Ming Xu,Lingfei Wu,Shuhui Qi,Jian Xu,Haiping Zhang,Yizhi Ren,Ning Zheng

DOI: https://doi.org/10.1007/s11416-012-0175-y

2013-01-01

Journal of Computer Virology and Hacking Techniques

Abstract:Code obfuscating technique plays a significant role to produce new obfuscated malicious programs, generally called malware variants, from previously encountered malwares. However, the traditional signature-based malware detecting method is hard to recognize the up-to-the-minute obfuscated malwares. This paper proposes a method to identify the malware variants based on the function-call graph. Firstly, the function-call graphs were created from the disassembled codes of program; then the caller–callee relationships of functions and the operational code (opcode) information about functions, combining the graph coloring techniques were used to measure the similarity metric between two function-call graphs; at last, the similarity metric was utilized to identify the malware variants from known malwares. The experimental results show that the proposed method is able to identify the obfuscated malicious softwares effectively.

Jing Liu,Yongjun Wang,Peidai Xie,Yuan Wang,Zhijian Huang

DOI: https://doi.org/10.1007/978-981-10-0281-6_5

2015-01-01

Abstract:Malware is a pervasive problem in computer security. The traditional signature-based detecting method is ineffective to recognize the dramatically increased malware. Researches show that many of the malicious samples are just variations of previously encountered malware. Therefore, it would be preferable to analysis the similarity of malware to determine whether submitted samples are merely variations of existing ones. Static analysis of polymorphic malware variants plays an important role. Function call graph has shown to be an effective feature that represents functionality of malware semantically. In this paper we propose a novel algorithm by comparing the function call graph based on similarity flooding algorithm to analyze the similarity of malware. Similarity between malware can be determined by graph matching method. The evaluation shows that our algorithm is highly effective in terms of accuracy and computational complexity.

Jing Liu,Yongjun Wang,Peidai Xie,Xingkong Ma

DOI: https://doi.org/10.1007/978-981-10-3023-9_9

2017-01-01

Abstract:Nowadays, the dramatically increased malware causes severe challenges to computer security. Most emerging instances are variants of previously encountered malware through polymorphism and metamorphism techniques. The traditional signature-based detecting methods are ineffective to recognize the enormous variants. Malware similarity analysis has become the mainstream technique of identifying variants. However, most existing methods are either hard to handle polymorphic and metamorphic samples based on static structure feature, or time consuming and resource intensive by using dynamic behavior feature. In this paper, we propose a novel malware similarity analysis method based on a fine-grained hybrid feature by exploiting the complementary nature of static and dynamic analysis. We integrate dynamic runtime behavior with static function-call graph. The hybrid feature overcomes the limitation of using static and dynamic feature separately and with more accuracy. Furtherly, we use graph edit distance, and inexact graph matching algorithm as metric to measure the distance between malicious instances. We have evaluated our algorithm on real-world dataset and compared with other approach. The experiments demonstrate that our method achieves higher accuracy.

Yao Du,Junfeng Wang,Qi Li

DOI: https://doi.org/10.1109/access.2017.2720160

IF: 3.9

2017-01-01

IEEE Access

Abstract:With the development of code obfuscation and application repackaging technologies, an increasing number of structural information-based methods have been proposed for malware detection. Although, many offer improved detection accuracy via a similarity comparison of specific graphs, they still face limitations in terms of computation time and the need for manual operation. In this paper, we present a new malware detection method that automatically divides a function call graph into community structures. The features of these community structures can then be used to detect malware. Our method reduces the computation time by improving the Girvan–Newman algorithm and using machine learning classification instead of a similarity comparison of subgraphs. To evaluate our method, 5040 malware samples and 8750 benign samples were collected as an experimental data set. The evaluation results show that the detection accuracy of our method is higher than that of three well-known anti-virus software and two previous control flow graph-based methods for many malware families. The runtime performance of our method exhibits a clear improvement over the GN algorithm for community structure generation.

