Automatically Identifying Trigger-based Behavior in Malware


Ontology type: schema:Chapter     


Chapter Info

DATE

2008-01-01

AUTHORS

David Brumley, Cody Hartwig, Zhenkai Liang, James Newsome, Dawn Song, Heng Yin

ABSTRACT

Malware often contains hidden behavior which is only activated when properly triggered. Well-known examples include: the MyDoom worm, which DDoS's on particular dates; keyloggers, which only log keystrokes for particular sites; and DDoS zombies, which are only activated when given the proper command. We call such behavior trigger-based behavior. Currently, trigger-based behavior analysis is often performed in a tedious, manual fashion. Providing even a small amount of assistance would greatly assist and speed up the analysis. In this chapter, we propose that automatic analysis of trigger-based behavior in malware is possible. In particular, we design an approach for automatic trigger-based behavior detection and analysis using dynamic binary instrumentation and mixed concrete and symbolic execution. Our approach shows that in many cases we can: (1) detect the existence of trigger-based behavior, (2) find the conditions that trigger such hidden behavior, and (3) find inputs that satisfy those conditions, allowing us to observe the triggered malicious behavior in a controlled environment. We have implemented MineSweeper, a system utilizing this approach. In our experiments, MineSweeper has successfully identified trigger-based behavior in real-world malware. Although there are many challenges presented by automatic trigger-based behavior detection, MineSweeper shows us that such automatic analysis is possible and encourages future work in this area.

PAGES

65-88

Identifiers

URI

http://scigraph.springernature.com/pub.10.1007/978-0-387-68768-1_4

DOI

http://dx.doi.org/10.1007/978-0-387-68768-1_4

DIMENSIONS

https://app.dimensions.ai/details/publication/pub.1035754722



JSON-LD is the canonical representation for SciGraph data.


