http://dx.doi.org/10.13089/JKIISC.2020.30.6.1043

Detecting Spectre Malware Binary through Function Level N-gram Comparison

Kim, Moon-Sun (Hanam University)
Yang, Hee-Dong (Hanam University)
Kim, Kwang-Jun (Hanam University)
Lee, Man-Hee (Hanam University)
Abstract
Signature-based malicious code detection methods share a common limitation: it is very hard to detect modified malicious code or new malware that exploits zero-day vulnerabilities. To overcome this limitation, many studies classify malicious code using N-grams. Although these methods detect malicious code with high accuracy, they struggle to identify malware whose malicious code is very short, such as Spectre. We propose a function level N-gram comparison algorithm to effectively identify Spectre binaries. To test the validity of this algorithm, we built N-gram data sets from 165 normal binaries and 25 malicious binaries. In model performance experiments using Random Forest models, the classifier identified Spectre malicious functions with 99.99% accuracy and an f1-score of 92%.
Keywords
Spectre; Binary Analysis; Malware Detection; N-gram;
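The following is an added illustration of the abstract's central point, not code or data from the paper: when one N-gram vector is built over a whole binary, a short malicious function is diluted by the surrounding benign code, whereas comparing each function's N-gram vector separately makes it stand out. The mnemonic sequences, the function names, N=2 and the 0.7 cutoff are all constructed for the example; the paper's own parameters are not given on this page.

```python
from collections import Counter
from math import sqrt

N = 2  # bigrams over instruction mnemonics (constructed choice, not the paper's)

# Constructed profile of one short, known-malicious function (the reference).
REFERENCE = ["cmp", "jae", "mov", "shl", "and", "mov", "ret"]

# Constructed suspect binary: three ordinary functions plus a slightly modified
# copy of the reference (extra "nop"), which an exact signature would miss.
# Function names are hypothetical placeholders.
SUSPECT = {
    "sub_1000": ["push", "mov", "sub", "call", "add", "pop", "ret"],
    "sub_1040": ["push", "mov", "lea", "call", "test", "jne", "mov", "call", "xor", "pop", "ret"],
    "sub_1090": ["cmp", "jae", "mov", "shl", "and", "nop", "mov", "ret"],
    "sub_10c0": ["mov", "mov", "add", "mov", "cmp", "jne", "mov", "ret"],
}


def ngrams(mnemonics, n=N):
    """Frequency vector of consecutive n-tuples of mnemonics (empty if too short)."""
    return Counter(tuple(mnemonics[i:i + n]) for i in range(len(mnemonics) - n + 1))


def cosine(a, b):
    """Cosine similarity of two Counter vectors; 0.0 when either vector is empty."""
    dot = sum(c * b[g] for g, c in a.items())
    norm = sqrt(sum(c * c for c in a.values())) * sqrt(sum(c * c for c in b.values()))
    return dot / norm if norm else 0.0


def file_level_score(functions, reference, n=N):
    """Baseline: one N-gram vector over the whole binary, so short code is diluted."""
    whole = [m for body in functions.values() for m in body]
    return cosine(ngrams(whole, n), ngrams(reference, n))


def function_level_scores(functions, reference, n=N):
    """Function-level comparison: score every function against the reference on its own."""
    ref = ngrams(reference, n)
    return {name: cosine(ngrams(body, n), ref) for name, body in functions.items()}


def flag_functions(functions, reference, threshold=0.7, n=N):
    """Names of functions whose similarity reaches the (constructed) threshold."""
    scores = function_level_scores(functions, reference, n)
    return sorted(name for name, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    print("file-level similarity:", round(file_level_score(SUSPECT, REFERENCE), 3))
    for name, s in function_level_scores(SUSPECT, REFERENCE).items():
        print(f"{name}: {s:.3f}")
    print("flagged functions:", flag_functions(SUSPECT, REFERENCE))
```

With this input the whole-file score stays below 0.4 while the modified copy of the reference scores about 0.77 on its own, which is the effect the abstract attributes to function level comparison.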