He SUN,Lifa WU,Zheng HONG,Huiying YAN,Yafeng ZHANG

DOI: https://doi.org/10.3969/j.issn.1000-3428.2017.03.027

2017-01-01

Abstract:Extracting a complete and accurate function call graph is the foundation of malware similarity analysis based on function call graph.This paper proposes a malware function call graph extraction method which integrates both dynamic and static analysis methods.It extracts executable path of malicious programs on the basis of static disassembly,and an active discovery strategy of hidden information is used to find out the hidden instructions and function calls in the malware.A dynamic feedback mechanism is used to ensure the information synchronization during the process of static and dynamic analysis.The experimental results show that the proposed method can deal with all kinds of reverse analysis technologies and extract a complete and accurate function call graph from malwares.

白莉莉,庞建民,张一弛,岳峰

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.09.048

2010-01-01

Abstract:Aiming at the problem that malware detection method based on signature can be easily subverted by obfuscation techniques,this paper proposes a detection method based on Critical Application Programming Interface Graph(CAG).By statically extracting nodes with critical API calling from Control Flow Graph(CFG) for each malware,each malicious behavior can be presented by one CAG.A matching algorithm based on CAG is used to determine whether a suspicious executable programming has the same malicious behavior as a malware does.Experimental results show that the method can detect malware variants efficiently with low false negative rate.

Yuxin Ding,Xiaoling Xia,Sheng Chen,Ye Li

DOI: https://doi.org/10.1016/j.cose.2017.10.007

IF: 5.105

2018-01-01

Computers & Security

Abstract:Graph-based malware detection methods must build a behavior graph for each known malware, and they are difficult to apply in practice. To solve this issue, we study how to build a common behavior graph for each malware family. We represent malware behaviors as dependency graphs. To find the dependency relations between system calls, we use a dynamic taint analysis technique to mark the system call parameters with taint tags, and we then build the system call dependency graph by tracing the propagation of the taint data. Based on the dependency graphs of malware samples, we propose an algorithm to extract the common behavior graph, which is used to represent the behavioral features of a malware family. Finally, a graph matching algorithm that is based on the maximum weight subgraph is used to detect malicious code. The experimental results show that the proposed method has a high detection rate and a low false positive rate and can detect malware variants.

zhiyin liang,tao wei,yu zong chen,xinhui han,jianwei zhuge,wanhong zou

2007-01-01

Abstract:In recent years with the popularity of source code sharing, the number of types of malware increases sharply; furthermore, malwares are also getting more and more sophisticated. These developments together propose a tremendous challenge to traditional ways of analyzing malware. One way to handle such challenge is to develop tools to automate the analyzing task, and in this paper we describe one such method for static analysis of malware. Inspired by the observation that a malicious executable usually consists of several components, each performing certain tasks, and that these components are often reused by others, our method employs techniques from reverse engineering and data clustering to component decomposing of an executable. For each component obtained, we then match it against a library of known malware components to identify it. For malicious programs, we further utilize the match result to classify them. We have built a prototype system called CompSim, and have applied it to analyze bot-like malicious executables. Initial results show that our approach has outperformed classical signature-based detection method in terms of false negative rate. Furthermore, comparing to dynamic analysis methods and model checking methods, our static method has the advantage of larger analytical coverage.

Renjie Lu

DOI: https://doi.org/10.48550/arXiv.1906.04632

2019-06-10

Abstract:Recently, with the booming development of software industry, more and more malware variants are designed to perform malicious behaviors. The evolution of malware makes it difficult to detect using traditional signature-based methods. Moreover, malware detection has important effect on system security. In this paper, we present SCGDet, which is a novel malware detection method based on system call graph model (SCGM). We first develop a system call pruning method, which can exclude system calls that have little impact on malware detection. Then we propose the SCGM, which can capture the semantic features of run-time program by grouping the system calls based on the reachability relation. We aim to obtain the generic representation of malicious behaviors with similar system call patterns. We evaluate the performance of SCGDet using different machine learning algorithms on the dataset including 854 malware samples and 740 benign samples. Compared with the traditional n-gram method, the SCGDet has the smaller feature space, the higher detection accuracy and the lower false positives. Experimental results show that SCGDet can reduce the average FPR of 14.75% and improve the average Accuracy of 8.887%, and can obtain a TPR of 97.44%, an FPR of 1.96% and an Accuracy of 97.78% in the best case.

