Abstract
Malware has been around since the 1980s and is today a large and expensive security concern, one that has grown steadily over the past years. As our social, professional and financial lives become more digitalised, they present larger and more profitable targets for malware. The problem of classifying and preventing malware is therefore urgent, and it is complicated by the existence of several specific, partly incompatible approaches. In this paper, we use an existing malware taxonomy to formulate a general, language-independent functional description of malware as transformers between states of the host system, described by a trust relation with the system's components. This description is then further generalised in terms of mechanisms, thereby contributing to a general understanding of malware. The aim is to use the latter in order to present an improved classification method for malware.
Notes
For a general introduction, see Houkes and Vermaas (2010).
An organisation might also have security violations in administrative, communications, personnel or physical security, for example. Security is from the perspective of the system to be secured, i.e. there is not one absolute concept.
NIST glossary entry: https://csrc.nist.gov/Glossary/?term=5475.
See Alberts et al. (2004, p. 3). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.
See, e.g., Sikorski and Honig (2012, Ch. 0).
It is interesting to note that MAEC capabilities were first called mechanisms.
Writing in 2006, Rutkowska (2006) marks this type as uninteresting. The more recent prevalence of ransomware, which uses normal system features to disrupt the user’s tasks to extort money, indicates that type 0 malware can nonetheless significantly harm an organisation’s security architecture.
For a canonical perspective on defining access control, see Bell and LaPadula (1973).
The following definition is formulated as a special case of the more general one provided in Primiero and Taddeo (2012).
We do not claim this is the only way to analyse or describe the analysis of the situation. Some of these steps will be intuitive to professional malware analysts or program verification logicians. We view this similarity as a main contribution: by casting malware analysis in this mechanistic lens, we can see similarities between fields in biology and computer science that otherwise appear starkly dissimilar.
References
Addis, B., & Garrick, S. (2014). Botnet takedowns—our GameOver Zeus experience. In Botconf, Nancy, France, Dec 3. AILB-IBFA.
Alberts, C., Dorofee, A., Killcrece, G., Ruefle, R., & Zajicek, M. (2004). Defining incident management processes for CSIRTs: a work in progress. Technical Report CMU/SEI-2004-TR-015. Software Engineering Institute, Carnegie Mellon University.
AV-Test. (2017). Malware statistics. Technical report. The Independent IT-Security Institute.
Bechtel, W., & Richardson, R. C. (1993). Discovering complexity: decomposition and localization as strategies in scientific research, 1st edn. Princeton: Princeton University Press.
Beck, D., Kirillov, I., & Chase, P. (2012). The MAEC language—overview. Technical report. The MITRE Corporation.
Bell, D. E., & LaPadula, L. J. (1973). Secure computer systems: mathematical foundations. Technical Report MTR-2547 (Vol. 1). Bedford: MITRE Corp.
Caltagirone, S., Pendergast, A., & Betz, C. (2013). The diamond model of intrusion analysis. Technical report. Center for Cyber Intelligence Analysis and Threat Research. http://www.threatconnect.com/methodology/diamond_model_of_intrusion_analysis.
CERT/CC. (2017). Basic Fuzzing Framework (BFF). https://www.cert.org/vulnerability-analysis/tools/bff.cfm. Accessed Feb 6, 2017.
Cohen, F. (1987). Computer viruses: theory and experiments. Computers and Security, 6(1), 22–35.
Craver, C. F. (2001). Role functions, mechanisms, and hierarchy. Philosophy of Science, 68, 53–74.
Craver, C. F. (2007). Explaining the brain: mechanisms and the mosaic unity of neuroscience. Oxford: Oxford University Press.
Darden, L. (2006). Reasoning in biological discoveries: essays on mechanisms, interfield relations, and anomaly resolution. Cambridge: Cambridge University Press.
Denning, P. (1988). Computer viruses. Technical report. Research Institute for Advanced Computer Science.
Erdélyi, G. (2004). Hide 'n' seek? Anatomy of stealth malware. Technical report. F-Secure Corporation.
Floridi, L., Fresco, N., & Primiero, G. (2015). On malfunctioning software. Synthese, 192(4), 1199–1220.
Fresco, N., & Primiero, G. (2013). Miscomputation. Philosophy & Technology, 26(3), 253–272.
Galmiche, D., Méry, D., & Pym, D. (2005). The semantics of BI and resource tableaux. Mathematical Structures in Computer Science, 15(6), 1033–1088.
Glennan, S., & Illari, P. (2017). Mechanisms and the new mechanical philosophy. Evanston: Routledge.
ICSG Malware Metadata Exchange Format Working Group. (2011). Malware metadata exchange format behavioral.
Hatleback, E., & Spring, J. M. (2018). A refinement to the general mechanistic account. European Journal for Philosophy of Science. In press.
Houkes, W., & Vermaas, P. E. (2010). Technical functions: on the use and design of artefacts (Philosophy of Engineering and Technology, Vol. 1). Berlin: Springer.
Howard, J. D., & Longstaff, T. A. (1998). A common language for computer security incidents. Technical Report SAND98-8667. Sandia National Laboratories.
