio Cesare
 
Zero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareZero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareMyNOG
 
Seminar
SeminarSeminar
SeminarKevin ITian
 
Malware Detection With Multiple Features
Malware Detection With Multiple FeaturesMalware Detection With Multiple Features
Malware Detection With Multiple FeaturesMuhammad Najmi Ahmad Zabidi
 
Ensembled Based Categorization and Adaptive Learning Model for Malware Detection
Ensembled Based Categorization and Adaptive Learning Model for Malware DetectionEnsembled Based Categorization and Adaptive Learning Model for Malware Detection
Ensembled Based Categorization and Adaptive Learning Model for Malware DetectionMuhammad Najmi Ahmad Zabidi
 
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...Carlos Laorden
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseLuca Simonelli
 
Malware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveMalware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveChong-Kuan Chen
 
µfab lab par Serious Gaming Consulting
µfab lab par Serious Gaming Consultingµfab lab par Serious Gaming Consulting
µfab lab par Serious Gaming ConsultingLes Interconnectés
 
Les Labs d'Argent - CC du Val d'Argent
Les Labs d'Argent - CC du Val d'ArgentLes Labs d'Argent - CC du Val d'Argent
Les Labs d'Argent - CC du Val d'ArgentLes Interconnectés
 
ExplorCamp #7 ilek : Plateforme d’énergie collaborative
ExplorCamp #7 ilek : Plateforme d’énergie collaborativeExplorCamp #7 ilek : Plateforme d’énergie collaborative
ExplorCamp #7 ilek : Plateforme d’énergie collaborativeEnerGaïa
 
Pays de Châteaubriant - Les pratiques collaboratives
Pays de Châteaubriant - Les pratiques collaborativesPays de Châteaubriant - Les pratiques collaboratives
Pays de Châteaubriant - Les pratiques collaborativesLes Interconnectés
 
Rando jeu
Rando jeuRando jeu
Rando jeuLes Interconnectés
 
Habitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive Droite
Habitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive DroiteHabitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive Droite
Habitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive DroiteLes Interconnectés
 
Outil de déplacement pour les loisirs - CDT Béarn-Pays Basque
Outil de déplacement pour les loisirs - CDT Béarn-Pays BasqueOutil de déplacement pour les loisirs - CDT Béarn-Pays Basque
Outil de déplacement pour les loisirs - CDT Béarn-Pays BasqueLes Interconnectés
 
Minalogic - Expériences digitales et dynamisation des centres-villes
Minalogic - Expériences digitales et dynamisation des centres-villesMinalogic - Expériences digitales et dynamisation des centres-villes
Minalogic - Expériences digitales et dynamisation des centres-villesLes Interconnectés
 
Wizway
WizwayWizway
WizwayLes Interconnectés
 
Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...
Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...
Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...EnerGaïa
 
Amienscope (plateforme AppAwelty Agenda) - Amiens Métropole
Amienscope (plateforme AppAwelty Agenda) - Amiens MétropoleAmienscope (plateforme AppAwelty Agenda) - Amiens Métropole
Amienscope (plateforme AppAwelty Agenda) - Amiens MétropoleLes Interconnectés
 
A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...
A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...
A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...Lionel Briand
 
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxyDEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxyFelipe Prado
 

Contenu connexe

En vedette

Applications of genetic algorithms to malware detection and creation
Applications of genetic algorithms to malware detection and creationApplications of genetic algorithms to malware detection and creation
Applications of genetic algorithms to malware detection and creationUltraUploader
 
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...Silvio Cesare
 
Zero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareZero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareMyNOG
 
Ensembled Based Categorization and Adaptive Learning Model for Malware Detection
Ensembled Based Categorization and Adaptive Learning Model for Malware DetectionEnsembled Based Categorization and Adaptive Learning Model for Malware Detection
Ensembled Based Categorization and Adaptive Learning Model for Malware DetectionMuhammad Najmi Ahmad Zabidi
 
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...Carlos Laorden
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseLuca Simonelli
 
Malware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveMalware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveChong-Kuan Chen
 
µfab lab par Serious Gaming Consulting
µfab lab par Serious Gaming Consultingµfab lab par Serious Gaming Consulting
µfab lab par Serious Gaming ConsultingLes Interconnectés
 
Les Labs d'Argent - CC du Val d'Argent
Les Labs d'Argent - CC du Val d'ArgentLes Labs d'Argent - CC du Val d'Argent
Les Labs d'Argent - CC du Val d'ArgentLes Interconnectés
 