Cryptography and Security

Rajvardhan Patil,Wei Deng

DOI: https://doi.org/10.1109/southeastcon44009.2020.9368268

2020-01-01

Abstract:In this era, where the volume and diversity of malware is rising exponentially, new techniques need to be employed for faster and accurate identification of the malwares. Manual heuristic inspection of malware analysis are neither effective in detecting new malware, nor efficient as they fail to keep up with the high spreading rate of malware. Machine learning approaches have therefore gained momentum. They have been used to automate static and dynamic analysis investigation where malware having similar behavior are clustered together, and based on the proximity unknown malwares get classified to their respective families. Although many such research efforts have been conducted where data-mining and machine-learning techniques have been applied, in this paper we show how the accuracy can further be improved using deep learning networks. As deep learning offers superior classification by constructing neural networks with a higher number of potentially diverse layers it leads to improvement in automatic detection and classification of the malware variants.In this research, we present a framework which extracts various feature-sets such as system calls, operational codes, sections, and byte codes from the malware files. In the experimental and result section, we compare the accuracy obtained from each of these features and demonstrate that feature vector for system calls yields the highest accuracy. The paper concludes by showing how deep learning approach performs better than the traditional shallow machine learning approaches.

Wei Deng,Qiao Liu,Hongrong Cheng,Zhiguang Qin

2011-01-01

Journal of Computational Information Systems

Abstract:Malware has been posing a major threat for computer systems. The huge amount and diversity of its variants, such as computer viruses, Internet worms and Trojan horses, render classic security defenses ineffective. For the existence of active adversaries which constantly attempt to evade anti-malware, traditional signature-based approaches fail to detect malware which is new or obfuscated. This paper presents a general malware detection framework based on Kolmogorov complexity. As an example, we use a statistical data compression model which is Dynamic Markov Compression (DMC) to classify a code instance either as a "malware" or "benign" code instance. Our preliminary results are very promising. Our experimental results also demonstrate the framework can effectively detect unknown and obfuscated malware with high quality. © 2005 by Binary Information Press.

Zongqu Zhao,Junfeng Wang,Chonggang Wang

DOI: https://doi.org/10.1002/sec.524

IF: 1.968

2012-02-28

Security and Communication Networks

Abstract:The traditional malware detection schemes based on specific signature give an unsatisfactory performance as disposing the previously unknown malware, so the general features of binary files should be explored to solve this problem. Recently, classification algorithms were employed successfully to choose the features in unknown malicious code, and most of the works use byte or operation code sequence n‐gram representation of the executables. However, these n‐gram representations are heavily dependent on the training data. In this paper, we present a graph‐based method to detect unknown malware. The function call graph of an executable, which includes the functions and the call relations between them, is selected as the representation of the executable in this method. The features are defined according to both the statistical information and the topology of the function call graph. They are extracted and processed through machine learning to classify unknown Portable Executable files. For the sake of fixed sum of the features, the graph‐based method can avoid so many features found in other methods. In our experiments, three types of malware datasets were tested, and as high as 96.8% accuracy can be achieved. Furthermore, it can achieve 92.1% accuracy when only 5% of the dataset is served as training set. Copyright © 2012 John Wiley & Sons, Ltd. To detect the unknown malware, the features of graph‐based method are predefined from function call graph of software, and then the rules are built with these features to classify an executable as the benign or the malware. The quantity and the contents of these features are independent of testing dataset, and this peculiarity enables our experiment results to nearly reflect the situation of unknown malware detection. The design can provide a high malware detection accuracy by using a small set of training set.

computer science, information systems,telecommunications

Joris Kinable,Orestis Kostakis

DOI: https://doi.org/10.48550/arXiv.1008.4365

2010-08-26

Abstract:Each day, anti-virus companies receive tens of thousands samples of potentially harmful executables. Many of the malicious samples are variations of previously encountered malware, created by their authors to evade pattern-based detection. Dealing with these large amounts of data requires robust, automatic detection approaches. This paper studies malware classification based on call graph clustering. By representing malware samples as call graphs, it is possible to abstract certain variations away, and enable the detection of structural similarities between samples. The ability to cluster similar samples together will make more generic detection techniques possible, thereby targeting the commonalities of the samples within a cluster. To compare call graphs mutually, we compute pairwise graph similarity scores via graph matchings which approximately minimize the graph edit distance. Next, to facilitate the discovery of similar malware samples, we employ several clustering algorithms, including k-medoids and DBSCAN. Clustering experiments are conducted on a collection of real malware samples, and the results are evaluated against manual classifications provided by human malware analysts. Experiments show that it is indeed possible to accurately detect malware families via call graph clustering. We anticipate that in the future, call graphs can be used to analyse the emergence of new malware families, and ultimately to automate implementation of generic detection schemes.

