MAIL: Malware Analysis Intermediate Language

Shahid Alam, R. Nigel Horspool, Issa Traore
2013 Proceedings of the 6th International Conference on Security of Information and Networks - SIN '13  
Dynamic binary obfuscation or metamorphism is a technique where a malware never keeps the same sequence of opcodes in the memory. Such malware are very difficult to analyse and detect manually even with the help of tools. We need to automate the analysis and detection process of such malware. This paper introduces and presents a new language named MAIL (Malware Analysis Intermediate Language) to automate and optimize this process. MAIL also provides portability for building malware analysis and
more » ... detection tools. Each MAIL statement is assigned a pattern that can be used to annotate a control flow graph for pattern matching to analyse and detect metamorphic malware. Experimental evaluation of the proposed approach using an existing dataset yields malware detection rate of 93.92% and false positive rate of 3.02%.
doi:10.1145/2523514.2527006 dblp:conf/sin/AlamHT13 fatcat:enxc3uwkb5daxbvqj5nx7ppvjq