ExplorCamp #7 ilek : Plateforme d’énergie collaborative
ExplorCamp #7 ilek : Plateforme d’énergie collaborativeExplorCamp #7 ilek : Plateforme d’énergie collaborative
ExplorCamp #7 ilek : Plateforme d’énergie collaborativeEnerGaïa
 
Pays de Châteaubriant - Les pratiques collaboratives
Pays de Châteaubriant - Les pratiques collaborativesPays de Châteaubriant - Les pratiques collaboratives
Pays de Châteaubriant - Les pratiques collaborativesLes Interconnectés
 
Habitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive Droite
Habitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive DroiteHabitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive Droite
Habitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive DroiteLes Interconnectés
 
Outil de déplacement pour les loisirs - CDT Béarn-Pays Basque
Outil de déplacement pour les loisirs - CDT Béarn-Pays BasqueOutil de déplacement pour les loisirs - CDT Béarn-Pays Basque
Outil de déplacement pour les loisirs - CDT Béarn-Pays BasqueLes Interconnectés
 
Minalogic - Expériences digitales et dynamisation des centres-villes
Minalogic - Expériences digitales et dynamisation des centres-villesMinalogic - Expériences digitales et dynamisation des centres-villes
Minalogic - Expériences digitales et dynamisation des centres-villesLes Interconnectés
 
Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...
Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...
Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...EnerGaïa
 
Amienscope (plateforme AppAwelty Agenda) - Amiens Métropole
Amienscope (plateforme AppAwelty Agenda) - Amiens MétropoleAmienscope (plateforme AppAwelty Agenda) - Amiens Métropole
Amienscope (plateforme AppAwelty Agenda) - Amiens MétropoleLes Interconnectés
 

En vedette (20)

Applications of genetic algorithms to malware detection and creation
Applications of genetic algorithms to malware detection and creationApplications of genetic algorithms to malware detection and creation
Applications of genetic algorithms to malware detection and creation
 
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...
FooCodeChu - Services for Software Analysis, Malware Detection, and Vulnerabi...
 
Zero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareZero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source Software
 
Seminar
SeminarSeminar
Seminar
 
Malware Detection With Multiple Features
Malware Detection With Multiple FeaturesMalware Detection With Multiple Features
Malware Detection With Multiple Features
 
Ensembled Based Categorization and Adaptive Learning Model for Malware Detection
Ensembled Based Categorization and Adaptive Learning Model for Malware DetectionEnsembled Based Categorization and Adaptive Learning Model for Malware Detection
Ensembled Based Categorization and Adaptive Learning Model for Malware Detection
 
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and Defense
 
Malware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveMalware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning Perspective
 
µfab lab par Serious Gaming Consulting
µfab lab par Serious Gaming Consultingµfab lab par Serious Gaming Consulting
µfab lab par Serious Gaming Consulting
 
Les Labs d'Argent - CC du Val d'Argent
Les Labs d'Argent - CC du Val d'ArgentLes Labs d'Argent - CC du Val d'Argent
Les Labs d'Argent - CC du Val d'Argent
 
ExplorCamp #7 ilek : Plateforme d’énergie collaborative
ExplorCamp #7 ilek : Plateforme d’énergie collaborativeExplorCamp #7 ilek : Plateforme d’énergie collaborative
ExplorCamp #7 ilek : Plateforme d’énergie collaborative
 
Pays de Châteaubriant - Les pratiques collaboratives
Pays de Châteaubriant - Les pratiques collaborativesPays de Châteaubriant - Les pratiques collaboratives
Pays de Châteaubriant - Les pratiques collaboratives
 
Rando jeu
Rando jeuRando jeu
Rando jeu
 
Habitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive Droite
Habitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive DroiteHabitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive Droite
Habitants, Lieux, Mémoires (HLM) - Grand Projet des Villes Rive Droite
 
Outil de déplacement pour les loisirs - CDT Béarn-Pays Basque
Outil de déplacement pour les loisirs - CDT Béarn-Pays BasqueOutil de déplacement pour les loisirs - CDT Béarn-Pays Basque
Outil de déplacement pour les loisirs - CDT Béarn-Pays Basque
 
Minalogic - Expériences digitales et dynamisation des centres-villes
Minalogic - Expériences digitales et dynamisation des centres-villesMinalogic - Expériences digitales et dynamisation des centres-villes
Minalogic - Expériences digitales et dynamisation des centres-villes
 
Wizway
WizwayWizway
Wizway
 
Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...
Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...
Eolien Flottant #3 - Le déploiement de l’éolien offshore flottant en France C...
 
