One prominent tactic for keeping malicious behavior from being detected during dynamic test campaigns is the logic bomb, in which malicious operations are triggered only when specific conditions are satisfied. Defusing logic bombs remains an unsolved problem in the literature. In this work, we propose to investigate Suspicious Hidden Sensitive Operations (SHSOs) as a step towards triaging logic bombs. To that end, we develop a novel hybrid approach that combines static analysis and anomaly detection techniques to uncover SHSOs, which we predict to be likely implementations of logic bombs. Concretely, Difuzer identifies SHSO entry points using an instrumentation engine and an inter-procedural data-flow analysis. It then extracts trigger-specific features to characterize SHSOs and leverages a One-Class SVM to build an unsupervised learning model that detects abnormal triggers. We evaluate our prototype and show that it yields a precision of 99.02% in detecting SHSOs, of which 29.7% are logic bombs. Difuzer outperforms the state of the art by revealing more logic bombs while yielding fewer false positives, in roughly one order of magnitude less time. All our artifacts are released to the community.
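The following added example sketches the second half of the pipeline described above (trigger-feature extraction followed by one-class anomaly detection) on constructed inputs. It is not Difuzer's code: the regex feature families, the sink list, the benign training triggers and the candidate SHSOs are all hypothetical, and a centroid-distance detector fitted on benign triggers only stands in for the One-Class SVM so the example runs with the standard library alone. The inter-procedural data-flow step that finds the guarded sensitive operations is assumed to have already produced each (predicate, guarded calls) pair.

```python
import math
import re

# Hypothetical trigger-feature families: regexes over the guarding predicate.
# Illustrative stand-ins only, not Difuzer's actual feature set.
FEATURE_PATTERNS = {
    "time_check":      r"Calendar|System\.currentTimeMillis|Date\(|SystemClock",
    "sms_check":       r"SmsMessage|getMessageBody|getOriginatingAddress",
    "device_check":    r"Build\.|getDeviceId|getSimSerialNumber|getLine1Number",
    "emulator_check":  r"generic|goldfish|sdk|15555215554",
    "string_equals":   r"\.equals\(|\.contains\(|\.startsWith\(",
    "numeric_compare": r"[=!<>]=\s*\d+|[<>]\s*\d+",
}

# Illustrative sensitive-operation sinks that may appear in the guarded branch.
SENSITIVE_SINKS = ("sendTextMessage", "DexClassLoader", "Runtime.exec",
                   "HttpURLConnection", "deleteFile")


def extract_features(predicate, guarded_calls):
    """Map one (predicate, guarded calls) pair to a numeric vector: one match
    count per regex family, then the number of sensitive sinks reached in the
    guarded branch, then the number of boolean connectives in the predicate."""
    vec = [len(re.findall(p, predicate)) for p in FEATURE_PATTERNS.values()]
    vec.append(sum(1 for c in guarded_calls
                   if any(s in c for s in SENSITIVE_SINKS)))
    vec.append(predicate.count("&&") + predicate.count("||"))
    return vec


class CentroidDetector:
    """Simplified one-class detector used here in place of a One-Class SVM:
    fit on presumed-benign triggers only, standardize each feature, and flag
    any vector farther from the centroid than every training point (times a
    margin). Nothing malicious is needed at training time."""

    def __init__(self, margin=1.5):
        self.margin = margin

    def fit(self, vectors):
        n, d = len(vectors), len(vectors[0])
        self.mean = [sum(v[i] for v in vectors) / n for i in range(d)]
        # Floor the scale at 1 so a feature never seen in training still
        # contributes a finite, meaningful distance instead of blowing up.
        self.scale = [max(math.sqrt(sum((v[i] - self.mean[i]) ** 2
                                        for v in vectors) / n), 1.0)
                      for i in range(d)]
        self.radius = max(self._dist(v) for v in vectors) * self.margin
        return self

    def _dist(self, v):
        return math.sqrt(sum(((v[i] - self.mean[i]) / self.scale[i]) ** 2
                             for i in range(len(v))))

    def score(self, v):
        """Scores above 1.0 lie outside the benign envelope."""
        return self._dist(v) / self.radius

    def is_anomalous(self, v):
        return self.score(v) > 1.0


# Constructed benign triggers (predicate, calls in the guarded branch).
BENIGN_TRIGGERS = [
    ("user != null && user.isLoggedIn()", ["startActivity"]),
    ("retryCount < 3", ["HttpURLConnection.connect"]),
    ('prefs.getBoolean("dark_mode", false)', ["setTheme"]),
    ("System.currentTimeMillis() - lastSync > 60000", ["HttpURLConnection.connect"]),
    ('intent.getAction().equals("android.intent.action.BOOT_COMPLETED")', ["startService"]),
    ('response.code() == 200 && body.contains("ok")', ["HttpURLConnection.connect"]),
]

# Constructed candidate SHSOs to triage (hypothetical, not from any real app).
CANDIDATE_SHSOS = {
    "date_and_sms_trigger": (
        'Calendar.getInstance().get(Calendar.DAY_OF_MONTH) == 13 '
        '&& sms.getMessageBody().contains("activate")',
        ["SmsManager.sendTextMessage", "DexClassLoader.loadClass"]),
    "emulator_check": (
        'Build.FINGERPRINT.startsWith("generic") || Build.MODEL.contains("sdk")',
        ["Runtime.exec"]),
    "sync_guard": (
        'networkAvailable && !prefs.getBoolean("sync_paused", false)',
        ["HttpURLConnection.connect"]),
}


def train_detector():
    return CentroidDetector().fit(
        [extract_features(p, g) for p, g in BENIGN_TRIGGERS])


def triage(detector, candidates):
    """Rank candidate SHSOs by anomaly score, highest first, as
    (name, score, flagged) tuples for an analyst to review."""
    ranked = []
    for name, (predicate, calls) in candidates.items():
        vec = extract_features(predicate, calls)
        ranked.append((name, round(detector.score(vec), 3),
                       detector.is_anomalous(vec)))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, score, flagged in triage(train_detector(), CANDIDATE_SHSOS):
        print(f"{name:22s} score={score:.3f} suspicious={flagged}")
```

Both the date-plus-SMS trigger and the emulator check land outside the benign envelope while the ordinary sync guard does not. The emulator check is the instructive case: it is an abnormal trigger guarding a sensitive operation, so it is a legitimate SHSO, yet it is not necessarily a logic bomb. That gap is why the output is a ranked triage list rather than a verdict, matching the abstract's observation that only a fraction of detected SHSOs turn out to be logic bombs.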