Malware Analysis by Behavior Abstraction (Analyse de Programmes Malveillants par Abstraction de Comportements)

Philippe Beaucamps
CARTE - Theoretical adverse computations, and safety, INRIA Nancy - Grand Est, LORIA - FM - Department of Formal Methods
Abstract : Traditional behavior analysis usually operates at the implementation level of a malicious behavior. Yet it is mostly concerned with the identification of a given behavior, independently of its technical implementation, and is therefore more naturally defined at a functional level. In this thesis, we define a form of program behavior analysis which operates on the function realized by a program rather than on its elementary interactions with the system. This function is extracted from program traces, a process we call abstraction. We define in a simple, intuitive and formal way the basic functionalities to abstract and the behaviors to detect. We then propose an abstraction mechanism applicable both to a static and to a dynamic analysis setting, with practical algorithms of reasonable complexity. Finally, we describe a behavior analysis technique integrating this abstraction mechanism. Our method is particularly suited to the analysis of programs written in high-level languages or whose source code is known, for which static analysis is facilitated: programs intended for virtual machines like Java or .NET, Web scripts, browser add-ons, off-the-shelf components. The formalism we propose for behavior analysis by abstraction relies on the theory of string and term rewriting, word and tree languages, and model checking. It allows an efficient identification of functionalities in traces and thus the construction of a representation of traces at a functional level; it defines functionalities and behaviors in a natural way, using temporal logic formulas, which ensures their simplicity and flexibility and enables the use of model checking techniques for behavior detection; it operates on an unrestricted set of execution traces; it handles the data flow in execution traces; and it allows uncertainty in the identification of functionalities to be taken into account, with no complexity overhead.
We validate our results on a set of experiments, which we conducted on existing malicious codes, whose traces are obtained either by dynamic binary instrumentation or by static analysis.
Document type :
Logic in Computer Science [cs.LO]. Institut National Polytechnique de Lorraine - INPL, 2011. French
Contributor : Isabelle Gnaedig
Submitted on : Tuesday, November 29, 2011 - 7:32:41 PM
Last modification on : Tuesday, September 22, 2015 - 1:13:13 AM
HAL Id : tel-00646395, version 1
Philippe Beaucamps. Analyse de Programmes Malveillants par Abstraction de Comportements. Logic in Computer Science [cs.LO]. Institut National Polytechnique de Lorraine - INPL, 2011. French. <tel-00646395>