Amienscope (plateforme AppAwelty Agenda) - Amiens Métropole
Amienscope (plateforme AppAwelty Agenda) - Amiens MétropoleAmienscope (plateforme AppAwelty Agenda) - Amiens Métropole
Amienscope (plateforme AppAwelty Agenda) - Amiens Métropole
 

Similaire à Model-checking for efficient malware detection

A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...
A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...
A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...Lionel Briand
 
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxyDEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxyFelipe Prado
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware GenerationStephan Chenette
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Cysinfo Cyber Security Community
 
DEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPDEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPAmr Thabet
 
CISC 879 - Machine Learning for Solving Systems Problems
CISC 879 - Machine Learning for Solving Systems Problems CISC 879 - Machine Learning for Solving Systems Problems
CISC 879 - Machine Learning for Solving Systems Problems butest
 
Viruses and Anti-Viruses
Viruses and Anti-VirusesViruses and Anti-Viruses
Viruses and Anti-VirusesAyman Hussein
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowVi Tính Hoàng Nam
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Stephan Chenette
 
0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and...
0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and...0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and...
0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and...Wayne Huang
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionNeel Pathak
 
Analysis, Anti-Analysis, Anti-Anti-Analysis: An Overview of the Evasive Malwa...
Analysis, Anti-Analysis, Anti-Anti-Analysis: An Overview of the Evasive Malwa...Analysis, Anti-Analysis, Anti-Anti-Analysis: An Overview of the Evasive Malwa...
Analysis, Anti-Analysis, Anti-Anti-Analysis: An Overview of the Evasive Malwa...Marcus Botacin
 
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...Rouven Weßling
 
This is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept XThis is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept XSophos Benelux
 
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)Sophos Benelux
 
Are current antivirus programs able to detect complex metamorphic malware an ...
Are current antivirus programs able to detect complex metamorphic malware an ...Are current antivirus programs able to detect complex metamorphic malware an ...
Are current antivirus programs able to detect complex metamorphic malware an ...UltraUploader
 
Reverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical GuideReverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical Guideintertelinvestigations
 

Similaire à Model-checking for efficient malware detection (20)

A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...
A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...
A Scalable Approach for Malware Detec2on through Bounded Feature Space Behavi...
 
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxyDEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware Generation
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
 
DEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPDEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WP
 
CISC 879 - Machine Learning for Solving Systems Problems
CISC 879 - Machine Learning for Solving Systems Problems CISC 879 - Machine Learning for Solving Systems Problems
CISC 879 - Machine Learning for Solving Systems Problems
 
Viruses and Anti-Viruses
Viruses and Anti-VirusesViruses and Anti-Viruses
Viruses and Anti-Viruses
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflow
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
 
0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and...
0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and...0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and...
0box Analyzer--Afterdark Runtime Forensics for Automated Malware Analysis and...
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
 
Analysis, Anti-Analysis, Anti-Anti-Analysis: An Overview of the Evasive Malwa...
Analysis, Anti-Analysis, Anti-Anti-Analysis: An Overview of the Evasive Malwa...Analysis, Anti-Analysis, Anti-Anti-Analysis: An Overview of the Evasive Malwa...
Analysis, Anti-Analysis, Anti-Anti-Analysis: An Overview of the Evasive Malwa...
 
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
 
Kali linux and hacking
Kali linux and hackingKali linux and hacking
Kali linux and hacking
 
This is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept XThis is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept X
 
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
 
Are current antivirus programs able to detect complex metamorphic malware an ...
Are current antivirus programs able to detect complex metamorphic malware an ...Are current antivirus programs able to detect complex metamorphic malware an ...
Are current antivirus programs able to detect complex metamorphic malware an ...
 
Reverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical GuideReverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical Guide
 

Plus de Pôle Systematic Paris-Region

OSIS19_IoT :Transparent remote connectivity to short-range IoT devices, by Na...
OSIS19_IoT :Transparent remote connectivity to short-range IoT devices, by Na...OSIS19_IoT :Transparent remote connectivity to short-range IoT devices, by Na...
OSIS19_IoT :Transparent remote connectivity to short-range IoT devices, by Na...Pôle Systematic Paris-Region
 
OSIS19_Cloud : SAFC: Scheduling and Allocation Framework for Containers in a ...
OSIS19_Cloud : SAFC: Scheduling and Allocation Framework for Containers in a ...OSIS19_Cloud : SAFC: Scheduling and Allocation Framework for Containers in a ...
OSIS19_Cloud : SAFC: Scheduling and Allocation Framework for Containers in a ...Pôle Systematic Paris-Region
 