[
  {
    "@context": "https://springernature.github.io/scigraph/jsonld/sgcontext.json", 
    "about": [
      {
        "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/08", 
        "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
        "name": "Information and Computing Sciences", 
        "type": "DefinedTerm"
      }, 
      {
        "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/0801", 
        "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
        "name": "Artificial Intelligence and Image Processing", 
        "type": "DefinedTerm"
      }
    ], 
    "author": [
      {
        "affiliation": {
          "alternateName": "Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213", 
          "id": "http://www.grid.ac/institutes/grid.147455.6", 
          "name": [
            "Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Brumley", 
        "givenName": "David", 
        "id": "sg:person.07667617727.70", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.07667617727.70"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213", 
          "id": "http://www.grid.ac/institutes/grid.147455.6", 
          "name": [
            "Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Hartwig", 
        "givenName": "Cody", 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213", 
          "id": "http://www.grid.ac/institutes/grid.147455.6", 
          "name": [
            "Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Liang", 
        "givenName": "Zhenkai", 
        "id": "sg:person.014106736131.19", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.014106736131.19"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213", 
          "id": "http://www.grid.ac/institutes/grid.147455.6", 
          "name": [
            "Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Newsome", 
        "givenName": "James", 
        "id": "sg:person.010737772415.24", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.010737772415.24"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213", 
          "id": "http://www.grid.ac/institutes/grid.147455.6", 
          "name": [
            "Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Song", 
        "givenName": "Dawn", 
        "id": "sg:person.01143152610.86", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.01143152610.86"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213", 
          "id": "http://www.grid.ac/institutes/grid.147455.6", 
          "name": [
            "Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Yin", 
        "givenName": "Heng", 
        "id": "sg:person.010023156265.84", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.010023156265.84"
        ], 
        "type": "Person"
      }
    ], 
    "datePublished": "2008-01-01", 
    "datePublishedReg": "2008-01-01", 
    "description": "Malware often contains hidden behavior which is only activated when properly triggered. Well known examples include: the MyDoom worm which DDoS\u2019s on particular dates, keyloggers which only log keystrokes for particular sites, and DDoS zombies which are only activated when given the proper command. We call such behavior trigger-based behavior. Currently, trigger-based behavior analysis is often performed in a tedious, manual fashion. Providing even a small amount of assistance would greatly assist and speed-up the analysis. In this chapter, we propose that automatic analysis of trigger-based behavior in malware is possible. In particular, we design an approach for automatic trigger-based behavior detection and analysis using dynamic binary instrumentation and mixed concrete and symbolic execution. Our approach shows that in many cases we can: (1) detect the existence of trigger-based behavior, (2) find the conditions that trigger such hidden behavior, and (3) find inputs that satisfy those conditions, allowing us to observe the triggered malicious behavior in a controlled environment. We have implemented MineSweeper, a system utilizing this approach. In our experiments, MineSweeper has successfully identified trigger-based behavior in real-world malware. Although there are many challenges presented by automatic trigger-based behavior detection, MineSweeper shows us that such automatic analysis is possible and encourages future work in this area.", 
    "editor": [
      {
        "familyName": "Lee", 
        "givenName": "Wenke", 
        "type": "Person"
      }, 
      {
        "familyName": "Wang", 
        "givenName": "Cliff", 
        "type": "Person"
      }, 
      {
        "familyName": "Dagon", 
        "givenName": "David", 
        "type": "Person"
      }
    ], 
    "genre": "chapter", 
    "id": "sg:pub.10.1007/978-0-387-68768-1_4", 
    "inLanguage": "en", 
    "isAccessibleForFree": false, 
    "isPartOf": {
      "isbn": [
        "978-0-387-68766-7", 
        "978-0-387-68768-1"
      ], 
      "name": "Botnet Detection", 
      "type": "Book"
    }, 
    "keywords": [
      "trigger-based behavior", 
      "behavior detection", 
      "automatic analysis", 
      "hidden behavior", 
      "real-world malware", 
      "dynamic binary instrumentation", 
      "malicious behavior", 
      "binary instrumentation", 
      "symbolic execution", 
      "malware", 
      "manual fashion", 
      "proper commands", 
      "behavior analysis", 
      "Minesweeper", 
      "future work", 
      "keyloggers", 
      "DDoS", 
      "keystrokes", 
      "execution", 
      "command", 
      "detection", 
      "particular date", 
      "environment", 
      "known examples", 
      "input", 
      "challenges", 
      "zombies", 
      "system", 
      "speed", 
      "assistance", 
      "example", 
      "work", 
      "experiments", 
      "fashion", 
      "behavior", 
      "analysis", 
      "such behavior", 
      "amount", 
      "instrumentation", 
      "chapter", 
      "area", 
      "small amount", 
      "cases", 
      "worms", 
      "triggers", 
      "date", 
      "conditions", 
      "particular site", 
      "existence", 
      "sites", 
      "approach"
    ], 
    "name": "Automatically Identifying Trigger-based Behavior in Malware", 
    "pagination": "65-88", 
    "productId": [
      {
        "name": "dimensions_id", 
        "type": "PropertyValue", 
        "value": [
          "pub.1035754722"
        ]
      }, 
      {
        "name": "doi", 
        "type": "PropertyValue", 
        "value": [
          "10.1007/978-0-387-68768-1_4"
        ]
      }
    ], 
    "publisher": {
      "name": "Springer Nature", 
      "type": "Organisation"
    }, 
    "sameAs": [
      "https://doi.org/10.1007/978-0-387-68768-1_4", 
      "https://app.dimensions.ai/details/publication/pub.1035754722"
    ], 
    "sdDataset": "chapters", 
    "sdDatePublished": "2022-05-20T07:42", 
    "sdLicense": "https://scigraph.springernature.com/explorer/license/", 
    "sdPublisher": {
      "name": "Springer Nature - SN SciGraph project", 
      "type": "Organization"
    }, 
    "sdSource": "s3://com-springernature-scigraph/baseset/20220519/entities/gbq_results/chapter/chapter_180.jsonl", 
    "type": "Chapter", 
    "url": "https://doi.org/10.1007/978-0-387-68768-1_4"
  }
]

HOW TO GET THIS DATA PROGRAMMATICALLY:

JSON-LD is a popular format for linked data which is fully compatible with JSON.

curl -H 'Accept: application/ld+json' 'https://scigraph.springernature.com/pub.10.1007/978-0-387-68768-1_4'

N-Triples is a line-based linked data format ideal for batch operations.

curl -H 'Accept: application/n-triples' 'https://scigraph.springernature.com/pub.10.1007/978-0-387-68768-1_4'

Turtle is a human-readable linked data format.

curl -H 'Accept: text/turtle' 'https://scigraph.springernature.com/pub.10.1007/978-0-387-68768-1_4'

RDF/XML is a standard XML format for linked data.

curl -H 'Accept: application/rdf+xml' 'https://scigraph.springernature.com/pub.10.1007/978-0-387-68768-1_4'


 

This table displays all metadata directly associated to this object as RDF triples.

155 TRIPLES      23 PREDICATES      75 URIs      68 LITERALS      7 BLANK NODES
