Similar articles

Abstract: Behavior-based malware analysis is an important technique for automatically analyzing and detecting malware, and it has received considerable attention from both academic and industrial communities. By considering how malware behaves, we can tackle the malware obfuscation problem, which cannot be processed by traditional static analysis approaches, and we can also derive the as-built behavior specifications and cover the entire behavior space of the malware samples. Although there have been several works focusing on malware behavior analysis, such research is far from mature, and no overviews have been put forward to date to investigate current developments and challenges. In this paper, we conduct a survey on malware behavior description and analysis considering three aspects: malware behavior description, behavior analysis methods, and visualization techniques. First, existing behavior data types and emerging techniques for malware behavior description are explored, especially the goals, principles, characteristics, and classifications of behavior analysis techniques proposed in the existing approaches. Second, the inadequacies and challenges in malware behavior analysis are summarized from different perspectives. Finally, several possible directions are discussed for future research.

恶意代码行为描述与分析综述

[1]Alam S, Horspool RN, Traore I, et al., 2015. A framework for metamorphic malware analysis and real-time detection. Comput Secur, 48:212-233.

[2]Alazab M, 2015. Profiling and classifying the behavior of malicious codes. J Syst Softw, 100:91-102.

[3]Alazab M, Venkataraman S, Watters P, 2010. Towards Understanding malware behaviour by the extraction of API calls. Proc 2^nd Cybercrime and Trustworthy Computing Workshop, p.52-59.

[4]Anderson B, Storlie C, Lane T, 2012. Improving malware classification: Bridging the static/dynamic gap. Proc 5^th ACM Workshop on Security and Artificial Intelligence, p.3-14.

[5]Anderson B, Lane T, Hash C, 2014. Malware phylogenetics based on the multiview graphical lasso. Proc 13^th Int Symposium on Advances in Intelligent Data Analysis XIII, p.1-12.

[6]Arp D, Spreitzenbarth M, Hübner M, et al., 2014. DREBIN: effective and explainable detection of Android malware in your pocket. Proc 17^th Network and Distributed System Security Symp, p.1-16.

[7]Babić D, Reynaud D, Song DW, 2011. Malware analysis with tree automata inference. Proc 23^rd Int Conf on Computer Aided Verification, p.116-131.

[8]Babić D, Reynaud D, Song DW, 2012. Recognizing malicious software behaviors with tree automata inference. Form Methods Syst Des, 41(1):107-128.

[9]Bailey M, Oberheide J, Andersen J, et al., 2007. Automated classification and analysis of Internet malware. Proc 10^th Int Symp on Recent Advances in Intrusion Detection, p.178-197.

[10]Barnum S, 2012. Standardizing cyber threat intelligence information with the structured threat information eXpression (STIX^TM). https://www.mitre.org/sites/default/ files/publications/stix.pdf

[11]Bauman E, Ayoade G, Lin ZQ, 2015. A survey on hypervisor-based monitoring: approaches, applications, and evolutions. ACM Comput Surv, 48(1), Article 10.

[12]Bayer U, Kruegel C, Kirda E, 2006. TTAnalyze: a tool for analyzing malware. Proc 15^th Annual Conf of the European Institute for Computer Antivirus Research, p.180-192.

[13]Bayer U, Comparetti PM, Hlauscheck C, et al., 2009. Scalable, behavior-based malware clustering. Proc 16^th Symp on Network and Distributed System Security, p.1-21.

[14]Bayer U, Habibi I, Balzarotti D, et al., 2014. A view on current malware behaviors. Proc 2^nd USENIX Conf on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More, p.8.

[15]Beaucamps P, Gnaedig I, Marion JY, 2010. Behavior abstraction in malware analysis. Proc 1^st Int Conf on Runtime Verification, p.168-182.

[16]Beaucamps P, Gnaedig I, Marion JY, 2012. Abstraction-based malware analysis using rewriting and model checking. Proc 17^th European Symp on Research in Computer Security, p.806-823.

