ABSTRACT
This paper presents DOME, a host-based technique for detecting several general classes of malicious code in software executables. DOME uses static analysis to identify the locations (virtual addresses) of system calls within the software executables, and then monitors the executables at runtime to verify that every observed system call is made from a location identified using static analysis. The power of this technique is that it is simple, practical, applicable to real-world software, and highly effective against injected, dynamically generated, and obfuscated malicious code.
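The two-phase check the abstract describes, as an added illustration that is not code from the paper: a static pass scans a constructed 32-bit x86 code section for `call dword ptr [imm32]` instructions (opcode FF 15) whose operand is a slot in a constructed import address table, and records, per imported API, the return address that such a call pushes (call site plus the 6-byte instruction length). A runtime monitor, standing in for an API hook, then accepts an intercepted call only if the return address found on the stack is one of those recorded for that API. The image base, section layout, import names and trace of observed calls are all constructed for the example; the linear byte scan is a simplification of real disassembly.

```python
"""DOME-style call-site whitelisting, illustrative example (not the paper's code).

Static pass : find `call [slot]` (FF 15 imm32) into a known IAT and record the
              return address each legitimate API call will push.
Runtime pass: for each intercepted API call, the return address on the stack
              must be one of the statically recorded sites for that API.
"""
import struct

IMAGE_BASE = 0x00400000   # constructed image base
CODE_RVA = 0x1000         # constructed: .text mapped at 0x00401000
IAT_RVA = 0x2000          # constructed: import address table at 0x00402000
CALL_LEN = 6              # FF 15 + 4-byte absolute operand

# Constructed import address table: slot virtual address -> imported API name
IAT = {
    IMAGE_BASE + IAT_RVA + 0: "CreateFileW",
    IMAGE_BASE + IAT_RVA + 4: "WriteFile",
    IMAGE_BASE + IAT_RVA + 8: "CreateProcessW",
}


def call_via_iat(slot_va):
    """Encode `call dword ptr [slot_va]` (FF 15 disp32)."""
    return b"\xff\x15" + struct.pack("<I", slot_va)


# Constructed .text section: prologue, two API calls, epilogue.
CODE = (
    b"\x55\x8b\xec"                             # push ebp; mov ebp, esp   (RVA 0x1000)
    + call_via_iat(IMAGE_BASE + IAT_RVA + 0)    # call [CreateFileW]       (RVA 0x1003)
    + b"\x8b\xf0"                               # mov esi, eax             (RVA 0x1009)
    + call_via_iat(IMAGE_BASE + IAT_RVA + 4)    # call [WriteFile]         (RVA 0x100b)
    + b"\x5d\xc3"                               # pop ebp; ret             (RVA 0x1011)
)


def find_api_call_sites(code, code_va, iat):
    """Static pass: return {api: {return_address, ...}} for every FF 15 call
    whose operand names a known IAT slot.  A linear scan of raw bytes is a
    simplification; a real tool disassembles so that FF 15 inside another
    instruction's operand is not mistaken for a call."""
    sites = {}
    i = 0
    while i + CALL_LEN <= len(code):
        if code[i] == 0xFF and code[i + 1] == 0x15:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            api = iat.get(slot)
            if api is not None:
                # The call pushes the address of the next instruction.
                sites.setdefault(api, set()).add(code_va + i + CALL_LEN)
                i += CALL_LEN
                continue
        i += 1
    return sites


class CallSiteMonitor:
    """Runtime pass: models a hook placed on each imported API.  On entry the
    hook reads the return address from the stack and compares it with the
    statically recorded call sites for that API."""

    def __init__(self, allowed):
        self.allowed = allowed
        self.alerts = []

    def on_api_call(self, api, return_address):
        ok = return_address in self.allowed.get(api, ())
        if not ok:
            self.alerts.append((api, return_address))
        return ok


# Constructed trace of intercepted calls: (API name, return address on stack).
TRACE = [
    ("CreateFileW", 0x00401009),     # legitimate: recorded site
    ("WriteFile", 0x00401011),       # legitimate: recorded site
    ("CreateProcessW", 0x00401011),  # known site, but static pass saw WriteFile there
    ("WriteFile", 0x00350020),       # return address on the heap: injected code
    ("CreateFileW", 0x00401009),     # legitimate again
]


def run_demo():
    sites = find_api_call_sites(CODE, IMAGE_BASE + CODE_RVA, IAT)
    monitor = CallSiteMonitor(sites)
    results = [monitor.on_api_call(api, ra) for api, ra in TRACE]
    return sites, results, monitor.alerts


if __name__ == "__main__":
    sites, results, alerts = run_demo()
    for api, addrs in sorted(sites.items()):
        print(f"{api:15s} may be called from {[hex(a) for a in sorted(addrs)]}")
    for (api, ra), ok in zip(TRACE, results):
        print(f"{api:15s} from {ra:#010x}: {'ok' if ok else 'ALERT'}")
```

The check here is per API, so a call reaching `CreateProcessW` from a site the static pass attributed to `WriteFile` (as happens when an import slot is overwritten) is flagged along with a call whose return address lies outside the image entirely. The caveat a practitioner should keep in mind is that the monitor trusts the return address it reads from the stack: an attacker who knows the recorded sites can push a forged return address and jump to the API directly, so this kind of check is strongest when combined with inspection of more of the call stack than the single top frame.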
Index Terms
Detection of injected, dynamically generated, and obfuscated malicious code