Malware detection is an important part of a secure Linux framework. Most traditional detection methods are signature-based: they generally lag behind the development of malicious code and fail to detect malware that has been processed with obfuscation techniques, so they no longer meet increasingly urgent security needs. Advanced detection techniques, among them semantics-aware detection and malicious-code model checking, can handle the obfuscation techniques used by attackers. However, these techniques require high-level specifications of malicious behavior, and such specifications are currently developed by hand, which limits the attractiveness and deployment of the new detection techniques.

This paper presents automatic mining of specifications of malicious behavior based on multiple paths in Linux, which generates high-level specifications automatically and so supplies the malicious-behavior specifications that the advanced detection techniques otherwise lack. The mining technique derives the high-level specification of malicious behavior by comparing the execution paths of a known malware sample against the execution paths of a set of benign programs. The paper defines a new graph representation of program behavior: since system calls are a program's main interaction with the operating system, the representation captures the system calls made by the program and summarizes all other program code. The technique infers system-call graphs from execution traces and then computes the minimal differences between the system-call graphs of the malicious and the benign programs to obtain a specification.

For malicious programs whose malicious behavior is triggered only under specific circumstances, the strace tool cannot collect the malicious execution path, because strace records system calls but traces only a single program execution.
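As an added, illustrative example (not code from the paper or its prototype), the following Python script builds system-call dependence graphs from constructed strace-like traces and computes a simplified form of the minimal difference: each call is abstracted together with its incoming dependence edges (system-call name plus the role, file descriptor or buffer, of every value it consumes), and a call whose abstraction occurs in the malware graph but in no benign graph yields a specification consisting of that call and the dependence subgraph leading into it. The traces, the symbolic buffer names in place of strace's quoted byte strings, and the fd/buffer tracking rules are assumptions made for the example; the paper's own graph representation and contrast computation are not reproduced.

```python
import re
from collections import defaultdict

# Constructed, simplified strace-style traces (not the output of real programs).
# Buffers appear as symbolic names (buf_a) so the data flow read -> write can be
# followed by name.
MALWARE_TRACE = """\
open("/etc/passwd", O_RDONLY) = 3
read(3, buf_a, 4096) = 120
socket(AF_INET, SOCK_STREAM, 0) = 4
connect(4, sockaddr, 16) = 0
write(4, buf_a, 120) = 120
close(4) = 0
close(3) = 0
"""
BENIGN_TRACES = [
    # cat-like program: file contents go to stdout, never to a socket
    """open("/etc/passwd", O_RDONLY) = 3
read(3, buf_a, 4096) = 120
write(1, buf_a, 120) = 120
close(3) = 0
""",
    # network client: uses a socket, but sends nothing read from a file
    """socket(AF_INET, SOCK_STREAM, 0) = 3
connect(3, sockaddr, 16) = 0
write(3, buf_b, 5) = 5
read(3, buf_c, 4096) = 10
close(3) = 0
""",
]
# Reordered variant: different file, different fd numbers, an unrelated call.
VARIANT_TRACE = """\
socket(AF_INET, SOCK_STREAM, 0) = 3
connect(3, sockaddr, 16) = 0
open("/etc/shadow", O_RDONLY) = 4
read(4, buf_x, 4096) = 50
getpid() = 1234
write(3, buf_x, 50) = 50
"""

CALL_RE = re.compile(r"^(\w+)\((.*)\)\s*=\s*(-?\d+)$")
FD_PRODUCERS = {"open", "socket", "accept", "dup"}
FD_CONSUMERS = {"read", "write", "close", "connect", "send", "recv"}


def parse_trace(text):
    """Return [(syscall, [args], return value)] for 'name(args) = ret' lines."""
    calls = []
    for line in text.strip().splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            calls.append((m.group(1), [a.strip() for a in m.group(2).split(",")], int(m.group(3))))
    return calls


def build_graph(calls):
    """Nodes are (index, syscall); an edge (src, role, dst) records that a value
    produced by call src (an fd, or a buffer it filled) is consumed by call dst."""
    nodes, edges, live_fd, live_buf = [], [], {}, {}
    for i, (name, args, ret) in enumerate(calls):
        nodes.append((i, name))
        if name in FD_CONSUMERS and args[0] in live_fd:
            edges.append((live_fd[args[0]], "fd", i))
        if name in ("write", "send") and len(args) > 1 and args[1] in live_buf:
            edges.append((live_buf[args[1]], "buf", i))
        if name == "close":
            live_fd.pop(args[0], None)        # the fd number may be reused later
        if name in FD_PRODUCERS and ret >= 0:
            live_fd[str(ret)] = i
        if name in ("read", "recv") and len(args) > 1 and ret > 0:
            live_buf[args[1]] = i
    return nodes, edges


def signatures(nodes, edges):
    """Abstract each call to (syscall, {(producer syscall, role)}), i.e. the call
    plus its incoming dependences: the unit contrasted between the graphs."""
    name, incoming = dict(nodes), defaultdict(set)
    for src, role, dst in edges:
        incoming[dst].add((name[src], role))
    return {i: (name[i], frozenset(incoming[i])) for i, _ in nodes}


def ancestor_edges(i, nodes, edges):
    """All dependence edges on paths leading into call i, abstracted to names."""
    name, preds = dict(nodes), defaultdict(list)
    for src, role, dst in edges:
        preds[dst].append((src, role))
    result, stack, seen = set(), [i], set()
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            for src, role in preds[n]:
                result.add((name[src], role, name[n]))
                stack.append(src)
    return result


def mine_specification(malware_trace, benign_traces):
    """Calls whose abstraction occurs in the malware graph but in no benign graph,
    each returned with the dependence subgraph that leads into it."""
    benign = set()
    for t in benign_traces:
        benign.update(signatures(*build_graph(parse_trace(t))).values())
    nodes, edges = build_graph(parse_trace(malware_trace))
    return [{"sink": sig, "edges": ancestor_edges(i, nodes, edges)}
            for i, sig in signatures(nodes, edges).items() if sig not in benign]


def matches(spec, trace):
    """Detection: some call has the sink abstraction and its dependence subgraph
    contains every edge of the specification."""
    nodes, edges = build_graph(parse_trace(trace))
    return any(sig == spec["sink"] and spec["edges"] <= ancestor_edges(i, nodes, edges)
               for i, sig in signatures(nodes, edges).items())


if __name__ == "__main__":
    for spec in mine_specification(MALWARE_TRACE, BENIGN_TRACES):
        print("sink:", spec["sink"][0], sorted(spec["sink"][1]))
        for src, role, dst in sorted(spec["edges"]):
            print(f"  {src} --{role}--> {dst}")
        print("variant matches:", matches(spec, VARIANT_TRACE))
```

Run stand-alone, the script reports one specification: a write that depends on both a socket (fd) and a read (buffer), with the read itself depending on an open, that is, "data read from a file is sent over a socket". Neither benign trace matches it, while the reordered variant does, because the graph abstracts away call order, file names and fd numbers. Contrasting only a single edge would not work here: file-to-stdout and socket writes both occur in benign programs, and only their conjunction is malicious, which is why the unit of comparison must be a subgraph rather than an edge.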
To address this problem, the paper proposes an extension to the strace tool that collects multiple execution paths of a malicious program. The exploration of different paths is driven by monitoring how the code uses certain inputs: the method dynamically tracks input values that the program reads and identifies the points in the execution where such an input is used to make a control-flow decision. At each such decision point, a snapshot of the current state of the program execution is taken first. The program is then allowed to continue along one of the branches, as determined by the actual input value. Later, the program is returned to the snapshot, the input value is rewritten so that the condition evaluates the other way, and the other branch is taken.

Finally, the paper designs and implements a prototype named automatic mining of specifications of malicious behavior based on multiple paths in Linux. The evaluation shows the system to be effective and to perform well under certain conditions.
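The snapshot-and-rewrite exploration described above, as an added example that is neither the paper's strace extension nor real ptrace code: a small Python interpreter for a toy instruction set in which values read from the environment are tainted, and every conditional that tests a tainted register becomes a decision point. The program, its instruction set, the trigger conditions (day of month and uid) and the host name `c2.example` are constructed for the example; a real implementation operates on process state captured through ptrace and must update every tainted copy of the input, not just one register.

```python
import copy

# Toy instruction set (constructed for this example, not the paper's):
#   ("read", reg, input)             load an environment value, taint the register
#   ("cmp_jump", reg, op, const, pc) jump to pc if "reg op const" holds
#   ("syscall", name, *args)         record a system call on the current path
#   ("exit",)                        end of this execution path
# A trigger-based sample: the payload runs only on the 13th and only as root.
PROGRAM = [
    ("read", "r0", "day"),                     # day of month, e.g. from localtime()
    ("cmp_jump", "r0", "==", 13, 4),
    ("syscall", "write", "stdout", "hello"),   # benign decoy behaviour
    ("exit",),
    ("read", "r1", "uid"),                     # e.g. from getuid()
    ("cmp_jump", "r1", "==", 0, 8),
    ("syscall", "open", "/tmp/x"),
    ("exit",),
    ("syscall", "open", "/etc/shadow"),        # payload path
    ("syscall", "connect", "c2.example"),      # constructed host name
    ("exit",),
]


class State:
    """Everything a snapshot has to capture: pc, registers, taint, inputs, log."""
    def __init__(self, inputs):
        self.pc, self.regs, self.taint = 0, {}, {}   # taint: register -> input name
        self.inputs, self.log = dict(inputs), []


def holds(value, op, const):
    return {"==": value == const, "!=": value != const,
            "<": value < const, ">=": value >= const}[op]


def value_for(op, const, want):
    """Pick a concrete value that makes 'value op const' evaluate to `want`."""
    for v in (const, const + 1, const - 1):
        if holds(v, op, const) == want:
            return v
    raise ValueError(f"cannot satisfy {op} {const} == {want}")


def explore(program, inputs, multipath=True, max_paths=64):
    """Run the program. With multipath, each conditional on a tainted register is
    a decision point: snapshot, follow the real value, restore, rewrite the input
    so the condition flips, follow the other branch. Returns a list of
    (inputs that produced the path, [system calls on that path])."""
    paths = []

    def run(state):
        while len(paths) < max_paths:            # crude bound against path explosion
            ins = program[state.pc]
            if ins[0] == "read":
                state.regs[ins[1]] = state.inputs[ins[2]]
                state.taint[ins[1]] = ins[2]
                state.pc += 1
            elif ins[0] == "syscall":
                state.log.append(ins[1:])
                state.pc += 1
            elif ins[0] == "exit":
                paths.append((dict(state.inputs), list(state.log)))
                return
            elif ins[0] == "cmp_jump":
                _, reg, op, const, target = ins
                taken = holds(state.regs[reg], op, const)
                if multipath and reg in state.taint:
                    snapshot = copy.deepcopy(state)            # 1. snapshot
                    state.pc = target if taken else state.pc + 1
                    run(state)                                 # 2. real branch to its end
                    state = snapshot                           # 3. restore
                    forced = value_for(op, const, not taken)
                    state.regs[reg] = forced                   # 4. rewrite the input
                    state.inputs[state.taint[reg]] = forced    #    and its source
                    taken = not taken
                state.pc = target if taken else state.pc + 1   # 5. other branch
            else:
                raise ValueError(f"unknown instruction {ins}")

    run(State(inputs))
    return paths


if __name__ == "__main__":
    print("single run:", explore(PROGRAM, {"day": 5, "uid": 1000}, multipath=False))
    for inputs, log in explore(PROGRAM, {"day": 5, "uid": 1000}):
        print(inputs, "->", log)
```

With the real inputs (day 5, non-root uid) a single traced run, like strace, sees only the decoy `write`. Multi-path exploration produces three paths, the last of which (day 13, uid 0) reaches the `open("/etc/shadow")` and `connect` calls, and it also records which input values reached that path, which is what the specification miner needs. Two caveats carry over to a real implementation: the number of paths grows exponentially with the number of tainted decisions, so a bound like `max_paths` or a smarter path-selection policy is needed, and a forced value that is inconsistent with the rest of the process state (for example, a length check flipped without the corresponding buffer) can make the program crash or take a path that is not feasible in practice.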