Semantically non-preserving transformations for antivirus evaluation

Erkan Ersan; Lior Malka; Bruce M. Kapron

doi:10.1007/978-3-319-51966-1_18

Semantically non-preserving transformations for antivirus evaluation

Erkan Ersan
, Lior Malka
, Bruce M. Kapron

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

1 Scopus citations

Abstract

We relax the notion of malware obfuscation to include semantically non-preserving transformations. Unlike traditional obfuscation techniques, these transformation may not preserve original code behaviour. Using web-based malware we focus on transformations which modify abstract syntax trees. While such transformations yield syntactically valid programs, they may yield dysfunctional samples, so that it is not clear that this is a practical approach to producing detection-evading malware. However, by implementing an automated system that efficiently filters dysfunctional samples on a virtual cloud architecture, we show that such transformations are in fact practical. Using two simple transformations, we evaluated four antivirus products and were able to create many samples that evade detection, demonstrating that semantic-preserving obfuscation is not the only effective way to mutate malware.

Original language	English
Title of host publication	Foundations and Practice of Security - 9th International Symposium, FPS 2016, Revised Selected Papers
Editors	Joaquin Garcia-Alfaro, Frederic Cuppens, Nora Cuppens-Boulahia, Lingyu Wang, Nadia Tawbi
Publisher	Springer Verlag
Pages	273-281
Number of pages	9
ISBN (Print)	9783319519654
DOIs	https://doi.org/10.1007/978-3-319-51966-1_18
State	Published - 1 Jan 2017
Externally published	Yes
Event	9th International Symposium on Foundations and Practice of Security, FPS 2016 - Quebec, Canada Duration: 24 Oct 2016 → 26 Oct 2016

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	10128 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	9th International Symposium on Foundations and Practice of Security, FPS 2016
Country/Territory	Canada
City	Quebec
Period	24/10/16 → 26/10/16

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-319-51966-1_18

Cite this

Ersan, E., Malka, L., & Kapron, B. M. (2017). Semantically non-preserving transformations for antivirus evaluation. In J. Garcia-Alfaro, F. Cuppens, N. Cuppens-Boulahia, L. Wang, & N. Tawbi (Eds.), Foundations and Practice of Security - 9th International Symposium, FPS 2016, Revised Selected Papers (pp. 273-281). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10128 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-51966-1_18

Ersan, Erkan ; Malka, Lior ; Kapron, Bruce M. / Semantically non-preserving transformations for antivirus evaluation. Foundations and Practice of Security - 9th International Symposium, FPS 2016, Revised Selected Papers. editor / Joaquin Garcia-Alfaro ; Frederic Cuppens ; Nora Cuppens-Boulahia ; Lingyu Wang ; Nadia Tawbi. Springer Verlag, 2017. pp. 273-281 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{97835bc9f2d744bcb6d9607a51f2bdd9,

title = "Semantically non-preserving transformations for antivirus evaluation",

abstract = "We relax the notion of malware obfuscation to include semantically non-preserving transformations. Unlike traditional obfuscation techniques, these transformation may not preserve original code behaviour. Using web-based malware we focus on transformations which modify abstract syntax trees. While such transformations yield syntactically valid programs, they may yield dysfunctional samples, so that it is not clear that this is a practical approach to producing detection-evading malware. However, by implementing an automated system that efficiently filters dysfunctional samples on a virtual cloud architecture, we show that such transformations are in fact practical. Using two simple transformations, we evaluated four antivirus products and were able to create many samples that evade detection, demonstrating that semantic-preserving obfuscation is not the only effective way to mutate malware.",

author = "Erkan Ersan and Lior Malka and Kapron, \{Bruce M.\}",

note = "Publisher Copyright: {\textcopyright} Springer International Publishing AG 2017.; 9th International Symposium on Foundations and Practice of Security, FPS 2016 ; Conference date: 24-10-2016 Through 26-10-2016",

year = "2017",

month = jan,

day = "1",

doi = "10.1007/978-3-319-51966-1\_18",

language = "English",

isbn = "9783319519654",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "273--281",