OSIS19_Cloud : Qu’apporte l’observabilité à la gestion de configuration? par ...
OSIS19_Cloud : Qu’apporte l’observabilité à la gestion de configuration? par ...OSIS19_Cloud : Qu’apporte l’observabilité à la gestion de configuration? par ...
OSIS19_Cloud : Qu’apporte l’observabilité à la gestion de configuration? par ...Pôle Systematic Paris-Region
 
OSIS19_Cloud : Performance and power management in virtualized data centers, ...
OSIS19_Cloud : Performance and power management in virtualized data centers, ...OSIS19_Cloud : Performance and power management in virtualized data centers, ...
OSIS19_Cloud : Performance and power management in virtualized data centers, ...Pôle Systematic Paris-Region
 
OSIS19_Cloud : Des objets dans le cloud, et qui y restent -- L'expérience du ...
OSIS19_Cloud : Des objets dans le cloud, et qui y restent -- L'expérience du ...OSIS19_Cloud : Des objets dans le cloud, et qui y restent -- L'expérience du ...
OSIS19_Cloud : Des objets dans le cloud, et qui y restent -- L'expérience du ...Pôle Systematic Paris-Region
 
OSIS19_Cloud : Attribution automatique de ressources pour micro-services, Alt...
OSIS19_Cloud : Attribution automatique de ressources pour micro-services, Alt...OSIS19_Cloud : Attribution automatique de ressources pour micro-services, Alt...
OSIS19_Cloud : Attribution automatique de ressources pour micro-services, Alt...Pôle Systematic Paris-Region
 
OSIS19_IoT : State of the art in security for embedded systems and IoT, by Pi...
OSIS19_IoT : State of the art in security for embedded systems and IoT, by Pi...OSIS19_IoT : State of the art in security for embedded systems and IoT, by Pi...
OSIS19_IoT : State of the art in security for embedded systems and IoT, by Pi...Pôle Systematic Paris-Region
 
Osis19_IoT: Proof of Pointer Programs with Ownership in SPARK, by Yannick Moy
Osis19_IoT: Proof of Pointer Programs with Ownership in SPARK, by Yannick MoyOsis19_IoT: Proof of Pointer Programs with Ownership in SPARK, by Yannick Moy
Osis19_IoT: Proof of Pointer Programs with Ownership in SPARK, by Yannick MoyPôle Systematic Paris-Region
 
Osis18_Cloud : Virtualisation efficace d’architectures NUMA
Osis18_Cloud : Virtualisation efficace d’architectures NUMAOsis18_Cloud : Virtualisation efficace d’architectures NUMA
Osis18_Cloud : Virtualisation efficace d’architectures NUMAPôle Systematic Paris-Region
 
Osis18_Cloud : DeepTorrent Stockage distribué perenne basé sur Bittorrent
Osis18_Cloud : DeepTorrent Stockage distribué perenne basé sur BittorrentOsis18_Cloud : DeepTorrent Stockage distribué perenne basé sur Bittorrent
Osis18_Cloud : DeepTorrent Stockage distribué perenne basé sur BittorrentPôle Systematic Paris-Region
 
OSIS18_IoT: L'approche machine virtuelle pour les microcontrôleurs, le projet...
OSIS18_IoT: L'approche machine virtuelle pour les microcontrôleurs, le projet...OSIS18_IoT: L'approche machine virtuelle pour les microcontrôleurs, le projet...
OSIS18_IoT: L'approche machine virtuelle pour les microcontrôleurs, le projet...Pôle Systematic Paris-Region
 
OSIS18_IoT: La securite des objets connectes a bas cout avec l'os et riot
OSIS18_IoT: La securite des objets connectes a bas cout avec l'os et riotOSIS18_IoT: La securite des objets connectes a bas cout avec l'os et riot
OSIS18_IoT: La securite des objets connectes a bas cout avec l'os et riotPôle Systematic Paris-Region
 
OSIS18_IoT : Solution de mise au point pour les systemes embarques, par Julio...
OSIS18_IoT : Solution de mise au point pour les systemes embarques, par Julio...OSIS18_IoT : Solution de mise au point pour les systemes embarques, par Julio...
OSIS18_IoT : Solution de mise au point pour les systemes embarques, par Julio...Pôle Systematic Paris-Region
 
OSIS18_IoT : Securisation du reseau des objets connectes, par Nicolas LE SAUZ...
OSIS18_IoT : Securisation du reseau des objets connectes, par Nicolas LE SAUZ...OSIS18_IoT : Securisation du reseau des objets connectes, par Nicolas LE SAUZ...
OSIS18_IoT : Securisation du reseau des objets connectes, par Nicolas LE SAUZ...Pôle Systematic Paris-Region
 
