Commit 9b8e06b2 authored by AbiusX

fix 2 minor typos

parent 83f54067
...@@ -166,7 +166,7 @@ To investigate further, we leverage VirusTotal (VT). Specifically, among the 238 ...@@ -166,7 +166,7 @@ To investigate further, we leverage VirusTotal (VT). Specifically, among the 238
VT also recognized 2,406 of \toolname's 3,891 (3,748 + 143) detected samples as malware, while not recognizing 1,485 of them (Fig.~\ref{fig:scanned_files}-\blkcc{4}-\blkcc{B}). Out of the 2,406 recognized samples, 741 were detected by only 1 engine, while 797 were detected by exactly two engines. 836 were detected by less than 5 engines, leaving only 32 samples that were discovered by several engines. VT also recognized 2,406 of \toolname's 3,891 (3,748 + 143) detected samples as malware, while not recognizing 1,485 of them (Fig.~\ref{fig:scanned_files}-\blkcc{4}-\blkcc{B}). Out of the 2,406 recognized samples, 741 were detected by only 1 engine, while 797 were detected by exactly two engines. 836 were detected by less than 5 engines, leaving only 32 samples that were discovered by several engines.
65 samples recognized by both maldet and VT were not detected by \toolname. 65 samples recognized by both maldet and VT were not detected by \toolname.
%% %%
Our manual inspection on these cases shows that they are malicious code that either uses deprecated PHP features, or is dead code, and thus are no longer harmful (as they cannot be executed anymore). Our manual inspection on these cases shows that they are malicious code that either use deprecated PHP features, or are dead code, and thus are no longer harmful (as they cannot be executed anymore).
%After manual investigation of those cases, we find that these are malicious code that are either deprecated, thus simply ignored or causing exceptions during execution, or are malicious code but broken hence unreachable code (i.e., dead code). As \sysname did not observe any malicious behaviors from those samples, they are not flagged as malware. %After manual investigation of those cases, we find that these are malicious code that are either deprecated, thus simply ignored or causing exceptions during execution, or are malicious code but broken hence unreachable code (i.e., dead code). As \sysname did not observe any malicious behaviors from those samples, they are not flagged as malware.
%\ykupdate{do we need to say solving the two above problems is future work?} %\ykupdate{do we need to say solving the two above problems is future work?}
%As they do not actually emit malicious behavior, \sysname is unable to categorize them as malware. %As they do not actually emit malicious behavior, \sysname is unable to categorize them as malware.
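Review bot: the agreement fix on the "Our manual inspection" line is only half done: "malicious code that either use deprecated PHP features, or are dead code" now pairs plural verbs with the singular noun "code", and the clause that follows ("thus are no longer harmful (as they cannot be executed anymore)") also treats the subject as plural. Make the noun plural to match, e.g. "they are malicious code samples that either use deprecated PHP features or are dead code, and thus are no longer harmful", and drop the comma before "or". Separately, the live context in this hunk refers to the system as \toolname while the commented-out lines (and the second file in this commit) use \sysname; unless the two macros are aliases, one of them should be replaced so the paper names the tool consistently.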
...@@ -59,9 +59,9 @@ In addition, PHP malware are often injected into complex benign programs, which ...@@ -59,9 +59,9 @@ In addition, PHP malware are often injected into complex benign programs, which
\end{newtext} \end{newtext}
J-Force~\cite{kim2017j} also uses a similar method to analyze JavaScript (JS) malware which frequently leverages user events such as mouse clicks to hide malicious behaviors. In contrast, \sysname focuses on handling server-side specific evasive techniques such as heavy obfuscations and J-Force~\cite{kim2017j} also uses a similar method to analyze JavaScript (JS) malware which frequently leverages user events such as mouse clicks to hide malicious behaviors. In contrast, \sysname focuses on handling server-side specific evasive techniques such as heavy obfuscations and
\begin{newtext} %\begin{newtext}
plugins architectures plugins architectures
\end{newtext} %\end{newtext}
(Section~\ref{section:background}). NAVEX uses a similar approach to counterfactual execution to discover vulnerabilities in web applications~\cite{Alhuzali:2018vd}. However, NAVEX is rooted in static analysis, resulting in evasion of many metamorphic malware. (Section~\ref{section:background}). NAVEX uses a similar approach to counterfactual execution to discover vulnerabilities in web applications~\cite{Alhuzali:2018vd}. However, NAVEX is rooted in static analysis, resulting in evasion of many metamorphic malware.
The most closely related research to our work uses runkit~\cite{runkit}, a PHP extension that allows overriding functions and operators, to create a sandbox in PHP, and evaluates one dynamic path of an application while checking for the presence of potentially malicious functions~\cite{Wrench:2014cz}. The most closely related research to our work uses runkit~\cite{runkit}, a PHP extension that allows overriding functions and operators, to create a sandbox in PHP, and evaluates one dynamic path of an application while checking for the presence of potentially malicious functions~\cite{Wrench:2014cz}.
Finally, we note that static PHP analyzers such as Pixy and RIPS~\cite{Jovanovic:2006jo,Dahse:2014wj} are unable to fully uncloak dynamic malware Finally, we note that static PHP analyzers such as Pixy and RIPS~\cite{Jovanovic:2006jo,Dahse:2014wj} are unable to fully uncloak dynamic malware
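Review bot: "plugins architectures", on the line between the two newly commented-out newtext markers, is itself a typo and should read "plugin architectures"; since this commit is already editing those lines, the fix belongs here. Commenting out \begin{newtext} and \end{newtext} rather than deleting them leaves two dead revision markers in the source; if the change highlighting is no longer wanted, remove the pair outright. The current form does compile correctly, because a line ending in a % comment also swallows its line break, so "obfuscations and plugins architectures (Section~\ref{section:background})" still reads as one sentence in the PDF.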