[17]Belaoued M, Mazouzi S, 2015. A real-time pe-malware detection system based on CHI-square test and pe-file features. Proc 5^th IFIP TC 5 Int Conf on Science and Its Applications, p.416-425.

[18]Biggio B, Rieck K, Ariu D, et al., 2014. Poisoning behavioral malware clustering. Proc Workshop on Artificial Intelligent and Security Workshop, p.27-36.

[19]Bos H, 2013. Analysis report of behavioral features. http://www.wombat-project.eu/2010/07/wombat-deliverable-d16d42-anal.html

[20]Brumley D, Hartwig C, Liang ZK, et al., 2008. Automatically identifying trigger-based behavior in malware. In: Lee W, Wang C, Dagon D (Eds.), Botet Detection. Springer, Boston, MA, p.65-88.

[21]Canfora G, Mercaldo F, Visaggio CA, 2016. An hmm and structural entropy based detector for Android malware: an empirical study. Comput Secur, 61:1-18.

[22]Cao Y, Miao QG, Liu JC, et al., 2013. Abstracting minimal security-relevant behaviors for malware analysis. J Comput Virol Hack Tech, 9(4):193-204.

[23]Cen L, Gates CS, Si L, et al., 2015. A probabilistic discriminative model for Android malware detection with decompiled source code. IEEE Trans Depend Sec Comput, 12(4):400-412.

[24]Cesare S, Xiang Y, Zhou WL, 2014. Control flow-based malware variant detection. IEEE Trans Depend Sec Comput, 11(4):307-317.

[25]Chandramohan M, Tan HBK, Shar LK, 2012. Scalable malware clustering through coarse-grained behavior modeling. Proc ACM SIGSOFT 20^th Int Symp on the Foundations of Software Engineering, article 27.

[26]Christodorescu M, Jha S, Kruegel C, 2008. Mining specifications of malicious behavior. Proc 1^st India Software Engineering Conf, p.5-14.

[27]Chuang HY, Wang SD, 2015. Machine learning based hybrid behavior models for Android malware analysis. Proc IEEE Int Conf on Software Quality, Reliability and Security, p.201-206.

[28]Comparetti PM, Salvaneschi G, Kirda E, et al., 2010. Identifying dormant functionality in malware programs. Proc IEEE Symp on Security and Privacy, p.61-76.

[29]Cuckoo, 2017. Cuckoo sandbox. https://cuckoosandbox.org

[30]Dahl GE, Stokes JW, Deng L, et al., 2013. Large-scale malware classification using random projections and neural networks. Proc IEEE Int Conf on Acoustics, Speech and Signal Processing, p.3422-3426.

[31]Damodaran A, di Troia F, Visaggio CA, et al., 2017. A comparison of static, dynamic, and hybrid analysis for malware detection. J Comput Virol Hack Tech, 13(1): 1-12.

[32]Das S, Liu Y, Zhang W, et al., 2016. Semantics-based online malware detection: towards efficient real-time protection against malware. IEEE Trans Inform Forens Secur, 11(2): 289-302.

[33]Deschamps N, 2008. Specification language for code behavior. http://wombat-project.eu/WP4/FP7-ICT-216026-Wombat_WP4_D08_V01_Specification_language_for_code_behaviour.pdf

[34]Dinaburg A, Royal P, Sharif M, et al., 2008. Ether: malware analysis via hardware virtualization extensions. Proc 15^th ACM Conf on Computer and Communications Security, p.51-62.

[35]Ding YX, Yuan XB, Tang K, et al., 2013. A fast malware detection algorithm based on objective-oriented association mining. Comput Secur, 39:315-324.

[36]Ding YX, Dai W, Yan SL, et al., 2014. Control flow-based opcode behavior analysis for malware detection. Comput Secur, 44:65-74.

[37]Dube T, Raines R, Peterson G, et al., 2012. Malware target recognition via static heuristics. Comput Secur, 31(1): 137-147.