OSIS18_IoT : Ada and SPARK - Defense in Depth for Safe Micro-controller Progr...
OSIS18_IoT : Ada and SPARK - Defense in Depth for Safe Micro-controller Progr...OSIS18_IoT : Ada and SPARK - Defense in Depth for Safe Micro-controller Progr...
OSIS18_IoT : Ada and SPARK - Defense in Depth for Safe Micro-controller Progr...Pôle Systematic Paris-Region
 
OSIS18_IoT : RTEMS pour l'IoT professionnel, par Pierre Ficheux (Smile ECS)
OSIS18_IoT : RTEMS pour l'IoT professionnel, par Pierre Ficheux (Smile ECS)OSIS18_IoT : RTEMS pour l'IoT professionnel, par Pierre Ficheux (Smile ECS)
OSIS18_IoT : RTEMS pour l'IoT professionnel, par Pierre Ficheux (Smile ECS)Pôle Systematic Paris-Region
 
PyParis 2017 / Un mooc python, by thierry parmentelat
PyParis 2017 / Un mooc python, by thierry parmentelatPyParis 2017 / Un mooc python, by thierry parmentelat
PyParis 2017 / Un mooc python, by thierry parmentelatPôle Systematic Paris-Region
 

Plus de Pôle Systematic Paris-Region (20)

OSIS19_IoT :Transparent remote connectivity to short-range IoT devices, by Na...
OSIS19_IoT :Transparent remote connectivity to short-range IoT devices, by Na...OSIS19_IoT :Transparent remote connectivity to short-range IoT devices, by Na...
OSIS19_IoT :Transparent remote connectivity to short-range IoT devices, by Na...
 
OSIS19_Cloud : SAFC: Scheduling and Allocation Framework for Containers in a ...
OSIS19_Cloud : SAFC: Scheduling and Allocation Framework for Containers in a ...OSIS19_Cloud : SAFC: Scheduling and Allocation Framework for Containers in a ...
OSIS19_Cloud : SAFC: Scheduling and Allocation Framework for Containers in a ...
 
OSIS19_Cloud : Qu’apporte l’observabilité à la gestion de configuration? par ...
OSIS19_Cloud : Qu’apporte l’observabilité à la gestion de configuration? par ...OSIS19_Cloud : Qu’apporte l’observabilité à la gestion de configuration? par ...
OSIS19_Cloud : Qu’apporte l’observabilité à la gestion de configuration? par ...
 
OSIS19_Cloud : Performance and power management in virtualized data centers, ...
OSIS19_Cloud : Performance and power management in virtualized data centers, ...OSIS19_Cloud : Performance and power management in virtualized data centers, ...
OSIS19_Cloud : Performance and power management in virtualized data centers, ...
 
OSIS19_Cloud : Des objets dans le cloud, et qui y restent -- L'expérience du ...
OSIS19_Cloud : Des objets dans le cloud, et qui y restent -- L'expérience du ...OSIS19_Cloud : Des objets dans le cloud, et qui y restent -- L'expérience du ...
OSIS19_Cloud : Des objets dans le cloud, et qui y restent -- L'expérience du ...
 
OSIS19_Cloud : Attribution automatique de ressources pour micro-services, Alt...
OSIS19_Cloud : Attribution automatique de ressources pour micro-services, Alt...OSIS19_Cloud : Attribution automatique de ressources pour micro-services, Alt...
OSIS19_Cloud : Attribution automatique de ressources pour micro-services, Alt...
 
OSIS19_IoT : State of the art in security for embedded systems and IoT, by Pi...
OSIS19_IoT : State of the art in security for embedded systems and IoT, by Pi...OSIS19_IoT : State of the art in security for embedded systems and IoT, by Pi...
OSIS19_IoT : State of the art in security for embedded systems and IoT, by Pi...
 
Osis19_IoT: Proof of Pointer Programs with Ownership in SPARK, by Yannick Moy
Osis19_IoT: Proof of Pointer Programs with Ownership in SPARK, by Yannick MoyOsis19_IoT: Proof of Pointer Programs with Ownership in SPARK, by Yannick Moy
Osis19_IoT: Proof of Pointer Programs with Ownership in SPARK, by Yannick Moy
 
Osis18_Cloud : Pas de commun sans communauté ?
Osis18_Cloud : Pas de commun sans communauté ?Osis18_Cloud : Pas de commun sans communauté ?
Osis18_Cloud : Pas de commun sans communauté ?
 
