Recently, the use of mobile devices has exceeded the use of personal computers. The malicious programs used to disrupt the systems on personal computers show up in a similar way on mobile devices, for example on the Android™ operating system on smartphones or tablet computers. The widespread problem of malicious programs causes the users of mobile devices to be exposed to malware threats, and fast polymorphism forces antivirus software developers to constantly be alert to ensure their users' safety against electronic attacks in the form of malware.
Malicious software detection techniques play an important role in the defense of information security. The fast polymorphism of malware has produced a variety of disguises, making a precise detection method a necessity. The major malware detection methods on personal computer systems can be categorized into static analysis and dynamic analysis. Static analysis models the structural characteristics of the program under examination by extracting its control flow; however, characteristics of benign programs constantly appear among the characteristics of malicious programs, which greatly obscures what this technique can distinguish. Dynamic analysis monitors and models the runtime behavior of the program under examination and is a common technique; however, it depends on the quality of the simulation provided by the simulator of the mobile device, there is no way to observe the interaction between the malicious program and the telecom service, and there is no way to observe the interaction between the malicious program and specific elements of the mobile device.
US 20120222120 discloses triggering an action by monitoring Application Program Interface (API) calls to detect malicious behavior. In this patent, malware detection on personal computers is applied to mobile devices. However, the instruction sequences of an application on a mobile device generally include the common sequences of instructions of the system. Hence, determining whether the application is a malware program suffers from low accuracy, whether the comparison uses the flow graph of the malware pattern file or the flow graph of the extracted actions. If the common sequences of instructions of the system are not removed from the malware programs, a false alert message may easily occur.
US 20120072988 discloses a model generated from the control flow and data flow of a collection of malware programs, and applies the model to detect unknown programs. This patent further provides a new technique, the “super block”, for a more firmly built flow graph model, but it does not resolve the interference caused by the common sequences of instructions shared by the malware program and the system.
US 20100011441 discloses preprocessing computer programs to remove obfuscation that might prevent the detection of embedded malware, so as to improve the accuracy of detection. The main purposes of this patent are the unpacking of encrypted malware and the reordering of the malware into a standard form. However, this patent does not resolve the interference caused by the common sequences of instructions shared by the malware program and the system.
U.S. Pat. No. 8,370,931B1 discloses a technique using dynamic behavior matching to detect malware programs. This patent designs an algorithm that determines whether the system behavior is suspicious by matching sets of rules against the system events caused by a particular process.
U.S. Pat. No. 8,266,698B1 discloses a technique using dynamic behavior matching to detect malware programs. This patent collects the behavioral characteristics of the users and designs an algorithm that determines whether the executing application is a malware threat.
In all of the aforementioned prior art, the semantic models of the malware programs also contain the characteristics of normal, benign programs. As a result, the detection may not be precise enough.
In order to overcome the drawbacks of the prior art, a computer-implemented method for distilling a malware program in a system is disclosed. The particular design of the present invention not only solves the problems described above, but is also easier to implement. Thus, the present invention has utility for the industry.
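As an added illustration of the interference problem described above and of the distilling idea, not part of this disclosure or of the cited patents: the Python script below builds an instruction-sequence model from a constructed malware trace, removes the sub-sequences that also occur in constructed benign system traces, and compares how the undistilled and the distilled models score an unknown benign program and an unknown malicious one. The Dalvik-style opcode traces, the sub-sequence length N and the alert threshold are all assumed values chosen for the example.

```python
N = 3  # length of the instruction sub-sequences (n-grams) used as model features

# Constructed Dalvik-style opcode traces, not real samples (assumed for the example).
BENIGN_SYSTEM_TRACES = [
    "invoke-virtual move-result return-void const-string invoke-virtual move-result if-eqz goto".split(),
    "const-string invoke-virtual move-result return-void invoke-virtual move-result if-eqz goto".split(),
]
MALWARE_TRACE = ("invoke-virtual move-result return-void const-string invoke-virtual "
                 "sget-object sput-object invoke-virtual move-result if-eqz goto").split()
UNKNOWN_BENIGN = ("invoke-virtual move-result return-void const-string invoke-virtual "
                  "move-result if-eqz goto invoke-virtual").split()
UNKNOWN_MALICIOUS = ("sget-object sput-object invoke-virtual const-string invoke-virtual "
                     "sget-object sput-object invoke-virtual move-result").split()

def ngrams(trace, n=N):
    """All length-n instruction sub-sequences of a trace, as a set."""
    return {tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)}

def common_system_sequences(benign_traces, n=N):
    """Sub-sequences that benign system code itself produces."""
    common = set()
    for trace in benign_traces:
        common |= ngrams(trace, n)
    return common

def distill(malware_trace, common, n=N):
    """Malware model with the common system sub-sequences removed."""
    return ngrams(malware_trace, n) - common

def match_score(unknown_trace, signature, n=N):
    """Fraction of the signature's sub-sequences present in the unknown program."""
    if not signature:
        return 0.0
    return len(ngrams(unknown_trace, n) & signature) / len(signature)

def evaluate(unknown_trace, threshold=0.5):
    """Score one unknown program against the raw and the distilled malware model."""
    raw = ngrams(MALWARE_TRACE)
    distilled = distill(MALWARE_TRACE, common_system_sequences(BENIGN_SYSTEM_TRACES))
    raw_score = match_score(unknown_trace, raw)
    distilled_score = match_score(unknown_trace, distilled)
    return {"raw": raw_score, "raw_alert": raw_score >= threshold,
            "distilled": distilled_score, "distilled_alert": distilled_score >= threshold}

if __name__ == "__main__":
    print("benign program   :", evaluate(UNKNOWN_BENIGN))     # raw model raises a false alert
    print("malicious program:", evaluate(UNKNOWN_MALICIOUS))  # distilled model matches fully
```

With these traces the raw model flags the benign program (5 of its 9 sub-sequences are shared system code) while the distilled model scores it 0.0 and scores the malicious program 1.0.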