Nowadays, code obfuscation plays an increasingly important role in producing variations of malware. Unfortunately, an obfuscated variation defeats text-based malware detectors. This paper proposes a semantics-based malware detection framework that determines whether a program is a variation of a known malware sample. To that end, the symbolic states of both programs are collected by symbolic execution, and the framework then proves that their semantics satisfy the definition of the variation relationship. Because the framework can detect whether an obfuscated program is a variation of known malware, it largely reduces the need to update the virus definition database. Finally, a prototype implementing the framework demonstrates the feasibility of semantics-based malware detection.
Keywords: symbolic execution; program analysis; malware detection; code obfuscation

Figure: Our framework for the semantics-based malware detector
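As an added illustration of the approach the abstract describes (this is not the paper's prototype), the toy symbolic executor below collects the symbolic state of two straight-line programs over a hypothetical three-address IR and checks the variation relationship on their output registers; expressions are normalised as integer polynomials, so an arithmetically rewritten or dead-code-padded variant compares equal to the original while a program with different semantics does not.

```python
# Added example, not from the paper: symbolic execution of a toy IR and a
# semantic check of the "variation" relationship on chosen output registers.
# Symbolic values are integer polynomials: {monomial (sorted var tuple): coeff}.
from collections import defaultdict
from itertools import product

def const(c):
    return {(): c} if c else {}

def var(name):
    return {(name,): 1}

def add(p, q):
    r = defaultdict(int)
    for m, c in list(p.items()) + list(q.items()):
        r[m] += c
    return {m: c for m, c in r.items() if c}      # drop cancelled terms

def mul(p, q):
    r = defaultdict(int)
    for (m1, c1), (m2, c2) in product(p.items(), q.items()):
        r[tuple(sorted(m1 + m2))] += c1 * c2     # commutative: sort the monomial
    return {m: c for m, c in r.items() if c}

def operand(state, x):
    return const(x) if isinstance(x, int) else state[x]

def sym_exec(program, inputs):
    """Run a straight-line program symbolically; `inputs` start as free symbols."""
    state = {r: var(r) for r in inputs}
    for op, dst, *args in program:
        a = [operand(state, x) for x in args]
        if op == "mov":   state[dst] = a[0]
        elif op == "add": state[dst] = add(a[0], a[1])
        elif op == "sub": state[dst] = add(a[0], mul(const(-1), a[1]))
        elif op == "mul": state[dst] = mul(a[0], a[1])
        else: raise ValueError(f"unknown op {op}")
    return state

def is_variant(p, q, inputs, outputs):
    """Variation relationship: both programs reach the same symbolic state on `outputs`."""
    sp, sq = sym_exec(p, inputs), sym_exec(q, inputs)
    return all(sp.get(r, {}) == sq.get(r, {}) for r in outputs)

# Constructed samples: ORIGINAL computes r = a*(b+c); VARIANT distributes the
# multiplication and inserts a dead temporary; NOT_VARIANT computes a*(b-c).
ORIGINAL    = [("add", "t", "b", "c"), ("mul", "r", "a", "t")]
VARIANT     = [("mul", "t1", "a", "b"), ("mul", "t2", "a", "c"),
               ("mov", "junk", 7), ("sub", "junk", "junk", "t1"),
               ("add", "r", "t1", "t2")]
NOT_VARIANT = [("sub", "t", "b", "c"), ("mul", "r", "a", "t")]
```

Text-based comparison of ORIGINAL and VARIANT would show no overlap, yet `is_variant(ORIGINAL, VARIANT, ["a", "b", "c"], ["r"])` is true because their symbolic states on `r` coincide.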