Incremental verification of ω-regions on binary control flow graph for computer virus detection

Nguyen Thien Binh, Q. T. Tho, Ha Minh Ngoc, Nguyen Minh Hai
DOI: 10.1109/NICS.2016.7725670
Published in: 2016 3rd National Foundation for Science and Technology Development Conference on Information and Computer Science (NICS), 2016-09-01
Citations: 1

Abstract

A computer virus generally consists of two major parts: a syntactic signature pattern and a code segment that performs the core malicious actions. Currently, most commercial security programs rely on signature-matching techniques for virus detection, and therefore struggle with advanced polymorphic viruses that can change their signatures indefinitely. The research community has proposed model checking to overcome this problem: with core malicious actions represented as temporal logic formulas, a model checker can verify the presence of malicious actions on a control flow graph (CFG) extracted from a binary executable. However, model-checking-based approaches encounter the infamous state explosion problem. In this paper, we tackle this problem by partitioning the binary-extracted CFG into specific sub-graphs, known as ω-regions. Based on empirical observation of real virus samples, we argue that the code segment corresponding to a viral core malicious action should not occupy more than one ω-region. A tactic for locating those ω-regions in a CFG is also presented. This approach allows us to reduce verification complexity by means of an incremental verification strategy. As a result, we obtain a significant performance improvement when experimenting with a real dataset of viruses.