HERO: A novel malware detection framework based on binary translation

2010 IEEE International Conference on Intelligent Computing and Intelligent Systems Pub Date : 2010-12-06 DOI:10.1109/ICICISYS.2010.5658586

Haoran Guo, J. Pang, Yichi Zhang, F. Yue, Rongcai Zhao

{"title":"HERO: A novel malware detection framework based on binary translation","authors":"Haoran Guo, J. Pang, Yichi Zhang, F. Yue, Rongcai Zhao","doi":"10.1109/ICICISYS.2010.5658586","DOIUrl":null,"url":null,"abstract":"Malware has become one of the most serious threats to computer information system. In this paper, we describe HERO (Hybrid security extension of binary translation), a novel framework that exploits static and dynamic binary translation features to detect broad spectrum malware and prevent its execution. By operating directly on binary code without any assumption on the availability of source code, HERO is appropriate for translating low-level binary code to high-level proper representation, obtaining CFG (Control Flow Graph) and other high-level Control Structure by static binary translation-based analyzer. Then Critical API Graph based on CFG is generated to do sub-graph matching with the defined Malware Behavior Template. If static analysis cannot finish generating CFG because of code obfuscation used in malware, the dynamic binary translation based analyzer in HERO is called to undertake the process to take on the remaining code analysis. Compared with other detection approaches, HERO is found to be very efficient in terms of detection capability and false alarm rate.","PeriodicalId":339711,"journal":{"name":"2010 IEEE International Conference on Intelligent Computing and Intelligent Systems","volume":"6 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2010-12-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"29","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2010 IEEE International Conference on Intelligent Computing and Intelligent Systems","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICICISYS.2010.5658586","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 29

Abstract

Malware has become one of the most serious threats to computer information system. In this paper, we describe HERO (Hybrid security extension of binary translation), a novel framework that exploits static and dynamic binary translation features to detect broad spectrum malware and prevent its execution. By operating directly on binary code without any assumption on the availability of source code, HERO is appropriate for translating low-level binary code to high-level proper representation, obtaining CFG (Control Flow Graph) and other high-level Control Structure by static binary translation-based analyzer. Then Critical API Graph based on CFG is generated to do sub-graph matching with the defined Malware Behavior Template. If static analysis cannot finish generating CFG because of code obfuscation used in malware, the dynamic binary translation based analyzer in HERO is called to undertake the process to take on the remaining code analysis. Compared with other detection approaches, HERO is found to be very efficient in terms of detection capability and false alarm rate.

查看原文本刊更多论文

HERO:一种基于二进制翻译的新型恶意软件检测框架

恶意软件已成为计算机信息系统最严重的威胁之一。在本文中，我们描述了HERO(二进制翻译的混合安全扩展)，这是一个利用静态和动态二进制翻译特性来检测广谱恶意软件并阻止其执行的新框架。HERO直接对二进制代码进行操作，无需对源代码的可用性做任何假设，适合将低级二进制代码转换为高级适当表示，通过基于静态二进制翻译的分析器获得CFG (Control Flow Graph)等高级控制结构。然后生成基于CFG的关键API图，与定义的恶意行为模板进行子图匹配。如果静态分析由于恶意软件中使用的代码混淆而无法完成CFG的生成，则调用HERO中基于动态二进制翻译的分析器来执行该过程，以承担剩余的代码分析。与其他检测方法相比，HERO在检测能力和虚警率方面都是非常有效的。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2010 IEEE International Conference on Intelligent Computing and Intelligent Systems

自引率

0.00%

发文量