[38]Dumitras T, Neamtiu I, 2011. Experimental challenges in cyber security: a story of provenance and lineage for malware. Proc 4^th Conf on Cyber Security Experimen-tation and Test, p.9.

[39]Egele M, Scholte T, Kirda E, et al., 2012. A survey on automated dynamic malware-analysis techniques and tools. ACM Comput Surv, 44(2), Article 6.

[40]Elhadi AAE, Maarof MA, Barry BIA, et al., 2014. Enhancing the detection of metamorphic malware using call graphs. Comput Secur, 46:62-78.

[41]Feng Y, Anand S, Dillig I, et al., 2014. Apposcopy: semantics-based detection of Android malware through static analysis. Proc 22^nd ACM SIGSOFT Int Symp on Foundations of Software Engineering, p.576-587.

[42]Feng Y, Bastani O, Martins R, et al., 2017. Automated synthesis of semantic malware signatures using maxi-mum satisfiability. Proc Network and Distributed System Security Symp, p.1-16.

[43]Fratantonio Y, Bianchi A, Robertson W, et al., 2016. Triggerscope: towards detecting logic bombs in Android applications. Proc IEEE Symp on Security and Privacy, p.377-396.

[44]Fredrikson M, Jha S, Christodorescu M, et al., 2010. Synthesizing near-optimal malware specifications from suspicious behaviors. Proc IEEE Symp on Security and Privacy, p.45-60.

[45]Galal HS, Mahdy YB, Atiea MA, 2016. Behavior-based features model for malware detection. J Comput Virol Hack Tech, 12(2):59-67.

[46]Grégio ARA, Baruque AOC, Afonso VM, et al., 2012. Interactive, visual-aided tools to analyze malware behavior. Proc 12^th Int Conf on Computational Science and Its Applications, p.302-313.

[47]Gupta A, Kuppili P, Akella A, et al., 2009. An empirical study of malware evolution. Proc 1^st Int Communication Systems and NETworks and Workshops, p.1-10.

[48]Haass JC, Ahn GJ, Grimmelmann F, 2015. ACTRA: a case study for threat information sharing. Proc 2^nd ACM Workshop on Information Sharing and Collaborative Security, p.23-26.

[49]Huang HD, Acampora G, Loia V, et al., 2011. Applying FML and fuzzy ontologies to malware behavioural analysis. Proc IEEE Int Conf on Fuzzy Systems, p.2018-2025.

[50]Huang HD, Lee CS, Wang MH, et al., 2014. IT2FS-based ontology with soft-computing mechanism for malware behavior analysis. Soft Comput, 18(2):267-284.

[51]Huang L, Joseph AD, Nelson B, et al., 2011. Adversarial machine learning. Proc 4^th ACM Workshop on Security and Artificial Intelligence, p.43-58.

[52]Inoue D, Yoshioka K, Eto M, et al., 2009. Automated malware analysis system and its sandbox for revealing malware’s internal and external activities. IEICE Trans Inform Syst, E92.D(5):945-954.

[53]Jacob G, Debar H, Filiol E, 2009. Malware behavioral detection by attribute-automata using abstraction from platform and language. Proc 12^th Int Symp on Recent Advances in Intrusion Detection, p.81-100.

[54]Jang J, Woo M, Brumley D, 2013. Towards automatic software lineage inference. Proc 22^nd USENIX Conf on Security, p.81-96.

[55]Kharraz A, Arshad S, Mulliner C, et al., 2016. UNVEIL: a large-scale, automated approach to detecting ransomware. Proc 25^th USENIX Security Symp, p.757-772.

[56]Kirat D, Vigna G, 2015. MalGene: automatic extraction of malware analysis evasion signature. Proc 22^nd ACM SIGSAC Conf on Computer and Communications Security, p.769-780.

[57]Kirat D, Vigna G, Kruegel C, 2014. Barecloud: bare-metal analysis-based evasive malware detection. Proc 23^rd USENIX Conf on Security Symp, p.287-301.

