Publication


Featured research published by Arun Lakhotia.


Journal in Computer Virology | 2005

Malware Phylogeny Generation using Permutations of Code

Md. Enamul Karim; Andrew Walenstein; Arun Lakhotia; Laxmi Parida

Malicious programs, such as viruses and worms, are frequently related to previous programs through evolutionary relationships. Discovering those relationships and constructing a phylogeny model is expected to be helpful for analyzing new malware and for establishing a principled naming scheme. Matching permutations of code may help build better models in cases where malware evolution does not keep things in the same order. We describe methods for constructing phylogeny models that use features called n-perms to match possibly permuted code. An experiment was performed to compare the relative effectiveness of vector similarity measures using n-perms and n-grams when comparing permuted variants of programs. The similarity measures using n-perms maintained a greater separation between the similarity scores of permuted families of specimens versus unrelated specimens. A subsequent study using a tree generated through n-perms suggests that phylogeny models based on n-perms may help forensic analysts investigate new specimens, and assist in reconciling malware naming inconsistencies.

Abstract (Czech version, translated): Malicious programs, such as viruses and worms (malware), are seldom written from scratch. They are usually the product of their evolutionary relationships. Discovering these relationships and constructing an accurate phylogeny is expected to be helpful in analyzing new malware and in establishing a principled naming scheme. Matching permutations of code within malware may offer advantages for phylogeny generation, because the evolutionary steps implemented by malware authors may not preserve the order of shared code. We describe a family of phylogeny generators that perform clustering using PQ-tree-based feature extraction. An experiment was performed in which the tree output of these generators was evaluated against phylogenies generated using weighted n-grams. The results show the advantages of the permutation-based approach in malware phylogeny generation.

Abstract (French version, translated): Malicious codes, such as viruses and worms, are rarely written from scratch; consequently, evolutionary relationships exist between these codes. Establishing these relationships and constructing an accurate phylogeny promises a better ability to analyze new malicious codes and a de facto method for naming them. Matching permutations of code against parts of malicious codes is likely to be very useful in establishing a phylogeny, since the evolutionary steps carried out by malware authors generally do not preserve the order of the instructions in the shared code. We describe a family of phylogeny generators that perform clustering using features extracted from PQ trees. An experiment was carried out in which the tree produced by these generators is evaluated by comparing it with the reference classifications used by scanning antivirus products, and by comparing it with phylogenies produced using weighted n-grams. The results demonstrate the value of the permutation-based approach in malware phylogeny generation.

Abstract (Finnish version, translated): Malicious programs, such as computer viruses and worms, are rarely written from scratch. As a result, evolution-like similarities can be found between them. Finding these similarities and building an accurate evolution-based model can ease the analysis of new malicious programs and support naming conventions. Searching for permutations in code may offer advantages for building an evolutionary model, because the evolutionary steps taken by malware authors do not necessarily preserve sequential order in program code. We describe a set of evolutionary-model generators that perform clustering using PQ-tree-based features. We also carried out an experiment in which the resulting tree was compared with a reference set produced by an antivirus program and with evolutionary models built from weighted n-grams. The results suggest that the permutation-based approach can be used successfully to build evolutionary models.

Abstract (German version, translated): Malicious programs, such as viruses and worms, are only very rarely written entirely from scratch; as a result, dependencies can be found between different malicious codes. With respect to the classification and scientific analysis of new malicious codes, it can be very helpful to expose dependencies on existing malicious codes and thus to construct a family tree. Among other things, the article discusses modern approaches to family-tree generation using selected Win32 viruses.

Abstract (Italian version, translated): Malicious programs, such as viruses and worms, are rarely written from scratch; this means that there are evolutionary relationships among them. Discovering these relationships and constructing an accurate phylogeny can help both in analyzing new programs of this kind and in establishing a nomenclature with a solid basis. Searching for code permutations across programs can give an advantage in phylogeny generation, since the evolutionary steps implemented by the authors may not have preserved the sequential order of the original code. In this article we describe a family of phylogeny generators that perform clustering using PQ-tree-based features. In an experiment, the output tree of the generators is compared with a reference classification obtained from an anti-virus program and with phylogenies generated using weighted n-grams. The results indicate the positive outcome of the permutation-based approach in malware phylogeny generation.