Hutchins, E. M., Cloppert, M. J., & Amin, R. M. (2011). Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Leading Issues in Information Warfare & Security Research, 1, 80.
Illari, P., & Williamson, J. (2012). What is a mechanism? Thinking about mechanisms across the sciences. European Journal for Philosophy of Science, 2, 119–135.
Jacob, G., Debar, H., & Filiol, E. (2008). Behavioral detection of malware: from a survey towards an established taxonomy. Journal in Computer Virology, 4(3), 251–266.
Jespersen, B., & Carrara, M. (2011). Two conceptions of technical malfunction. Theoria, 77(2), 117–138.
Jespersen, B., & Carrara, M. (2013). A new logic of technical malfunction. Studia Logica, 101(3), 547–581.
Jin, W., Cohen, C., Gennari, J., Hines, C., Chaki, S., Gurfinkel, A., Havrilla, J., & Narasimhan, P. (2014). Recovering C++ objects from binaries using inter-procedural data-flow analysis. In Program Protection and Reverse Engineering Workshop. San Diego: ACM.
Kramer, S., & Bradfield, J. C. (2010). A general definition of malware. Journal in Computer Virology, 6(2), 105–114.
Kroes, P. (2012). Proper functions and technical artefact kinds (pp. 89–125). Netherlands: Springer.
Lamport, L. (1977). Proving the correctness of multiprocess programs. IEEE Transactions on Software Engineering, SE-3(2), 125–143.
Lawrence Livermore National Laboratory. (2016). ROSE compiler infrastructure. http://rosecompiler.org/.
MITRE. (2015). Common weakness enumeration: a community-developed dictionary of software weakness types, v2.9. http://cwe.mitre.org.
Falliere, E., Chien, N., & Murchu, L. O. (2011). W32.Stuxnet dossier, v1.4. Technical report. Symantec Security Response.
O'Hearn, P. W. (2015). From categorical logic to Facebook engineering. In Logic in Computer Science (LICS) (pp. 17–20). IEEE.
Piccinini, G. (2007). Computing mechanisms. Philosophy of Science, 74(4), 501–526.
Primiero, G., & Taddeo, M. (2012). A modal type theory for formalizing trusted communications. Journal of Applied Logic, 10(1), 92–114.
Pym, D., Spring, J. M., & O'Hearn, P. (2018). Why separation logic works. Philosophy & Technology. https://doi.org/10.1007/s13347-018-0312-8.
Rhee, J., Riley, R., Xu, D., & Jiang, X. (2009). Defeating dynamic data kernel rootkit attacks via VMM-based guest-transparent monitoring. In 2009 International Conference on Availability, Reliability and Security (pp. 74–81).
Rossow, C., Dietrich, C. J., Grier, C., Kreibich, C., Paxson, V., Pohlmann, N., Bos, H., & van Steen, M. (2012). Prudent practices for designing malware experiments: status quo and outlook. In IEEE Symposium on Security and Privacy (S&P) (pp. 65–79).
Rutkowska, J. (2006). Introducing stealth malware taxonomy. Technical report. COSEINC Advanced Malware Labs.
Salomon, D. (2006). Foundations of computer security. Berlin: Springer.
Schaefer, R. (2009). The epistemology of computer security. SIGSOFT Software Engineering Notes, 34(6), 8–10.
Shirey, R. (2007). Internet Security Glossary, Version 2. RFC 4949.
Sikorski, M., & Honig, A. (2012). Practical malware analysis: the hands-on guide to dissecting malicious software, 1st edn. San Francisco: No Starch Press.
Spring, J. M., & Hatleback, E. (2017). Thinking about intrusion kill chains as mechanisms. Journal of Cybersecurity, 3(3), 185–197.
Spring, J. M., & Illari, P. (2018). Building general knowledge of mechanisms in information security. Philosophy & Technology. https://doi.org/10.1007/s13347-018-0329-z.
Szor, P. (2005). The art and craft of computer virus research and defense. Reading: Addison-Wesley.
van Eck, D. (2016). The philosophy of science and engineering design. Springer International Publishing.
Weaver, N., Paxson, V., Staniford, S., & Cunningham, R. (2003). A taxonomy of computer worms. In S. Staniford & S. Savage (Eds.), Proceedings of the 2003 ACM Workshop on Rapid Malcode, WORM 2003, Washington, DC, USA, October 27, 2003 (pp. 11–18). ACM Press.
Acknowledgments
This research was conducted while Giuseppe Primiero and Frida Solheim were affiliated to the Department of Computer Science, Middlesex University London (UK).
Giuseppe Primiero was partially supported by the Project PROGRAMme ANR-17-CE38-0003-01.
Jonathan Spring was supported by University College London’s Overseas Research Scholarship and Graduate Research Scholarship.
Primiero, G., Solheim, F.J. & Spring, J.M. On Malfunction, Mechanisms and Malware Classification. Philos. Technol. 32, 339–362 (2019). https://doi.org/10.1007/s13347-018-0334-2