[58]Kirda E, Kruegel C, Banks G, et al., 2006. Behavior-based spyware detection. Proc 15^th Conf on USENIX Security Symp, Article 19.

[59]Kirillov I, Beck D, Chase P, et al., 2011. Malware attribute enumeration and characterization (MAEC™). http://maec.mitre.org/

[60]Kokkonen T, Hautamaki J, Siltanen J, et al., 2016. Model for sharing the information of cyber security situation awareness between organizations. Proc 23^rd Int Conf on Telecommunications, p.1-5.

[61]Kruegel C, 2014. Full system emulation: achieving successful automated dynamic analysis of evasive malware. Lastline, Inc., Las Vegas, NV, USA.

[62]Lanzi A, Sharif M, Lee W, 2009. K-Tracer: a system for extracting kernel malware behavior. Proc Network and Distributed System Security Symp, p.163-169.

[63]Lebiere C, Bennati S, Thomson R, et al., 2015. Functional cognitive models of malware identification. Proc 13^th Annual Conf on Cognitive Modeling, p.90-95.

[64]Leder F, Steinbock B, Martini P, 2009. Classification and detection of metamorphic malware using value set analysis. Proc 4^th Int Conf on Malicious and Unwanted Software, p.39-46.

[65]Lee T, Choi B, Shin Y, et al., 2015. Automatic malware mutant detection and group classification based on the n-gram and clustering coefficient. J Supercomput, p.1-15.

[66]Lindorfer M, Kolbitsch C, Comparetti PM, 2011. Detecting environment-sensitive malware. Proc 14^th Int Symp on Recent Advances in Intrusion Detection, p.338-357.

[67]Liu L, Wang BS, Yu B, et al., 2016. A novel selective ensemble learning based on K-means and negative correlation. Proc 2^nd Int Conf on Cloud Computing and Security, p.578-588.

[68]Martignoni L, Stinson E, Fredrikson M, et al., 2008. A layered architecture for detecting malicious behaviors. Proc 11^th Int Symp on Recent Advances in Intrusion Detection, p.78-97.

[69]Martignoni L, Paleari R, Bruschi D, 2009. A framework for behavior-based malware analysis in the cloud. Proc 5^th Int Conf on Information Systems Security, p.178-192.

[70]Miao QG, Liu JC, Cao Y, et al., 2016. Malware detection using bilayer behavior abstraction and improved one-class support vector machines. Int J Inform Secur, 15(4):361-379.

[71]Ming J, Xin Z, Lan PW, et al., 2015. Replacement attacks: automatically impeding behavior-based malware specifications. Proc 13^th Int Conf on Applied Cryptography and Network Security, p.497-517.

[72]Ming J, Xin Z, Lan PW, et al., 2017. Impeding behavior-based malware analysis via replacement attacks to malware specifications. J Comput Virol Hack Tech, 13(3):193-207.

[73]Mithal T, Shah K, Singh DK, 2016. Case studies on intelligent approaches for static malware analysis. In: Shetty NR, Prasad NH, Nalini N (Eds.), Emerging Research in Computing, Information, Communication and Applications. Springer, Singapore, p.555-567.

[74]Mohaisen A, Alrawi O, 2015. AMAL: high-fidelity, behavior-based automated malware analysis and classification. Proc 15^th Int Workshop on Information Security Applications, p.107-121.

[75]Moonsamy V, Tian RH, Batten L, 2012. Feature reduction to speed up malware classification. Proc 16^th Nordic Conf on Information Security Technology for Applications, p.176-188.

[76]Moser A, Kruegel C, Kirda E, 2007. Exploring multiple execution paths for malware analysis. Proc IEEE Symp on Security and Privacy, p.231-245.

[77]Naval S, Laxmi V, Rajarajan M, et al., 2015. Employing program semantics for malware detection. IEEE Trans Inform Forens Secur, 10(12):2591-2604.

