Science and Development Network (SciDev.Net)
Attackers obfuscate malware into many syntactically different versions, which makes detection based on syntactic features ineffective. The state-of-the-art behavioral signature, the behavior graph, is effective but too complicated to extract from malware samples. In addition, malware detection with behavior graphs is NP-complete, so it is too slow for real-time detectors. This paper proposes ResSig, an anti-obfuscation behavioral signature that is simpler than a behavior graph but comparably effective; it focuses on the resources that malware operates on. ResSig describes the behaviors performed on a single resource and the constraints between different resources. Extracting ResSig avoids cumbersome information-flow tracking and scales to the exponentially growing number of malware samples.
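To make the resource-centric idea concrete, here is an added toy matcher (written for this page, not the paper's code or its actual signature format). It assumes a trace of `(operation, resource, argument)` events, a signature made of per-resource behavior roles (an ordered list of operations that must appear, as a subsequence, on one resource) plus cross-resource constraints (functions over the role-to-resource binding), and three constructed traces: an original dropper, a reordered and padded variant with a different file name, and a benign editor session. The event shape, the signature format and the sample traces are all assumptions of this example.

```python
"""Toy resource-centric behavioral signature matcher (added example, not the paper's code)."""
from collections import defaultdict
from itertools import product
from typing import Callable, Dict, List, Optional, Tuple

# Assumed trace format: (operation, resource the operation targets, argument).
Event = Tuple[str, str, str]
Binding = Dict[str, str]
Constraint = Callable[[Binding, List[Event]], bool]


def group_by_resource(trace: List[Event]) -> Dict[str, List[str]]:
    """Collapse a syscall trace into an ordered operation list per resource.
    Junk calls on unrelated resources end up in their own buckets and never
    disturb the behavior observed on the resources the signature cares about."""
    per_res: Dict[str, List[str]] = defaultdict(list)
    for op, res, _arg in trace:
        per_res[res].append(op)
    return per_res


def is_subsequence(required: List[str], observed: List[str]) -> bool:
    """True if `required` appears in order inside `observed` (gaps allowed),
    so extra or repeated operations on the same resource do not break a match."""
    it = iter(observed)
    return all(any(o == r for o in it) for r in required)


def match(signature: dict, trace: List[Event]) -> Optional[Binding]:
    """Bind every role of the signature to a distinct resource in the trace such
    that the per-resource behavior and all cross-resource constraints hold.
    Returns the binding, or None if the trace does not exhibit the signature."""
    per_res = group_by_resource(trace)
    candidates: Dict[str, List[str]] = {}
    for role, required in signature["roles"].items():
        cands = [res for res, ops in per_res.items() if is_subsequence(required, ops)]
        if not cands:
            return None
        candidates[role] = cands
    roles = list(candidates)
    for combo in product(*(candidates[r] for r in roles)):
        if len(set(combo)) != len(combo):
            continue  # distinct roles must bind distinct resources
        binding = dict(zip(roles, combo))
        if all(c(binding, trace) for c in signature["constraints"]):
            return binding
    return None


# Cross-resource constraints (assumed for this example): they tie the role
# bindings together, which is what a single per-resource pattern cannot express.
def autorun_points_at_dropped(b: Binding, trace: List[Event]) -> bool:
    return any(op == "RegSetValue" and res == b["autorun"] and arg == b["dropped"]
               for op, res, arg in trace)


def dropped_is_executed(b: Binding, trace: List[Event]) -> bool:
    return any(op == "NtCreateProcess" and arg == b["dropped"] for op, res, arg in trace)


# Hypothetical "drop, persist, execute" signature.
DROPPER_SIG = {
    "roles": {
        "dropped": ["NtCreateFile", "NtWriteFile", "NtClose"],
        "autorun": ["RegSetValue"],
    },
    "constraints": [autorun_points_at_dropped, dropped_is_executed],
}

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample traces (not real malware data).
ORIGINAL: List[Event] = [
    ("NtCreateFile", r"C:\Temp\a.exe", ""),
    ("NtWriteFile", r"C:\Temp\a.exe", "payload"),
    ("NtClose", r"C:\Temp\a.exe", ""),
    ("RegSetValue", RUN_KEY + r"\svc", r"C:\Temp\a.exe"),
    ("NtCreateProcess", "pid:1337", r"C:\Temp\a.exe"),
]

# Same behavior, obfuscated: renamed file, junk calls, split write, extra op, reordered steps.
OBFUSCATED: List[Event] = [
    ("NtOpenFile", r"C:\Windows\System32\kernel32.dll", ""),
    ("NtCreateFile", r"C:\Users\Public\b.exe", ""),
    ("NtReadFile", r"C:\Windows\System32\kernel32.dll", ""),
    ("NtWriteFile", r"C:\Users\Public\b.exe", "part1"),
    ("NtWriteFile", r"C:\Users\Public\b.exe", "part2"),
    ("NtQueryInformationFile", r"C:\Users\Public\b.exe", ""),
    ("NtClose", r"C:\Users\Public\b.exe", ""),
    ("NtCreateProcess", "pid:4242", r"C:\Users\Public\b.exe"),
    ("RegSetValue", RUN_KEY + r"\upd", r"C:\Users\Public\b.exe"),
]

# Benign: a file is written and a registry value names it, but it is never executed.
BENIGN: List[Event] = [
    ("NtCreateFile", r"C:\Users\alice\notes.txt", ""),
    ("NtWriteFile", r"C:\Users\alice\notes.txt", "hello"),
    ("NtClose", r"C:\Users\alice\notes.txt", ""),
    ("RegSetValue", r"HKCU\Software\Editor\LastFile", r"C:\Users\alice\notes.txt"),
]

if __name__ == "__main__":
    for name, trace in [("original", ORIGINAL), ("obfuscated", OBFUSCATED), ("benign", BENIGN)]:
        print(name, "->", match(DROPPER_SIG, trace))
```

Both malicious traces match the same signature with different concrete resources, while the benign trace binds both roles but fails the execution constraint. Note that `match` enumerates the product of candidate resources per role, which is cheap only while a signature has a handful of roles; the toy says nothing about the complexity results the abstract claims.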