
Research Article
PDFIET: PDF Malicious Indicators Extraction Technique Through Optimized Symbolic Execution
@INPROCEEDINGS{10.1007/978-3-031-64954-7_21,
  author        = {Enzhou Song and Tao Hu and Peng Yi and Wenbo Wang},
  title         = {PDFIET: PDF Malicious Indicators Extraction Technique Through Optimized Symbolic Execution},
  proceedings   = {Security and Privacy in Communication Networks. 19th EAI International Conference, SecureComm 2023, Hong Kong, China, October 19-21, 2023, Proceedings, Part II},
  proceedings_a = {SECURECOMM PART 2},
  year          = {2024},
  month         = {10},
  keywords      = {Malicious documents, JavaScript code, Indicator extraction, Optimized symbolic execution},
  doi           = {10.1007/978-3-031-64954-7_21}
}
- Enzhou Song
- Tao Hu
- Peng Yi
- Wenbo Wang
Year: 2024
SECURECOMM PART 2
Springer
DOI: 10.1007/978-3-031-64954-7_21
Abstract
Malicious PDF documents have posed a significant threat to network security in recent years. Extracting malicious indicators from PDF documents is a critical step for subsequent analysis and detection. However, current static and dynamic extraction methods are easily defeated by evasion techniques such as heavy obfuscation and sandbox detection. We therefore apply optimized symbolic execution to PDF indicator extraction and propose PDFIET, a PDF malicious indicator extraction technique consisting of three modules: code parsing, symbolic execution and indicator extraction. We design a code rewriting method that improves code coverage by enforcing branch transfers, and we use a concurrency strategy and two constraint-solving optimizations to improve the efficiency of symbolic execution. We evaluate PDFIET in several experiments on 1271 malicious samples. The extraction success rate and the effectiveness of the extracted indicators are high, and code coverage and system efficiency improve significantly after optimization. The evaluation supports the design of the approach.
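The abstract describes a pipeline of code parsing, symbolic execution and indicator extraction over the JavaScript embedded in PDF files. The Python below is an added illustration of the first and last of those stages, not PDFIET's code or anything published with the paper: it assembles a constructed sample PDF whose /OpenAction points to a FlateDecode-compressed JavaScript stream, parses the objects, inflates and recovers the script, and extracts static indicators (URLs, commonly abused Acrobat JavaScript APIs, %u-encoded shellcode blobs, and the environment properties used as version/sandbox guards). The symbolic-execution stage and the branch-enforcing code rewrite are not reproduced. The payload, object numbers, the `malicious.example` host and the API lists are all assumptions made for the example.

```python
import re
import zlib

# Constructed sample payload (not from any real sample): an environment-guarded
# heap-spray/downloader stub of the kind that defeats a sandbox whose viewer
# version fails the guard.
JS_PAYLOAD = (
    "var v = app.viewerVersion;\n"
    "if (v < 9) {\n"
    "  var sc = unescape('%u9090%u9090%u9090%u9090%ue8fc%u0082');\n"
    "  var u = 'http://malicious.example/payload.bin';\n"
    "  eval(util.printf('%5000s', sc) + u);\n"
    "} else {\n"
    "  app.alert('Document loaded.');\n"
    "}\n"
)

# Acrobat JavaScript APIs frequently abused in malicious PDFs, and the app
# properties typically read as sandbox/version guards. Illustrative lists only.
SUSPICIOUS_APIS = ("eval", "unescape", "util.printf", "String.fromCharCode",
                   "Collab.collectEmailInfo", "media.newPlayer", "getAnnots")
ENV_GUARDS = ("app.viewerVersion", "app.viewerType", "app.platform", "app.language")

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
STREAM_START_RE = re.compile(rb"stream\r?\n")
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")          # /JS as indirect reference
JS_LIT_RE = re.compile(rb"/JS\s*\((.*?)(?<!\\)\)", re.S)   # /JS as inline literal string
URL_RE = re.compile(r"https?://[\w.\-/%?=&+#:]+")
SHELLCODE_RE = re.compile(r"(?:%u[0-9a-fA-F]{4}){4,}")


def build_sample_pdf() -> bytes:
    """Assemble a minimal PDF whose /OpenAction runs a FlateDecode-compressed script."""
    js = zlib.compress(JS_PAYLOAD.encode("latin-1"))
    bodies = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /Action /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js) + js + b"\nendstream",
    ]
    out = [b"%PDF-1.7"]
    for num, body in enumerate(bodies, 1):
        out.append(b"%d 0 obj\n" % num + body + b"\nendobj")
    out.append(b"trailer\n<< /Root 1 0 R >>\n%EOF")
    return b"\n".join(out)


def extract_objects(pdf: bytes) -> dict:
    """Map object number -> raw object body. A production parser would walk the
    xref table instead of scanning for obj/endobj; the scan suffices here."""
    return {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}


def decode_stream(obj: bytes):
    """Return the inflated payload of a stream object, or None if it has no stream."""
    m = STREAM_START_RE.search(obj)
    if not m:
        return None
    dict_part, start = obj[: m.start()], m.end()
    # Direct /Length N only; "/Length N 0 R" (indirect) falls back to the keyword.
    length = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", dict_part)
    if length:  # slice by /Length: binary data may legitimately contain b"endstream"
        data = obj[start : start + int(length.group(1))]
    else:
        data = obj[start : obj.find(b"endstream", start)].rstrip(b"\r\n")
    if b"/FlateDecode" in dict_part:
        data = zlib.decompress(data)
    return data


def extract_javascript(pdf: bytes) -> list:
    """Collect every script attached to a /JavaScript action, whether stored
    inline as a literal string or indirectly in a (possibly compressed) stream."""
    objs = extract_objects(pdf)
    scripts = []
    for body in objs.values():
        if b"/JavaScript" not in body:
            continue
        for m in JS_REF_RE.finditer(body):
            data = decode_stream(objs.get(int(m.group(1)), b""))
            if data:
                scripts.append(data.decode("latin-1"))
        for m in JS_LIT_RE.finditer(body):
            scripts.append(m.group(1).decode("latin-1"))
    return scripts


def extract_indicators(js: str) -> dict:
    """Pull static indicators out of one recovered script."""
    return {
        "urls": sorted(set(URL_RE.findall(js))),
        "apis": [a for a in SUSPICIOUS_APIS if a in js],
        "env_guards": [g for g in ENV_GUARDS if g in js],
        "shellcode_blobs": SHELLCODE_RE.findall(js),
    }


if __name__ == "__main__":
    for script in extract_javascript(build_sample_pdf()):
        print(extract_indicators(script))
```

The guard on `app.viewerVersion` is the point of the sample: a sandbox running a current viewer never enters the `v < 9` branch, so dynamic extraction sees only the benign alert, while the static scan above recovers the URL and shellcode only because the strings are left in the clear. Once the payload is built at run time from obfuscated fragments, neither approach suffices on its own, which is the gap the paper's branch-enforcing rewrite and symbolic execution are designed to close.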