[78]Neugschwandtner M, Platzer C, Comparetti PM, et al., 2010. dAnubis—dynamic device driver analysis based on virtual machine introspection. Proc 7^th Int Conf on Detection of Intrusions and Malware, and Vulnerability Assessment, p.41-60.

[79]Nunes E, Buto C, Shakarian P, et al., 2015. Malware task identification: a data driven approach. Proc IEEE/ACM Int Conf on Advances in Social Networks Analysis and Mining, p.978-985.

[80]O’Kane P, Sezer S, McLaughlin K, et al., 2013. SVM training phase reduction using dataset feature filtering for malware detection. IEEE Trans Inform Forens Secur, 8(3):500-509.

[81]Palahan S, Babić D, Chaudhuri S, et al., 2013. Extraction of statistically significant malware behaviors. Proc 29^th Annual Computer Security Applications Conf, p.69-78.

[82]Park Y, Reeves DS, Stamp M, 2013. Deriving common malware behavior through graph clustering. Comput Secur, 39:419-430.

[83]Pleszkoch M, Linger R, 2015. Controlling combinatorial complexity in software and malware behavior computation. Proc 10^th Annual Cyber and Information Security Research Conf, Article 15.

[84]Poeplau S, Fratantonio Y, Bianchi A, et al., 2014. Execute this! Analyzing unsafe and malicious dynamic code loading in Android applications. Proc Network and Distributed System Security Symp, p.23-26.

[85]Razak MFA, Anuar NB, Salleh R, et al., 2016. The rise of “malware”: bibliometric analysis of malware study. J Netw Comput Appl, 75:58-76.

[86]Rieck K, Holz T, Willems C, et al., 2008. Learning and classification of malware behavior. Proc 5^th Int Conf on Detection of Intrusions and Malware, and Vulnerability Assessment, p.108-125.

[87]Rieck K, Trinius P, Willems C, et al., 2011. Automatic analysis of malware behavior using machine learning. J Comput Secur, 19(4):639-668.

[88]Riley R, Jiang XX, Xu DY, 2009. Multi-aspect profiling of kernel rootkit behavior. Proc 4^th ACM European Conf on Computer Systems, p.47-60.

[89]Royal P, Halpin M, Dagon D, et al., 2006. PolyUnpack: automating the hidden-code extraction of unpack-executing malware. Proc 22^nd Annual Computer Security Applications Conf, p.289-300.

[90]Saxe J, Mentis D, Greamo C, 2012. Visualization of shared system call sequence relationships in large malware corpora. Proc 9^th Int Symp on Visualization for Cyber Security, p.33-40.

[91]Saxe J, Turner R, Blokhin K, 2014. Crowdsource: automated inference of high level malware functionality from low-level symbols using a crowd trained machine learning model. Proc 9^th Int Conf on Malicious and Unwanted Software: the Americas, p.68-75.

[92]Shan ZY, Wang X, 2014. Growing grapes in your computer to defend against malware. IEEE Trans Inform Forens Secur, 9(2):196-207.

[93]Shi HB, Hamagami T, Yoshioka K, et al., 2014. Structural classification and similarity measurement of malware. IEEJ Trans Electr Electron Eng, 9(6):621-632.

[94]Shosha AF, Liu C, Gladyshev P, et al., 2012. Evasion-resistant malware signature based on profiling kernel data structure objects. Proc 7^th Int Conf on Risk and Security of Internet and Systems, p.1-8.

[95]Sirinda P, 2014. A framework for mining significant subgraphs and its application in malware analysis. PhD Thesis, The Pennsylvania State University, Pennsylvania, USA.

[96]Suarez-Tangil G, Conti M, Tapiador JE, et al., 2014. Detecting targeted smartphone malware with behavior-triggering stochastic models. Proc 19^th European Symp on Research in Computer Security, p.183-201.

[97]Sun MK, Lin MJ, Chang M, et al., 2011. Malware virtualization-resistant behavior detection. Proc 17^th Int Conf on Parallel and Distributed Systems, p.912-917.

