Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dynamic Instruction Sequences Monitor for Virus Detection Jianyong Dai, Ratan Guha, Joohan Lee Wednesday, January 28, 2009 Cho, Ho-Gi.

Published byLily Ray Modified over 8 years ago

Similar presentations

Presentation on theme: "Dynamic Instruction Sequences Monitor for Virus Detection Jianyong Dai, Ratan Guha, Joohan Lee Wednesday, January 28, 2009 Cho, Ho-Gi."— Presentation transcript:

1 Dynamic Instruction Sequences Monitor for Virus Detection Jianyong Dai, Ratan Guha, Joohan Lee Wednesday, January 28, 2009 Cho, Ho-Gi

2 Abstract Dynamic instruction sequences monitor – refers to a special program which has the ability to launch a program and capture the runtime instruction sequence of that program Problem – none of them are specially designed to launch a potentially malicious program Solution – intercept certain Win32 API and divert it to a safe version of that API – provide virus detection plug-in mechanism 2015-11-16 [WePu07] 2

3 Dynamic instruction sequence monitor 2015-11-16 [WePu07] 3 DebuggerAnalyzingMonitor mainTarget LaunchSystem Malicious code or program InfectInfect

4 Solution – built a dynamic instruction sequences monitor with a protection mechanism intercept potentially destructive Win32 API and divert it to a safe version of that API provide some mechanism to keep the original execution path as much as possible – plug-in mechanism programmer can build different applications based on the dynamic instruction sequences captured by the monitor 2015-11-16 [WePu07] 4

5 System Architecture Overview 2015-11-16 [WePu07] 5Monitor mainTarget Launch … ReadFile(..) CreateFile(..) CheckFile(..) WriteFile(..) … Malicious code or program Interposition Binary sequences Classification Models CreateFile(..) CheckFile(..) WriteFile(..) Classification Models CreateFile(..) CheckFile(..) WriteFile(..) Compare and Decision

6 2015-11-16 [WePu07] 6 Program Debugger Insulator Unknown Executable Disassembler Instruction processing Plug-in System Architecture for monitor Instruction Sequences Logic assembly construction Logic assembly construction Abstract assembly construction Abstract assembly construction Classification Decision Model Manager Classification Models Classification Models Structure of virus detection plug-in

7 Insulator – prevent certain Win32 API from executing – supply API with dummy output without actually invoking – use Microsoft Detour package 2015-11-16 [WePu07] 7 Return File and directory manipulation API Registry manipulation API Remote memory manipulation Remote thread creation Administration related API Socket creation, packet sending

8 Conclusion describe a dynamic instruction sequences monitor and a virus detection plug-in based the monitor – efficient and protect user computer in general case Problem – invoke the underlying ntdll.dll or interrupt 2E directly, which is not protected 2015-11-16 [WePu07] 8

Download ppt "Dynamic Instruction Sequences Monitor for Virus Detection Jianyong Dai, Ratan Guha, Joohan Lee Wednesday, January 28, 2009 Cho, Ho-Gi."

Similar presentations

Windows 2000 I/O System, Cache Manager and File Systems Computing Department, Lancaster University, UK.

Windows 2000 I/O System, Cache Manager and File Systems Computing Department, Lancaster University, UK.
Operating System Structures

Operating System Structures
Optimizing single thread performance Dependence Loop transformations.

Optimizing single thread performance Dependence Loop transformations.
Chapter 2 Operating System Overview Operating Systems: Internals and Design Principles, 6/E William Stallings.

Chapter 2 Operating System Overview Operating Systems: Internals and Design Principles, 6/E William Stallings.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
Programming Languages Marjan Sirjani 2 2. Language Design Issues Design to Run efficiently : early languages Easy to write correctly : new languages.

Programming Languages Marjan Sirjani 2 2. Language Design Issues Design to Run efficiently : early languages Easy to write correctly : new languages.
Windows 2000 System Architecture (continued) Computing Department, Lancaster University, UK.

Windows 2000 System Architecture (continued) Computing Department, Lancaster University, UK.
Operating-System Structures

Operating-System Structures
1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.

1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.
Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science ©2002-2004 Matt Bishop.

Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science © Matt Bishop.
Chapter 2: Operating-System Structures

Chapter 2: Operating-System Structures
Chapter 8 Operating System Support

Chapter 8 Operating System Support
Cs238 Lecture 3 Operating System Structures Dr. Alan R. Davis.

Cs238 Lecture 3 Operating System Structures Dr. Alan R. Davis.
Computer Organization and Architecture

Computer Organization and Architecture
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,

Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,
Chapter 6 - Implementing Processes, Threads and Resources Kris Hansen Shelby Davis Jeffery Brass 3/7/05 & 3/9/05 Kris Hansen Shelby Davis Jeffery Brass.

Chapter 6 - Implementing Processes, Threads and Resources Kris Hansen Shelby Davis Jeffery Brass 3/7/05 & 3/9/05 Kris Hansen Shelby Davis Jeffery Brass.
Copyright Arshi Khan1 System Programming Instructor Arshi Khan.

Copyright Arshi Khan1 System Programming Instructor Arshi Khan.
By Mr. Abdalla A. Shaame.  An operating system is a software component that acts as the core of a computer system.  It performs various functions and.

By Mr. Abdalla A. Shaame.  An operating system is a software component that acts as the core of a computer system.  It performs various functions and.
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 2: System Structures.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 2: System Structures.

Similar presentations

Ads by Google