editor = "Joaquin Garcia-Alfaro and Frederic Cuppens and Nora Cuppens-Boulahia and Lingyu Wang and Nadia Tawbi",

booktitle = "Foundations and Practice of Security - 9th International Symposium, FPS 2016, Revised Selected Papers",

address = "Germany",

}

Ersan, E, Malka, L & Kapron, BM 2017, Semantically non-preserving transformations for antivirus evaluation. in J Garcia-Alfaro, F Cuppens, N Cuppens-Boulahia, L Wang & N Tawbi (eds), Foundations and Practice of Security - 9th International Symposium, FPS 2016, Revised Selected Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10128 LNCS, Springer Verlag, pp. 273-281, 9th International Symposium on Foundations and Practice of Security, FPS 2016, Quebec, Canada, 24/10/16. https://doi.org/10.1007/978-3-319-51966-1_18

Semantically non-preserving transformations for antivirus evaluation. / Ersan, Erkan; Malka, Lior; Kapron, Bruce M.
Foundations and Practice of Security - 9th International Symposium, FPS 2016, Revised Selected Papers. ed. / Joaquin Garcia-Alfaro; Frederic Cuppens; Nora Cuppens-Boulahia; Lingyu Wang; Nadia Tawbi. Springer Verlag, 2017. p. 273-281 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10128 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Semantically non-preserving transformations for antivirus evaluation

AU - Ersan, Erkan

AU - Malka, Lior

AU - Kapron, Bruce M.

N1 - Publisher Copyright: © Springer International Publishing AG 2017.

PY - 2017/1/1

Y1 - 2017/1/1

N2 - We relax the notion of malware obfuscation to include semantically non-preserving transformations. Unlike traditional obfuscation techniques, these transformation may not preserve original code behaviour. Using web-based malware we focus on transformations which modify abstract syntax trees. While such transformations yield syntactically valid programs, they may yield dysfunctional samples, so that it is not clear that this is a practical approach to producing detection-evading malware. However, by implementing an automated system that efficiently filters dysfunctional samples on a virtual cloud architecture, we show that such transformations are in fact practical. Using two simple transformations, we evaluated four antivirus products and were able to create many samples that evade detection, demonstrating that semantic-preserving obfuscation is not the only effective way to mutate malware.

AB - We relax the notion of malware obfuscation to include semantically non-preserving transformations. Unlike traditional obfuscation techniques, these transformation may not preserve original code behaviour. Using web-based malware we focus on transformations which modify abstract syntax trees. While such transformations yield syntactically valid programs, they may yield dysfunctional samples, so that it is not clear that this is a practical approach to producing detection-evading malware. However, by implementing an automated system that efficiently filters dysfunctional samples on a virtual cloud architecture, we show that such transformations are in fact practical. Using two simple transformations, we evaluated four antivirus products and were able to create many samples that evade detection, demonstrating that semantic-preserving obfuscation is not the only effective way to mutate malware.

UR - https://www.scopus.com/pages/publications/85009511183

U2 - 10.1007/978-3-319-51966-1_18

DO - 10.1007/978-3-319-51966-1_18

M3 - Conference contribution

AN - SCOPUS:85009511183

SN - 9783319519654

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 273

EP - 281

BT - Foundations and Practice of Security - 9th International Symposium, FPS 2016, Revised Selected Papers

A2 - Garcia-Alfaro, Joaquin

A2 - Cuppens, Frederic

A2 - Cuppens-Boulahia, Nora

A2 - Wang, Lingyu

A2 - Tawbi, Nadia

PB - Springer Verlag

T2 - 9th International Symposium on Foundations and Practice of Security, FPS 2016

Y2 - 24 October 2016 through 26 October 2016

ER -

Ersan E, Malka L, Kapron BM. Semantically non-preserving transformations for antivirus evaluation. In Garcia-Alfaro J, Cuppens F, Cuppens-Boulahia N, Wang L, Tawbi N, editors, Foundations and Practice of Security - 9th International Symposium, FPS 2016, Revised Selected Papers. Springer Verlag. 2017. p. 273-281. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-51966-1_18

Semantically non-preserving transformations for antivirus evaluation

Abstract

Publication series

Conference

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this