[98]Thomson R, Lebiere C, Bennati S, et al., 2015. Malware identification using cognitively-inspired inference. Proc 24^th Annual Behavior Representation in Modeling and Simulation Conf, p.1-8.

[99]Trinius P, Holz T, Göbel J, et al., 2009. Visual analysis of malware behavior using treemaps and thread graphs. Proc 6^th Int Workshop on Visualization for Cyber Security, p.33-38.

[100]Trinius P, Willems C, Holz T, et al., 2011. A malware instruction set for behavior-based analysis. http://subs.emis.de/LNI/Proceedings/Proceedings170/article5739.html

[101]Walenstein A, Lakhotia A, 2012. A transformation-based model of malware derivation. Proc 7^th Int Conf on Malicious and Unwanted Software, p.17-25.

[102]Wang SW, Wang BS, Yong T, et al., 2015. Malware clustering based on SNN density using system calls. Proc 1^st Int Conf on Cloud Computing and Security, p.181-191.

[103]Wang Z, Jiang XX, Cui WD, et al., 2008. Countering persistent kernel rootkits through systematic hook discovery. Proc 11^th Int Symp on Recent Advances in Intrusion Detection, p.21-38.

[104]Watson MR, Shirazi NUH, Marnerides AK, et al., 2016. Malware detection in cloud computing infrastructures. IEEE Trans Depend Sec Comput, 13(2):192-205.

[105]Wu DJ, Mao CH, Wei TE, et al., 2012. DroidMat: Android malware detection through manifest and API calls tracing. Proc 7^th Asia Joint Conf on Information Security, p.62-69.

[106]Wüchner T, Ochoa M, Pretschner A, 2015. Robust and effective malware detection through quantitative data flow graph metrics. Proc 12^th Int Conf on Detection of Intrusions and Malware, and Vulnerability Assessment, p.98-118.

[107]Yang C, Xu ZY, Gu GF, et al., 2014. DroidMiner: automated mining and characterization of fine-grained malicious behaviors in Android applications. Proc 19^th European Symp on Research in Computer Security, p.163-182.

[108]Yang W, Xiao XS, Andow B, et al., 2015. AppContext: differentiating malicious and benign mobile app behaviors using context. Proc 37^th IEEE Int Conf on Software Engineering, p.303-313.

[109]Yavvari C, Tokhtabayev A, Rangwala H, et al., 2012. Malware characterization using behavioral components. Proc 6^th Int Conf on Mathematical Methods, Models, and Architectures for Computer Network Security, p.226-239.

[110]Yerima SY, Sezer S, Muttik I, 2015. High accuracy Android malware detection using ensemble learning. IET Inform Secur, 9(6):313-320.

[111]Yin H, Liang ZK, Song D, 2008. HookFinder: identifying and understanding malware hooking behaviors. Proc Network and Distributed System Security Symp, p.1-16.

[112]Yuan JF, Qiang WZ, Jin H, et al., 2014. Cloudtaint: an elastic taint tracking framework for malware detection in the cloud. J Supercomput, 70(3):1433-1450.

[113]Zhang FW, Leach K, Stavrou A, et al., 2015. Using hardware features for increased debugging transparency. Proc IEEE Symp on Security and Privacy, p.55-69.

[114]Zhang H, Yao DF, Ramakrishnan N, et al., 2016. Causality reasoning about network events for detecting stealthy malware activities. Comput Secur, 58:180-198.

[115]Zhang M, Duan Y, Yin H, et al., 2014. Semantics-aware Android malware classification using weighted contextual API dependency graphs. Proc ACM SIGSAC Conf on Computer and Communications Security, p.1105-1116.

[116]Zhao ZQ, Wang JF, Bai JR, 2014. Malware detection method based on the control-flow construct feature of software. IET Inform Secur, 8(1):18-24.

[117]Zhou YJ, Jiang XX, 2012. Dissecting Android malware: characterization and evolution. Proc IEEE Symp on Security and Privacy, p.95-109.