A framework for understanding dynamic anti-analysis defenses

Jing Qiu, Babak Yadegari, Brian Johannesmeyer, Saumya Debray, Xiaohong Su

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

Malicious code often uses a variety of anti-analysis and anti-tampering defenses to hinder analysis. Researchers trying to understand the internal logic of the malware have to penetrate these defenses. Existing research on such anti-analysis defenses tends to study them in isolation, thereby failing to see underlying conceptual similarities between different kinds of anti-analysis defenses. This paper proposes an information-flow-based framework that encompasses a wide variety of anti-analysis defenses. We illustrate the utility of our approach using two different instances of this framework: self-checksumming-based anti-tampering defenses and timing-based emulator detection. Our approach can provide insights into the underlying structure of various anti-analysis defenses and thereby help devise techniques for neutralizing them.

Original language: English
Title of host publication: Proceedings of the 4th Program Protection and Reverse Engineering Workshop, PPREW 2014
Publisher: Association for Computing Machinery
ISBN (Electronic): 9781605586373
DOIs
Publication status: Published - 9 Dec 2014
Externally published: Yes
Event: 4th Program Protection and Reverse Engineering Workshop, PPREW 2014 - New Orleans, United States
Duration: 9 Dec 2014 → …

Publication series

Name: ACM International Conference Proceeding Series
Volume: 12-December-2014

Conference

Conference: 4th Program Protection and Reverse Engineering Workshop, PPREW 2014
Country: United States
City: New Orleans
Period: 9/12/14 → …

Keywords

  • Anti-analysis defense
  • Self-checksumming
  • Taint analysis
  • Timing defense