Cryptography and Security

Reza Mirzazadeh,Mohammad Hossein Moattar,Majid Vafaei Jahan

DOI: https://doi.org/10.48550/arXiv.1811.04304

2018-11-11

Abstract:The most common malware detection approaches which are based on signature matching and are not sufficient for metamorphic malware detection, since virus kits and metamorphic engines can produce variants with no resemblance to one another. Metamorphism provides an efficient way for eluding malware detection software kits. Code obfuscation methods like dead-code insertion are also widely used in metamorphic malware. In order to address the problem of detecting mutated generations, we propose a method based on Opcode Graph Similarity (OGS). OGS tries to detect metamorphic malware using the similarity of opcode graphs. In this method, all nodes and edges have a respective effect on classification, but in the proposed method, edges of graphs are pruned using Linear Discriminant Analysis (LDA). LDA is based on the concept of searching for a linear combination of predictors that best separates two or more classes. Most distinctive edges are identified with LDA and the rest of edges are removed. The metamorphic malware families considered here are NGVCK and metamorphic worms that we denote these worms as MWOR. The results show that our approach is capable of classifying metamorphosed instances with no or minimum false alarms. Also, our proposed method can detect NGVCK and MWOR with high accuracy rate.

Cryptography and Security

Yi-Hsien Chen,Si-Chen Lin,Szu-Chun Huang,Chin-Laung Lei,Chun-Ying Huang

DOI: https://doi.org/10.1109/tifs.2023.3283913

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Malicious binaries have caused data and monetary loss to people, and these binaries keep evolving rapidly nowadays. With tons of new unknown attack binaries, one essential daily task for security analysts and researchers is to analyze and effectively identify malicious parts and report the critical behaviors within the binaries. While manual analysis is slow and ineffective, automated malware report generation is a long-term goal for malware analysts and researchers. This study moves one step toward the goal by identifying essential functions in malicious binaries to accelerate and even automate the analyzing process. We design and implement an expert system based on our proposed graph neural network called MalwareExpert. The system pinpoints the essential functions of an analyzed sample and visualizes the relationships between involved parts. We evaluate our proposed approach using executable binaries in the Windows operating system. The evaluation results show that our approach has a competitive detection performance (97.3% accuracy and 96.5% recall rate) compared to existing malware detection models. Moreover, it gives an intuitive and easy-to-understand explanation of the model predictions by visualizing and correlating essential functions. We compare the identified essential functions reported by our system against several expert-made malware analysis reports from multiple sources. Our qualitative and quantitative analyses show that the pinpointed functions indicate accurate directions. In the best case, the top 2% of functions reported from the system can cover all expert-annotated functions in three steps. We believe that the MalwareExpert system has shed light on automated program behavior analysis.

computer science, theory & methods,engineering, electrical & electronic

Chenzhong Yin,Hantang Zhang,Mingxi Cheng,Xiongye Xiao,Xinghe Chen,Xin Ren,Paul Bogdan

2023-12-20

Abstract:Malware represents a significant security concern in today's digital landscape, as it can destroy or disable operating systems, steal sensitive user information, and occupy valuable disk space. However, current malware detection methods, such as static-based and dynamic-based approaches, struggle to identify newly developed (``zero-day") malware and are limited by customized virtual machine (VM) environments. To overcome these limitations, we propose a novel malware detection approach that leverages deep learning, mathematical techniques, and network science. Our approach focuses on static and dynamic analysis and utilizes the Low-Level Virtual Machine (LLVM) to profile applications within a complex network. The generated network topologies are input into the GraphSAGE architecture to efficiently distinguish between benign and malicious software applications, with the operation names denoted as node features. Importantly, the GraphSAGE models analyze the network's topological geometry to make predictions, enabling them to detect state-of-the-art malware and prevent potential damage during execution in a VM. To evaluate our approach, we conduct a study on a dataset comprising source code from 24,376 applications, specifically written in C/C++, sourced directly from widely-recognized malware and various types of benign software. The results show a high detection performance with an Area Under the Receiver Operating Characteristic Curve (AUROC) of 99.85%. Our approach marks a substantial improvement in malware detection, providing a notably more accurate and efficient solution when compared to current state-of-the-art malware detection methods.

