Fast discovery of VM-sensitive divergence points with basic block comparison

Yen Ju Liu*, Chong Kuan Chen, Michael Cheng Yi Cho, Shiuhpyng Shieh

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

To evade VM-based malware analysis systems, VM-aware malware equipped with the ability to detect the presence of virtual machine has appeared. To cope with the problem, detecting VM-aware malware and locating VM-sensitive divergence points of VM-aware malware is in urgent need. In this paper, we propose a novel block-based divergence locator. In contrast to the conventional instruction-based schemes, the block-based divergence locator divides malware program into basic blocks, instead of binary instructions, and uses them as the analysis unit. The block-based divergence locator significantly decrease the cost of behavior logging and trace comparison, as well as the size of behavior traces. As the evaluation showed, behavior logging is 23.87-39.49 times faster than the conventional schemes. The total number of analysis unit, which is highly related to the cost of trace comparisons, is 11.95%-16.00% of the conventional schemes. Consequently, VM-sensitive divergence points can be discovered more efficiently. The correctness of our divergence point discovery algorithm is also proved formally in this paper.

Original languageEnglish
Title of host publicationProceedings - 8th International Conference on Software Security and Reliability, SERE 2014
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages196-205
Number of pages10
ISBN (Electronic)9781479942961
DOIs
StatePublished - 1 Jan 2014
Event8th International Conference on Software Security and Reliability, SERE 2014 - San Francisco, United States
Duration: 30 Jun 20142 Jul 2014

Publication series

NameProceedings - 8th International Conference on Software Security and Reliability, SERE 2014

Conference

Conference8th International Conference on Software Security and Reliability, SERE 2014
CountryUnited States
CitySan Francisco
Period30/06/142/07/14

Keywords

  • Malware behavior analysis
  • VM-aware malware
  • Virtual machine

Fingerprint Dive into the research topics of 'Fast discovery of VM-sensitive divergence points with basic block comparison'. Together they form a unique fingerprint.

Cite this