Detecting Obfuscated Code Using Cosine Similarity
Overview
- Motivation
- Code Obfuscation Techniques and examples
- Proposed Approach
- Experiments and Results
- Extended Work and Results
- Future Work
- Limitations
Motivation
- Virus writers keep coming up with new, innovative ways to evade detection.
- Polymorphic and metamorphic viruses morph their code to evade detection.
- Virus writers and scanner authors are locked in a continuing code obfuscation/deobfuscation game.
- String-based (byte-signature) detection is not suitable for "smart" viruses such as those that morph their code.
PE Header
(This slide is an image in the original deck and is not reproduced in the preview text.)
Code Obfuscation Techniques
- Dead code insertion
- Code transposition
- Register reassignment
- Instruction substitution
Original Code (example code and the virus scanner signature derived from it)

Hex Opcodes       Assembly
51                push ecx
50                push eax
5B                pop ebx
8D 4B 38          lea ecx, [ebx + 38h]
50                push eax
E8 00 00 00 00    call 0h
5B                pop ebx
83 C3 1C          add ebx, 1Ch
FA                cli
8B 2B             mov ebp, [ebx]
5B                pop ebx

Signature: 5150 5B8D 4B38 50E8 0000 0000 5B83 C31C FA8B 2B5B
Dead code insertion

Hex Opcodes       Assembly
51                push ecx
90                nop
50                push eax
5B                pop ebx
8D 4B 38          lea ecx, [ebx + 38h]
50                push eax
90                nop
E8 00 00 00 00    call 0h
5B                pop ebx
83 C3 1C          add ebx, 1Ch
FA                cli
90                nop
8B 2B             mov ebp, [ebx]
5B                pop ebx

New Signature: 51 90 505B 8D4B 3850 90 E8 0000 0000 5B83 C31C FA 90 8B2B 5B

The three inserted nop bytes (90) change the byte sequence, so the original signature no longer matches, even though the block's behaviour is unchanged.
Code transposition

    push ecx
    push eax
    jmp A
C:  pop ebx
    add ebx, 1Ch
    cli
    mov ebp, [ebx]
    jmp D
A:  pop ebx
    lea ecx, [ebx + 38h]
    jmp B
B:  push eax
    call 0h
    jmp C
D:  pop ebx

Execution still visits the instructions in the original order (push ecx, push eax, then blocks A, B, C, D); only their layout in the file, and therefore the byte sequence a signature would match, changes.
Instruction substitution

Example 1:
    add eax, 1
can be substituted with
    sub eax, -1

Example 2:
    mov eax, 5
    mul eax, 2
can be substituted with
    mov eax, 0
    mov eax, 5
    add eax, 5

Both sequences in Example 2 leave eax = 10. Note that x86 mul takes a single operand and multiplies it by eax; the two-operand form shown on the slide would be written imul eax, 2. The mov eax, 0 in the substituted sequence is itself dead code, since the following mov eax, 5 overwrites it.
Proposed Approach
Given two programs, Program A and Program B, we would like to determine their degree of similarity:
1. Disassemble both programs.
2. Run a trace through the disassembled code to extract functional blocks.
3. Encode each functional block as a single-dimensional vector based on the frequency of instructions within the block.
4. Use cosine similarity to compute the similarity of two functional-block vectors, one from Program A and one from Program B.
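The approach above, worked through on the slides' own example block, as an added example (this is not code from the slides). It first shows the byte signature from the Original Code slide failing on the dead-code-insertion variant, then applies steps 2 to 4 to the dead-code, transposition and instruction-substitution examples. Assumptions not stated on the slides: a block is encoded by counting mnemonics only (operands are ignored); the trace follows an unconditional jmp to a label and otherwise falls through; SUBSTITUTED applies the slides' add-to-sub rule to add ebx, 1Ch; UNRELATED is a constructed control block; the file name obfuscation_similarity.py is assumed.

```python
"""Byte signatures versus instruction-frequency cosine similarity.

Added example, not from the slides.  ORIGINAL, DEADCODE and TRANSPOSED are
transcribed from the slides; SUBSTITUTED applies the slides' add -> sub rule
to one instruction; UNRELATED is a constructed control block.  Assumptions:
blocks are encoded by counting mnemonics only, and the trace follows only
unconditional jmp.
"""
import math
import re
from collections import Counter

# Machine code from the "Original Code" slide; the scanner signature is these bytes.
ORIGINAL_BYTES = bytes.fromhex("51505B8D4B3850E8000000005B83C31CFA8B2B5B")
SIGNATURE = ORIGINAL_BYTES
# The same block after the slide's dead-code insertion (three 0x90 nops).
DEADCODE_BYTES = bytes.fromhex("5190505B8D4B385090E8000000005B83C31CFA908B2B5B")

# Assembly listings: instructions separated by ';', labels written 'NAME: insn'.
ORIGINAL = ("push ecx; push eax; pop ebx; lea ecx, [ebx + 38h]; push eax; call 0h; "
            "pop ebx; add ebx, 1Ch; cli; mov ebp, [ebx]; pop ebx")
DEADCODE = ("push ecx; nop; push eax; pop ebx; lea ecx, [ebx + 38h]; push eax; nop; "
            "call 0h; pop ebx; add ebx, 1Ch; cli; nop; mov ebp, [ebx]; pop ebx")
TRANSPOSED = ("push ecx; push eax; jmp A; C: pop ebx; add ebx, 1Ch; cli; mov ebp, [ebx]; "
              "jmp D; A: pop ebx; lea ecx, [ebx + 38h]; jmp B; B: push eax; call 0h; "
              "jmp C; D: pop ebx")
SUBSTITUTED = ORIGINAL.replace("add ebx, 1Ch", "sub ebx, -1Ch")  # add x, n -> sub x, -n
UNRELATED = "xor eax, eax; mov ecx, 10h; L: inc eax; dec ecx; jnz L; ret"  # constructed


def signature_match(code, signature):
    """Classic string-based detection: exact byte-substring match."""
    return signature in code


def parse(asm):
    """Turn 'LABEL: mnemonic operands' items into (label, mnemonic, operands)."""
    insns, pending = [], None
    for raw in re.split(r"[;\n]", asm):
        line = raw.strip()
        m = re.match(r"^([A-Za-z_]\w*):\s*(.*)$", line)
        if m:
            pending, line = m.group(1), m.group(2)
        if not line:
            continue  # empty item, or a label on its own (kept in 'pending')
        parts = line.split(None, 1)
        insns.append((pending, parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
        pending = None
    return insns


def trace(asm):
    """Step 2: follow execution from the first instruction, taking unconditional
    jmps, and return the mnemonics in execution order (one functional block)."""
    insns = parse(asm)
    labels = {lab: i for i, (lab, _, _) in enumerate(insns) if lab}
    order, seen, i = [], set(), 0
    while 0 <= i < len(insns) and i not in seen:
        seen.add(i)
        _, mnem, ops = insns[i]
        if mnem == "jmp" and ops in labels:
            i = labels[ops]  # continue at the jump target
            continue
        order.append(mnem)
        i += 1
    return order


def freq_vector(asm, follow_jumps=True, ignore=frozenset()):
    """Step 3: encode a block as a mnemonic-frequency vector (a sparse Counter)."""
    mnems = trace(asm) if follow_jumps else [m for _, m, _ in parse(asm)]
    return Counter(m for m in mnems if m not in ignore)


def cosine(a, b):
    """Step 4: cosine similarity of two sparse vectors held as Counters."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def similarity(asm_a, asm_b, **kwargs):
    """Cosine similarity of two blocks; kwargs are passed to freq_vector."""
    return cosine(freq_vector(asm_a, **kwargs), freq_vector(asm_b, **kwargs))


if __name__ == "__main__":
    print("signature on original  :", signature_match(ORIGINAL_BYTES, SIGNATURE))
    print("signature on dead code :", signature_match(DEADCODE_BYTES, SIGNATURE))
    for name, variant in [("dead code", DEADCODE), ("transposed", TRANSPOSED),
                          ("substituted", SUBSTITUTED), ("unrelated", UNRELATED)]:
        print(f"cosine(original, {name:11}) = {similarity(ORIGINAL, variant):.3f}")
    print("dead code, nops ignored =", round(similarity(ORIGINAL, DEADCODE, ignore={"nop"}), 3))
    print("transposed, linear scan =", round(similarity(ORIGINAL, TRANSPOSED, follow_jumps=False), 3))
```

Run it with python3 obfuscation_similarity.py. The signature matches the original bytes and misses the nop-padded variant, as the slides say. Dead-code insertion scores about 0.848 because nop becomes an extra dimension of the vector; dropping nop (ignore={"nop"}) restores 1.0. Transposition scores 1.0 only because the trace follows the jmps and recovers the original execution order; a linear scan of the file counts the four jmps and drops to about 0.768, which is why step 2 matters. Instruction substitution is the technique's weak spot: add and sub are different dimensions, so the substituted block scores 22/23 (about 0.957) against the original, and a scanner threshold has to leave room for that. The constructed unrelated block scores about 0.085.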
This note was uploaded on 07/04/2011 for the course CIS 4643 taught by Professor Staff during the Spring '07 term at University of Central Florida.