International Conference on Software Engineering | 1993

Rule-based approach to computing module cohesion

Arun Lakhotia

Stevens, Myers, and Constantine (1974) introduced the notion of cohesion, an ordinal scale of seven levels that describes the degree to which the actions performed by a module contribute to a unified function. They provided rules, termed associative principles, to examine the relationships between the processing elements of a module and assign a cohesion level to it. Stevens et al., however, did not give a precise definition of the term processing element. The author interprets the output variables of a module as its processing elements. Stevens et al.'s associative principles are transformed to relate the output variables based on their data and control dependence relationships. What results is a rule-based approach to computing cohesion. Experimental results show that, except for temporal cohesion, the cohesion assigned to a module under this reinterpretation and that under the original definitions are identical for all examples.


Information & Software Technology | 1998

Restructuring programs by tucking statements into functions

Arun Lakhotia; Jean-Christophe Deprez

Changing the internal structure of a program without changing its behavior is called restructuring. This paper presents a transformation called tuck for restructuring programs by decomposing large functions into small functions. Tuck consists of three steps: Wedge, Split, and Fold. A wedge, a subset of statements in a slice, contains computations that are related and that may form a meaningful function. The statements in a wedge are split from the rest of the code and folded into a new function. A call to the new function is placed in the now restructured function. That tuck does not alter the behavior of the original function follows from the semantics-preserving properties of a slice.


Journal of Systems and Software | 1997

A unified framework for expressing software subsystem classification techniques

Arun Lakhotia

The architecture of a software system classifies its components into subsystems and describes the relationships between the subsystems. The information contained in such an abstraction is of immense significance in various software maintenance activities. There is considerable interest in extracting the architecture of a software system from its source code and, hence, in techniques that classify the components of a program into subsystems. Techniques for classifying subsystems presented in the literature differ in the type of components they place in a subsystem and the information they use to identify related components. However, these techniques have been presented using different terminology and symbols, making it harder to perform comparative analyses. This article presents a unified framework for expressing techniques of classifying subsystems of a software system. The framework is comprised of a consistent set of terminology, notation, and symbols that may be used to describe the input, output, and processing performed by these techniques. Using this framework, several subsystem classification techniques have been reformulated. This reformulation makes it easier to compare these techniques and provides a first step towards evaluating their relative effectiveness.


IEEE Computer | 2006

Unmanned vehicles come of age: The DARPA grand challenge

Arun Lakhotia; Erik Blasch

While the DARPA Grand Challenge has revitalized interest in intelligent highway systems, autonomous vehicles, and sensing technology, a host of other novel issues afford interesting design and computer-engineering challenges for the future.


Journal of Systems and Software | 1993

Understanding someone else's code: analysis of experiences

Arun Lakhotia

It is the intention of the Journal of Systems and Software to publish, from time to time, articles cut from a different mold. This is one in that series. The object of the CONTROVERSY CORNER articles is both to present information and to stimulate thought. Topics chosen for this coverage are not just traditional formal discussions of research work; they also contain ideas at the fringes of the field's "conventional wisdom." This series will succeed only to the extent that it stimulates not just thought, but action. If you have a strong reaction to the article that follows, either positive or negative, write to Robert L. Glass, Editor, Journal of Systems and Software, Computing Trends, P.O. Box 213, State College, PA 16804. We will publish the best of the responses as CONTROVERSY REVISITED.