Osis18_Cloud : Projet Wolphin
Osis18_Cloud : Projet Wolphin Osis18_Cloud : Projet Wolphin
Osis18_Cloud : Projet Wolphin
 
Osis18_Cloud : Virtualisation efficace d’architectures NUMA
Osis18_Cloud : Virtualisation efficace d’architectures NUMAOsis18_Cloud : Virtualisation efficace d’architectures NUMA
Osis18_Cloud : Virtualisation efficace d’architectures NUMA
 
Osis18_Cloud : DeepTorrent Stockage distribué perenne basé sur Bittorrent
Osis18_Cloud : DeepTorrent Stockage distribué perenne basé sur BittorrentOsis18_Cloud : DeepTorrent Stockage distribué perenne basé sur Bittorrent
Osis18_Cloud : DeepTorrent Stockage distribué perenne basé sur Bittorrent
 
Osis18_Cloud : Software-heritage
Osis18_Cloud : Software-heritageOsis18_Cloud : Software-heritage
Osis18_Cloud : Software-heritage
 
OSIS18_IoT: L'approche machine virtuelle pour les microcontrôleurs, le projet...
OSIS18_IoT: L'approche machine virtuelle pour les microcontrôleurs, le projet...OSIS18_IoT: L'approche machine virtuelle pour les microcontrôleurs, le projet...
OSIS18_IoT: L'approche machine virtuelle pour les microcontrôleurs, le projet...
 
OSIS18_IoT: La securite des objets connectes a bas cout avec l'os et riot
OSIS18_IoT: La securite des objets connectes a bas cout avec l'os et riotOSIS18_IoT: La securite des objets connectes a bas cout avec l'os et riot
OSIS18_IoT: La securite des objets connectes a bas cout avec l'os et riot
 
OSIS18_IoT : Solution de mise au point pour les systemes embarques, par Julio...
OSIS18_IoT : Solution de mise au point pour les systemes embarques, par Julio...OSIS18_IoT : Solution de mise au point pour les systemes embarques, par Julio...
OSIS18_IoT : Solution de mise au point pour les systemes embarques, par Julio...
 
OSIS18_IoT : Securisation du reseau des objets connectes, par Nicolas LE SAUZ...
OSIS18_IoT : Securisation du reseau des objets connectes, par Nicolas LE SAUZ...OSIS18_IoT : Securisation du reseau des objets connectes, par Nicolas LE SAUZ...
OSIS18_IoT : Securisation du reseau des objets connectes, par Nicolas LE SAUZ...
 
OSIS18_IoT : Ada and SPARK - Defense in Depth for Safe Micro-controller Progr...
OSIS18_IoT : Ada and SPARK - Defense in Depth for Safe Micro-controller Progr...OSIS18_IoT : Ada and SPARK - Defense in Depth for Safe Micro-controller Progr...
OSIS18_IoT : Ada and SPARK - Defense in Depth for Safe Micro-controller Progr...
 
OSIS18_IoT : RTEMS pour l'IoT professionnel, par Pierre Ficheux (Smile ECS)
OSIS18_IoT : RTEMS pour l'IoT professionnel, par Pierre Ficheux (Smile ECS)OSIS18_IoT : RTEMS pour l'IoT professionnel, par Pierre Ficheux (Smile ECS)
OSIS18_IoT : RTEMS pour l'IoT professionnel, par Pierre Ficheux (Smile ECS)
 
PyParis 2017 / Un mooc python, by thierry parmentelat
PyParis 2017 / Un mooc python, by thierry parmentelatPyParis 2017 / Un mooc python, by thierry parmentelat
PyParis 2017 / Un mooc python, by thierry parmentelat
 

