海报:识别恶意软件中的动态数据结构

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security Pub Date : 2016-10-24 DOI:10.1145/2976749.2989041

Thomas Rupprecht, Xi Chen, D. H. White, J. Mühlberg, H. Bos, Gerald Lüttgen

{"title":"海报:识别恶意软件中的动态数据结构","authors":"Thomas Rupprecht, Xi Chen, D. H. White, J. Mühlberg, H. Bos, Gerald Lüttgen","doi":"10.1145/2976749.2989041","DOIUrl":null,"url":null,"abstract":"As the complexity of malware grows, so does the necessity of employing program structuring mechanisms during development. While control flow structuring is often obfuscated, the dynamic data structures employed by the program are typically untouched. We report on work in progress that exploits this weakness to identify dynamic data structures present in malware samples for the purposes of aiding reverse engineering and constructing malware signatures, which may be employed for malware classification. Using a prototype implementation, which combines the type recovery tool Howard and the identification tool Data Structure Investigator (DSI), we analyze data structures in Carberp and AgoBot malware. Identifying their data structures illustrates a challenging problem. To tackle this, we propose a new type recovery for binaries based on machine learning, which uses Howard's types to guide the search and DSI's memory abstraction for hypothesis evaluation.","PeriodicalId":432261,"journal":{"name":"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security","volume":"81 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-10-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"POSTER: Identifying Dynamic Data Structures in Malware\",\"authors\":\"Thomas Rupprecht, Xi Chen, D. H. White, J. Mühlberg, H. Bos, Gerald Lüttgen\",\"doi\":\"10.1145/2976749.2989041\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"As the complexity of malware grows, so does the necessity of employing program structuring mechanisms during development. While control flow structuring is often obfuscated, the dynamic data structures employed by the program are typically untouched. We report on work in progress that exploits this weakness to identify dynamic data structures present in malware samples for the purposes of aiding reverse engineering and constructing malware signatures, which may be employed for malware classification. Using a prototype implementation, which combines the type recovery tool Howard and the identification tool Data Structure Investigator (DSI), we analyze data structures in Carberp and AgoBot malware. Identifying their data structures illustrates a challenging problem. To tackle this, we propose a new type recovery for binaries based on machine learning, which uses Howard's types to guide the search and DSI's memory abstraction for hypothesis evaluation.\",\"PeriodicalId\":432261,\"journal\":{\"name\":\"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security\",\"volume\":\"81 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2016-10-24\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/2976749.2989041\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2976749.2989041","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

摘要

随着恶意软件复杂性的增长，在开发过程中采用程序结构机制的必要性也在增加。虽然控制流结构经常被混淆，但程序所使用的动态数据结构通常是不变的。我们报告了正在进行的工作，利用这一弱点来识别恶意软件样本中存在的动态数据结构，以帮助逆向工程和构建恶意软件签名，这些签名可能用于恶意软件分类。通过结合类型恢复工具Howard和识别工具Data Structure Investigator (DSI)的原型实现，我们分析了Carberp和AgoBot恶意软件中的数据结构。确定它们的数据结构说明了一个具有挑战性的问题。为了解决这个问题，我们提出了一种基于机器学习的二进制文件的新类型恢复，它使用霍华德的类型来指导搜索，并使用DSI的内存抽象来进行假设评估。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

POSTER: Identifying Dynamic Data Structures in Malware

As the complexity of malware grows, so does the necessity of employing program structuring mechanisms during development. While control flow structuring is often obfuscated, the dynamic data structures employed by the program are typically untouched. We report on work in progress that exploits this weakness to identify dynamic data structures present in malware samples for the purposes of aiding reverse engineering and constructing malware signatures, which may be employed for malware classification. Using a prototype implementation, which combines the type recovery tool Howard and the identification tool Data Structure Investigator (DSI), we analyze data structures in Carberp and AgoBot malware. Identifying their data structures illustrates a challenging problem. To tackle this, we propose a new type recovery for binaries based on machine learning, which uses Howard's types to guide the search and DSI's memory abstraction for hypothesis evaluation.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

自引率

0.00%

发文量