Proceedings of ACM SIGPLAN on Program Protection and Reverse Engineering Workshop 2014 | 2014

DroidLegacy: Automated Familial Classification of Android Malware

Luke Deshotels; Vivek Notani; Arun Lakhotia

We present an automated method for extracting familial signatures for Android malware, i.e., signatures that identify malware produced by piggybacking potentially different benign applications with the same (or similar) malicious code. The APK classes that constitute malware code in a repackaged application are separated from the benign code, and the Android API calls used by the malicious modules are extracted to create a signature. A piggybacked malicious app can be detected by first decomposing it into loosely coupled modules and then matching the Android API calls made by each of the modules against the signatures of the known malware families. Since the signatures are based on Android API calls, they are related to the core malware behavior and thus are more resilient to obfuscation. In triage, AV companies need to automatically classify a large number of samples so as to optimize the assignment of human analysts. They need a system that gives low false negatives even if it is at the cost of higher false positives. Keeping this goal in mind, we fine-tuned our system and used standard 10-fold cross validation over a dataset of 1,052 malicious APKs and 48 benign APKs to verify our algorithm. Results show that we have 94% accuracy, 97% precision, and 93% recall when separating benign from malware. We successfully classified our entire malware dataset into 11 families with 98% accuracy, 87% precision, and 94% recall.


IEEE Transactions on Software Engineering | 2005

A method for detecting obfuscated calls in malicious binaries

Arun Lakhotia; Eric Uday Kumar; Michael Venable

Information about calls to the operating system (or kernel libraries) made by a binary executable may be used to determine whether the binary is malicious. Being aware of this approach, malicious programmers hide this information by making such calls without using the call instruction. For instance, the call addr instruction may be replaced by two push instructions and a ret instruction: the first push pushes the address of the instruction after the ret instruction, and the second push pushes the address addr. The code may be further obfuscated by spreading the three instructions apart and by splitting each instruction into multiple instructions. This work presents a method to statically detect obfuscated calls in binary code. The idea is to use abstract interpretation to detect where the normal call-ret convention is violated. These violations can be detected by what is called an abstract stack graph. An abstract stack graph is a concise representation of all potential abstract stacks at every point in a program. An abstract stack is used to associate each element in the stack with the instruction that pushes the element. An algorithm for constructing the abstract stack graph is also presented. Methods for using the abstract stack graph are shown to detect eight different obfuscations. The technique is demonstrated by implementing a prototype tool called DOC (detector for obfuscated calls).


Sigplan Notices | 2002

Analysis and detection of computer viruses and worms: an annotated bibliography

Prabhat K. Singh; Arun Lakhotia

This annotated bibliography reviews research in analyzing and detecting computer viruses and worms. This document focuses on papers that give information about techniques and systems detecting malicious code.


Symposium on Principles of Programming Languages | 1993

Constructing call multigraphs using dependence graphs

Arun Lakhotia

A call multigraph of a program is a directed multigraph encoding the possible calling relations between procedures. These graphs are used in interprocedural program optimization [2, 3, 9, 15] and for reverse engineering of software systems [7, 8]. For programs that do not contain procedure-valued variables (referred to henceforth as procedure variables) this graph can be constructed by a single pass over the program collecting the procedures called at each call site. When procedure variables and indirect calls using values of such variables are allowed, constructing such a graph is not so simple. In the worst case, the value of a procedure variable at a call site may be a reference to any procedure in the program. For interprocedural optimizations and for understanding programs one would like to have more precise solutions. The importance of precisely constructing an analogue of the call graph (referred to as the 0th order control flow analysis or 0CFA) in the context of higher order languages such as Scheme and ML has been eloquently elaborated by Shivers [18]. A precise call graph enables data flow optimizations

* In this paper call multigraph is also referred to as the call graph. This work was supported by the grant LEQSF (1991-92) ENH-98 from the Louisiana Board of Regents.

Collaboration

Top Co-Authors

Andrew Walenstein, University of Louisiana at Lafayette
Anshuman Singh, University of Louisiana at Lafayette
Jean-Christophe Deprez, University of Louisiana at Lafayette
Mohamed R. Chouchane, University of Louisiana at Lafayette
Craig Miles, University of Louisiana at Lafayette
Suresh Golconda, University of Louisiana at Lafayette
Leon Sterling, Swinburne University of Technology
Avi Pfeffer, Charles River Laboratories
Charles LeDoux, University of Louisiana at Lafayette
Enamul Karim, University of Louisiana at Lafayette