Syntax and behavior semantics analysis of network protocol of malware

Cited by: 1

Authors
Ying L.-Y. [1 ,2 ,3 ]
Yang Y. [1 ]
Feng D.-G. [1 ,2 ]
Su P.-R. [1 ]
Affiliations
[1] State Key Laboratory of Information Security, Institute of Software, The Chinese Academy of Sciences
[2] State Key Laboratory of Information Security, Graduate University, The Chinese Academy of Sciences
[3] National Engineering Research Center for Information Security
Source
Ruan Jian Xue Bao/Journal of Software | 2011 / Vol. 22 / No. 07
Keywords
Dynamic analysis; Malware analysis; Network protocol reverse analysis; Network security;
DOI
10.3724/SP.J.1001.2011.03858
Abstract
Network protocol reverse analysis is an important aspect of malware analysis. There are many different network protocols, and every protocol contains different types of fields that give rise to different malware behaviors. Without the protocol syntax and field semantics, analysts cannot understand how malware interacts with the outside network. This paper presents a syntax and behavior semantics analysis method for network protocols. By monitoring how malware parses the network data and how it uses the individual fields in a virtual execution environment, this method can identify protocol fields, extract the protocol syntax, and correlate each syntax element with the corresponding malware behavior. This paper designs and implements the prototype Prama (protocol reverse analyzer for malware analysis). Experimental results show that this method can correctly infer protocol syntax and tag fields with meaningful malware behaviors. © Copyright 2011, Institute of Software, the Chinese Academy of Sciences.
Pages: 1676 / 1689
Page count: 13