Dernier

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 

Dernier (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

Model-checking for efficient malware detection

  • 1. Efficient Malware Detection using Model-Checking Tayssir Touili LIPN, CNRS & Univ. Paris 13
  • 2. Motivation: Malware Detection • The number of new malware exceeds 75 million by the end of 2011, and is still increasing. • The number of malware that produced incidents in 2010 is more than 1.5 billion. • The worm MyDoom slowed down global internet access by 10% in 2004. • Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a central computer system used to monitor technical problems in the aircraft was infected with malware
  • 3. Motivation: Malware Detection • The number of new malware exceeds 75 million by the end of 2011, and is still increasing. • The number of malware that produced incidents in 2010 is more than 1.5 billion. • The worm MyDoom slowed down global internet access by 10% in 2004. • Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a central computer system used to monitor technical problems in the aircraft was infected with malware Malware detection is important!!
  • 4. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature
  • 5. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable
  • 6. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment
  • 7. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment o Checks program’s behavior only in a limited time interval
  • 8. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment o Checks program’s behavior only in a limited time interval Solution: Check the behavior (not the syntax) of the program without executing it
  • 9. Limitations of classic anti-virus techniques • Signature (pattern) matching: Every known malware has one signature o Easy to get around o New variants of viruses with the same behavior cannot be detected by these techniques o Nop insertion, code reordering, variable renaming, etc o Virus writers frequently update there viruses to make them undetectable • Code emulation: Executes binary code in a virtual environment o Checks program’s behavior only in a limited time interval Solution: Check the behavior (not the syntax) of the program without executing it Model Checking is a good candidate
  • 10. Goal: Model-checking for malware detection
  • 11. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ?
  • 12. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Model?
  • 13. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Model? Specification formalism?
  • 14. Goal: Model-checking for malware detection Existing works: use finite automata to model the programs Binary code ╞ Malicious behavior ? Model? Specification formalism?
  • 15. Goal: Model-checking for malware detection Existing works: use finite automata to model the programs Stack? Binary code ╞ Malicious behavior ? Model? Specification formalism?
  • 16. Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system • Antiviruses determine malware by checking the calls to the operating systems. • Virus writers try to hide these calls.
  • 17. Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system • Antiviruses determine malware by checking the calls to the operating systems. • Virus writers try to hide these calls. L0 : call f L1: … … … f : function f L0 : push L1 L’0: jmp f L1: … … … f : function f
  • 18. Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system • Antiviruses determine malware by checking the calls to the operating systems. • Virus writers try to hide these calls. L0 : call f L1: … … … f : function f L0 : push L1 L’0: jmp f L1: … … … f : function f Important to analyse the program’s stack
  • 19. Stack: important for malware detection • To achieve their goal, malware have to call functions of the operating system • Antiviruses determine malware by checking the calls to the operating systems. • Virus writers try to hide these calls. L0 : call f L1: … … … f : function f L0 : push L1 L’0: jmp f L1: … … … f : function f Important to analyse the program’s stack Solution: Use pushdown systems to model programs
  • 20. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Pushdown Systems Specification formalism?
  • 21. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Pushdown Systems Specification formalism?
  • 22. Specification of malicious behaviors? Example: fragment of email worm Avron Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations. mov eax, 0 push eax call GetModuleHandleA
  • 23. Specification of malicious behaviors? Example: fragment of email worm Avron Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations. mov eax, 0 push eax call GetModuleHandleA How to describe this specification?
  • 24. Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0)˄EX (push(eax)˄EX call GetModuleHandleA)
  • 25. Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0)˄EX (push(eax)˄EX call GetModuleHandleA) EX p: there is a path where p holds at the next state p EX p
  • 26. Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0)˄EX (push(eax)˄EX call GetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX call GetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX call GetModuleHandleA) ˅ ….. all the other registers EX p: there is a path where p holds at the next state p EX p
  • 27. Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL (Branching-time temporal logic) : mov(eax,0)˄EX (push(eax)˄EX call GetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX call GetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX call GetModuleHandleA) ˅ ….. all the other registers EX p: there is a path where p holds at the next state p EX p Huge!
