DOI: 10.1145/948187.948201

Detection of injected, dynamically generated, and obfuscated malicious code

Published: 27 October 2003

ABSTRACT

This paper presents DOME, a host-based technique for detecting several general classes of malicious code in software executables. DOME uses static analysis to identify the locations (virtual addresses) of system calls within the software executables, and then monitors the executables at runtime to verify that every observed system call is made from a location identified using static analysis. The power of this technique is that it is simple, practical, applicable to real-world software, and highly effective against injected, dynamically generated, and obfuscated malicious code.
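As an added illustration of the two phases the abstract describes (this is example code written for this page, not the authors' DOME implementation), the Python below runs a toy version of the scheme against a hand-assembled 32-bit x86 function and a constructed runtime trace. The code bytes, the addresses, the import-table layout, the four API names and the trace are all assumptions made for the example. The static phase is a linear scan for `call dword ptr [iat_slot]` instructions rather than a full disassembly, and the runtime phase is handed return addresses directly instead of reading them off the stack inside an API hook.

```python
import struct

# Constructed toy image: a 32-bit x86 code section mapped at CODE_BASE and an
# import address table (IAT) with four slots. Neither is a real PE file; the
# layout is an assumption made for this example.
CODE_BASE = 0x00401000
IAT_SLOTS = {
    0x00402000: "CreateFileA",
    0x00402004: "WriteFile",
    0x00402008: "VirtualAlloc",
    0x0040200C: "CreateThread",
}


def call_through_iat(slot):
    """Encode 'call dword ptr [slot]' (opcode FF 15 + 32-bit absolute address)."""
    return b"\xff\x15" + struct.pack("<I", slot)


# Hand-assembled function body. Addresses in the comments are CODE_BASE + offset.
CODE = (
    b"\x55"                               # 0x00401000  push ebp
    + b"\x8b\xec"                         # 0x00401001  mov  ebp, esp
    + call_through_iat(0x00402000)        # 0x00401003  call [CreateFileA]  (returns to 0x00401009)
    + b"\x85\xc0"                         # 0x00401009  test eax, eax
    + call_through_iat(0x00402004)        # 0x0040100B  call [WriteFile]    (returns to 0x00401011)
    + b"\x5d"                             # 0x00401011  pop  ebp
    + b"\xc3"                             # 0x00401012  ret
)


def find_call_sites(code, base, iat_slots):
    """Static phase: map each legitimate return address to the API it calls.

    Scans for FF 15 <abs32> where <abs32> is an IAT slot. The return address
    pushed by the call is the address of the next instruction (site + 6).
    A linear byte scan is a simplification; a real implementation would walk
    a proper disassembly so that data bytes cannot masquerade as calls.
    """
    sites = {}
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] == 0x15:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            if slot in iat_slots:
                sites[base + i + 6] = iat_slots[slot]
                i += 6
                continue
        i += 1
    return sites


def check_call(sites, api, return_address):
    """Runtime phase: verdict for one intercepted API call.

    `return_address` is what a hook would read from the top of the stack on
    entry to the API. A call whose return address is not a statically known
    site, or whose site was known to call a different API, is flagged.
    """
    expected = sites.get(return_address)
    if expected is None:
        return ("ALERT", f"{api} called from unknown site {return_address:#010x}")
    if expected != api:
        return ("ALERT", f"site {return_address:#010x} should call {expected}, called {api}")
    return ("OK", f"{api} from {return_address:#010x}")


# Constructed runtime trace: (API name, return address seen by the hook).
# The last two events model shellcode executing from heap and stack memory,
# which no static call site covers.
TRACE = [
    ("CreateFileA", 0x00401009),
    ("WriteFile", 0x00401011),
    ("VirtualAlloc", 0x00143F10),
    ("CreateThread", 0x0012FE40),
]


def run_monitor(code=CODE, base=CODE_BASE, iat_slots=IAT_SLOTS, trace=TRACE):
    """Return the list of verdicts DOME-style checking produces for `trace`."""
    sites = find_call_sites(code, base, iat_slots)
    return [check_call(sites, api, ret) for api, ret in trace]


if __name__ == "__main__":
    for verdict, detail in run_monitor():
        print(f"{verdict:5} {detail}")
```

The two alerts are the injected-code case: the return address lies in heap or stack memory that the static phase never saw. Two caveats a practitioner would add: a hook placed at the API layer only sees calls that go through it, so code that issues system calls directly bypasses the check entirely; and an attacker who can set up the stack and jump into a legitimate call site produces an event with a known return address, which is the mimicry problem that any return-address-based monitor has to reason about separately.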

