University of Limerick
Shosha_2012_malware.pdf (728.57 kB)

Evasion-resistant malware signature based on profiling kernel data structure objects

Download (728.57 kB)
conference contribution
posted on 2013-02-15, 16:30 authored by Ahmed F Shosha, Liu Chen-Ching, Pavel Gladyshev, Marcus Matten
Malware authors attempt in an endless effort to find new methods to evade the malware detection engines. A popular method is the use of obfuscation technologies that change the syntax of malicious code while preserving the execution semantics. This leads to the evasion of signatures that are built based on the code syntax. In this paper, we propose a novel approach to develop an evasion-resistant malware signature. This signature is based on the malware’s execution profiles extracted from kernel data structure objects and neither uses malicious code syntax specific information code execution flow information. Thus, proposed signature is more resistant to obfuscation methods and resilient in detecting malicious code variants. To evaluate the effectiveness of the proposed approach, a prototype signature generation tool called SigGENE is developed. The effectiveness of signatures generated by SigGENE evaluated using an experimental root kit-simulation tool that employs techniques commonly found in rootkits. This simulation-tool is obfuscated using several different methods. In further experiments, real-world malware samples that have different variants with the same behavior used to verify the real-world applicability of the approach. The experiments show that the proposed approach is effective, not only in generating a signature that detects the malware and its variants and defeats different obfuscation methods, but also, in producing an execution profiles that can be used to characterize different malicious attacks.


Study on Aerodynamic Characteristics Control of Slender Body Using Active Flow Control Technique

Japan Society for the Promotion of Science

Find out more...



7th International Conference on Risks and Security of Internet Systems (CRiSIS) 2012;pp. 1-8


IEEE Computer Society



Other Funding information



“© 2012 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.”



Usage metrics

    University of Limerick


    No categories selected


    Ref. manager