TY - GEN
T1 - Fast discovery of VM-sensitive divergence points with basic block comparison
AU - Liu, Yen Ju
AU - Chen, Chong Kuan
AU - Cho, Michael Cheng Yi
AU - Shieh, Shiuhpyng
PY - 2014/1/1
Y1 - 2014/1/1
N2 - To evade VM-based malware analysis systems, VM-aware malware equipped with the ability to detect the presence of a virtual machine has appeared. To cope with this problem, detecting VM-aware malware and locating the VM-sensitive divergence points of VM-aware malware are urgently needed. In this paper, we propose a novel block-based divergence locator. In contrast to conventional instruction-based schemes, the block-based divergence locator divides a malware program into basic blocks, instead of binary instructions, and uses them as the analysis unit. The block-based divergence locator significantly decreases the cost of behavior logging and trace comparison, as well as the size of behavior traces. In our evaluation, behavior logging is 23.87-39.49 times faster than the conventional schemes. The total number of analysis units, which largely determines the cost of trace comparison, is 11.95%-16.00% of that of the conventional schemes. Consequently, VM-sensitive divergence points can be discovered more efficiently. The correctness of our divergence point discovery algorithm is also proved formally in this paper.
AB - To evade VM-based malware analysis systems, VM-aware malware equipped with the ability to detect the presence of a virtual machine has appeared. To cope with this problem, detecting VM-aware malware and locating the VM-sensitive divergence points of VM-aware malware are urgently needed. In this paper, we propose a novel block-based divergence locator. In contrast to conventional instruction-based schemes, the block-based divergence locator divides a malware program into basic blocks, instead of binary instructions, and uses them as the analysis unit. The block-based divergence locator significantly decreases the cost of behavior logging and trace comparison, as well as the size of behavior traces. In our evaluation, behavior logging is 23.87-39.49 times faster than the conventional schemes. The total number of analysis units, which largely determines the cost of trace comparison, is 11.95%-16.00% of that of the conventional schemes. Consequently, VM-sensitive divergence points can be discovered more efficiently. The correctness of our divergence point discovery algorithm is also proved formally in this paper.
KW - Malware behavior analysis
KW - VM-aware malware
KW - Virtual machine
UR - http://www.scopus.com/inward/record.url?scp=84910100416&partnerID=8YFLogxK
U2 - 10.1109/SERE.2014.33
DO - 10.1109/SERE.2014.33
M3 - Conference contribution
AN - SCOPUS:84910100416
T3 - Proceedings - 8th International Conference on Software Security and Reliability, SERE 2014
SP - 196
EP - 205
BT - Proceedings - 8th International Conference on Software Security and Reliability, SERE 2014
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 8th International Conference on Software Security and Reliability, SERE 2014
Y2 - 30 June 2014 through 2 July 2014
ER -
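The abstract above describes the core idea of a block-based divergence locator: log a trace per executed basic block rather than per instruction, then compare the VM-run trace with the bare-metal trace to find the first block where they part ways. The following is an added illustrative example, not the paper's own code or algorithm. It uses a constructed toy program in which a cpuid-based check (an assumption for illustration) decides between an evasive path and the real payload, builds basic blocks with the classic leader rule, collapses two constructed instruction-level traces into block-level traces, and reports the branch instruction at which they diverge. Function names, the program listing and both traces are invented for this example.

```python
"""Block-level divergence location on constructed traces (illustrative only)."""
from typing import Dict, List, Optional

# Constructed toy program (address -> disassembly). Instruction sizes do not
# matter here; the next address in sorted order is the fall-through successor.
PROGRAM: Dict[int, str] = {
    0x1000: "push ebp",
    0x1001: "mov ebp, esp",
    0x1003: "cpuid",
    0x1005: "cmp ecx, 0x80000000",   # assumed hypervisor-present check
    0x100B: "jne 0x1020",
    0x100D: "mov eax, 1",             # taken when a VM is detected: evasive path
    0x1012: "jmp 0x1030",
    0x1020: "mov eax, 0",             # no VM: real behaviour
    0x1025: "nop",
    0x1030: "pop ebp",
    0x1031: "ret",
}

# Constructed instruction-level traces: the VM run sees the hypervisor bit set
# (jne not taken), the bare-metal run does not (jne taken).
VM_TRACE = [0x1000, 0x1001, 0x1003, 0x1005, 0x100B, 0x100D, 0x1012, 0x1030, 0x1031]
NATIVE_TRACE = [0x1000, 0x1001, 0x1003, 0x1005, 0x100B, 0x1020, 0x1025, 0x1030, 0x1031]

CONDITIONAL = {"je", "jne", "jz", "jnz", "ja", "jb", "jg", "jl", "jge", "jle"}
UNCONDITIONAL = {"jmp", "call", "ret"}


def mnemonic(insn: str) -> str:
    return insn.split()[0]


def branch_target(insn: str) -> Optional[int]:
    """Immediate target of a direct jump/call, or None (ret, indirect)."""
    parts = insn.split()
    if len(parts) == 2 and mnemonic(insn) in CONDITIONAL | {"jmp", "call"}:
        try:
            return int(parts[1], 16)
        except ValueError:
            return None
    return None


def block_leaders(program: Dict[int, str]) -> List[int]:
    """Leader rule: the entry point, every direct branch target, and the
    instruction following every control-transfer instruction start a block."""
    addrs = sorted(program)
    leaders = {addrs[0]}
    for i, addr in enumerate(addrs):
        if mnemonic(program[addr]) in CONDITIONAL | UNCONDITIONAL:
            target = branch_target(program[addr])
            if target is not None and target in program:
                leaders.add(target)
            if i + 1 < len(addrs):
                leaders.add(addrs[i + 1])
    return sorted(leaders)


def to_block_trace(insn_trace: List[int], leaders: List[int]) -> List[int]:
    """Keep only block entries: one record per executed block, not per instruction."""
    leader_set = set(leaders)
    return [a for a in insn_trace if a in leader_set]


def block_terminator(program: Dict[int, str], leaders: List[int], leader: int) -> int:
    """Address of the last instruction in the block that starts at `leader`."""
    addrs = sorted(program)
    end_idx = len(addrs) - 1
    for nxt in leaders:
        if nxt > leader:
            end_idx = addrs.index(nxt) - 1
            break
    return addrs[end_idx]


def first_divergence(trace_a: List[int], trace_b: List[int]) -> Optional[int]:
    """Index of the first differing block entry; None if the traces are identical."""
    for i, (a, b) in enumerate(zip(trace_a, trace_b)):
        if a != b:
            return i
    if len(trace_a) != len(trace_b):
        return min(len(trace_a), len(trace_b))  # one trace is a prefix of the other
    return None


def locate_divergence(program: Dict[int, str], vm_trace: List[int], native_trace: List[int]):
    """Map both traces to block level and name the branch where they split."""
    leaders = block_leaders(program)
    vm_blocks = to_block_trace(vm_trace, leaders)
    native_blocks = to_block_trace(native_trace, leaders)
    i = first_divergence(vm_blocks, native_blocks)
    if i is None or i == 0:
        return None  # identical traces, or different entry points (not handled here)
    last_common = vm_blocks[i - 1]
    return {
        "divergence_point": block_terminator(program, leaders, last_common),
        "vm_next": vm_blocks[i] if i < len(vm_blocks) else None,
        "native_next": native_blocks[i] if i < len(native_blocks) else None,
        "units_insn": (len(vm_trace), len(native_trace)),
        "units_block": (len(vm_blocks), len(native_blocks)),
    }


if __name__ == "__main__":
    result = locate_divergence(PROGRAM, VM_TRACE, NATIVE_TRACE)
    print(f"divergence at {result['divergence_point']:#x}: {PROGRAM[result['divergence_point']]}")
    print(f"VM continues at {result['vm_next']:#x}, native at {result['native_next']:#x}")
    print(f"analysis units: {result['units_insn']} instructions vs {result['units_block']} blocks")
```

Two caveats apply when this is run on real traces rather than the constructed ones. First, the block trace carries the same control-flow information as the instruction trace only if every branch target is a leader; indirect jumps, return addresses and self-modifying code have to be resolved dynamically or the block boundaries drift. Second, the first divergence is only meaningful if run-to-run non-determinism (ASLR, timing, scheduling, randomised data) has been controlled or filtered, otherwise the locator points at an unrelated branch rather than the VM check.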