Cryptography and Security,Artificial Intelligence,Machine Learning

Joseph Sexton,Curtis Storlie,Blake Anderson

DOI: https://doi.org/10.1007/s11416-015-0258-7

2015-12-21

Journal of Computer Virology and Hacking Techniques

Abstract:Statistical detection of mass malware has been shown to be highly successful. However, this type of malware is less interesting to cyber security officers of larger organizations, who are more concerned with detecting malware indicative of a targeted attack. Here we investigate the potential of statistically based approaches to detect such malware using a malware family associated with a large number of targeted network intrusions. Our approach is complementary to the bulk of statistical based malware classifiers, which are typically based on measures of overall similarity between executable files. One problem with this approach is that a malicious executable that shares some, but limited, functionality with known malware is likely to be misclassified as benign. Here a new approach to malware classification is introduced that classifies programs based on their similarity with known malware subroutines. It is illustrated that malware and benign programs can share a substantial amount of code, implying that classification should be based on malicious subroutines that occur infrequently, or not at all in benign programs. Various approaches to accomplishing this task are investigated, and a particularly simple approach appears the most effective. This approach simply computes the fraction of subroutines of a program that are similar to malware subroutines whose likes have not been found in a larger benign set. If this fraction exceeds around 1.5 %, the corresponding program can be classified as malicious at a 1 in 1000 false alarm rate. It is further shown that combining a local and overall similarity based approach can lead to considerably better prediction due to the relatively low correlation of their predictions.

Ding Yuxin,Yuan Xuebing,Zhou Di,Dong Li,An Zhanchao

DOI: https://doi.org/10.1016/j.cose.2011.05.007

IF: 5.105

2011-01-01

Computers & Security

Abstract:Currently almost all static methods for detecting malicious code are signature-based, this leads the result that viruses can easily escape detection by simple mechanisms such as code obfuscation. In this paper, a behavior-based detection approach is proposed to address this problem. The behaviors of interest are defined as static system call sequences. Unlike the traditional approach, which derives system call sequences by running executables (i.e., dynamic system call sequences), this approach statically analyzes binary code to derive system call sequences. In this paper, a method for deriving static system call sequences is presented, and two automatic feature-selection methods based on n-grams are proposed. We use machine-learning methods, including the K-nearest neighbor, Support Vector Machine, and decision tree methods to classify executables. The proposed approach is compared with the dynamic detection approach using dynamic system call sequences. The experimental results show that the proposed approach has higher accuracy and a lower false positive rate than the dynamic detection approach.

GAO Ying,CHEN Yi-yun,HUA Bao-jian

2008-01-01

Abstract:Nowadays, code obfuscation plays a more and more role in writing variations for malware. Unfortunately, the obfuscated variation invalidates the text-based malware detector. This paper proposes a semantics-based framework of malware detection for detecting whether a program is a variation of the malware. For that purpose, both of symbolic states are collected by symbolic execution, and then prove the semantics is satisfied with the definition of variation relationship. This framework can detect whether the malware is the variation of its obfuscated program, which will largely reduce the updating of virus definition database. Finally, the prototype which implements the framework shows the feasibility of the semantics-based framework of malware detection.

Peng Wu,Junfeng Wang,Bin Tian

DOI: https://doi.org/10.1109/access.2018.2803738

IF: 3.9

2018-01-01

IEEE Access

Abstract:Software homology plays an important role in intellectual property protection, malware analysis, and network attack traceback. Among many methods proposed by researchers, the structure-based method has been proved to have better detection and anti-obfuscation capabilities, but it is inefficiency on space-time complexity and difficult to be applied to large-scale software homology analysis. In this paper, we propose a parallel method to extract function call graph from source codes, and a new software structure information comparison algorithm. The approach transforms function call graph into the corresponding motifs as the features of the software, and calculates homology score by the algorithm which is quick and accurate for large-scale software based on software motifs. According to experiments on large-scale source codes, binary executable files and obfuscated software, the accuracy of homology detection is 90.00% for non-obfuscated software and 80.00% for obfuscated software.