  • 28. Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL: mov(eax,0)˄EX (push(eax)˄EX callGetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX callGetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX callGetModuleHandleA) ˅ ….. all the other registers ∀∃, CTPL = CTL + variables +
  • 29. Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL: mov(eax,0)˄EX (push(eax)˄EX callGetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX callGetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX callGetModuleHandleA) ˅ ….. all the other registers ∀∃, CTPL = CTL + variables + In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA))
  • 30. Specification of malicious behaviors? Example: fragment of email worm Avron mov eax, 0 push eax call GetModuleHandleA In CTL: mov(eax,0)˄EX (push(eax)˄EX callGetModuleHandleA) ˅ mov(ebx,0)˄EX (push(ebx)˄EX callGetModuleHandleA) ˅ mov(ecx,0)˄EX (push(ecx)˄EX callGetModuleHandleA) ˅ ….. all the other registers ∀∃, CTPL = CTL + variables + In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA)) CTPL cannot describe the stack: needed for malicious behaviors description
  • 31. Specification of malicious behaviors? Example: fragment of email worm Avron In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA)) mov eax, 0 push eax call GetModuleHandleA Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations.
  • 32. Specification of malicious behaviors? Example: fragment of email worm Avron In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA)) mov eax, 0 push ebx pop ebx push eax call GetModuleHandleA Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations.
  • 33. Specification of malicious behaviors? Example: fragment of email worm Avron In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA)) mov eax, 0 push ebx pop ebx push eax call GetModuleHandleA Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations. Our solution: Consider predicates over the stack
  • 34. Specification of malicious behaviors? Example: fragment of email worm Avron In CTPL: ᴲ r (mov(r,0)˄EX (push(r)˄ EX call GetModuleHandleA)) mov eax, 0 push ebx pop ebx push eax call GetModuleHandleA Call the API GetModuleHandleA with 0 as parameter. This returns the entry address of its own executable. Copy itself to other locations. Our solution: Consider predicates over the stack In SCTPL: EF ( call GetModuleHandleA ˄ (head_stack = 0) ) EF p: there is a path where p holds in the future
  • 35. Expressing Obfuscated Calls in SCTPL L0 : call f L: … … … f : function f L0 : push L L’0: jmp f L: … … … f : function f
  • 36. Expressing Obfuscated Calls in SCTPL L0 : call f L: … … … f : function f L0 : push L L’0: jmp f L: … … … f : function f ᴲL ( E !( ᴲ f call(f) ˄ AX (head_stack=L)) U (ret ˄ (head_stack= L)))
  • 37. Expressing Obfuscated Calls in SCTPL L0 : call f L: … … … f : function f L0 : push L1 L’0: jmp f L: … … … f : function f ᴲL ( E !( ᴲ f call(f) ˄ AX (head_stack=L)) U (ret ˄ (head_stack= L))) L is not a return address of a function call
  • 38. Expressing Obfuscated returns in SCTPL L0 : call f a : … … f: … … pop eax jmp eax h_s= a h_s= a h_s : head-stack !
  • 39. Expressing Appending Viruses in SCTPL L0 : call f a : … f: pop eax An appending virus append itself at the end of the host file The virus has to compute its address in memory h_s = a h_s = a h_s : head-stack
  • 40. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ?
  • 41. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Pushdown Systems SCTPL
  • 42. Goal: Model-checking for malware detection Binary code ╞ Malicious behavior ? Pushdown Systems SCTPL Pushdown System╞ SCTPL ?
  • 43. SCTPL model-checking for Pushdown Systems Non trivial: stack can be unbounded
  • 44. SCTPL model-checking for Pushdown Systems Non trivial: stack can be unbounded Theorem: Given a Pushdown System P and a SCTPL formula ᵠ, whether P satisfies ᵠ can be effectively decided.
  • 45. Implementation We implemented our techniques in a tool for virus detection IdaPro + Jakstab CFGBinary Code Translator PDS Model-checking engine Malware behaviors as SCTPL formulas YES/NO
  • 46. Experiments of POMMADE 1. Our tool was able to detect more than 800 malwares 2.We checked 400 real benign programs from Windows XP system. Benign programs are proved benign with only three false positives. 3.Our tool was able to detect all the 200 new malwares generated by two malware creators 4.Analyze the Flame malware that was not detected for more than 5 years by any anti-virus
  • 47. Our tool vs. known anti-viruses NGVCK and VCL32 malware generators 1.generate 200 new malwares 2.the best malware generators 3.generate complex malwares Gener ator No. Of Vari ant s PO MM ADE Avi ra Kasp ersk y Ava st Qiho o 360 McA fee AVG BitDef ender Eset Nod3 2 F- Sec ure Nort on Pan da Tre nd Micr o NGVC K 100 100 % 0% 23% 18 % 68% 100 % 11% 97% 81% 0% 46% 0% 0% VCL32 100 100 % 0% 2% 100 % 99% 0% 100 % 100% 76% 0% 30% 0% 0%
  • 48. Analyze The Flame Malware Flame is being used for targeted cyber espionage in Middle Eastern countries. It can 1.sniff the network traffic 2.take screenshots 3.record audio conversations 4.intercept the keyboard 5.and so on It was not detected by any anti-virus for 5 years
  • 49. Analyze The Flame Malware Flame is being used for targeted cyber espionage in Middle Eastern countries. It can 1.sniff the network traffic 2.take screenshots 3.record audio conversations 4.intercept the keyboard 5.and so on It was not detected by any anti-virus for 5 years Our tool can detect this malware Flame
  • 50. Conclusion • We introduced a new logic SCTPL to precisely specify malicious behaviors • We proposed efficient SCTPL model-checking algorithms for pushdown systems. • We implemented our techniques in a tool for malware detection: POMMADE •POMMADE was able to detect more than 800 malwares, several of them cannot be detected by well-known anti-viruses, such as, Avast, Kaspersky, McAfee, Norton, Avira, etc
  • 51.