Large-scale malware indexing using function-call graphs

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2009, Pages 611-620

  Hu, Xin ^a   Chiueh, Tzi Cker ^b   Shin, Kang G ^a  

^a UNIVERSITY OF MICHIGAN   (United States)

^b STONY BROOK UNIVERSITY   (United States)

Author keywords

Graph similarity; Malware indexing; Multi resolution indexing

Indexed keywords

ANTI VIRUS; CALL GRAPHS; COMPREHENSIVE PERFORMANCE; DATA-BASE MANAGEMENT SYSTEMS; EARLY PRUNING; EFFICIENT METHOD; FEATURE VECTORS; GRAPH DATABASE; GRAPH SIMILARITY; INDEXING SCHEME; INSTRUCTION-LEVEL; MALWARES; MULTI-RESOLUTIONS; NEAREST NEIGHBOR SEARCH; POSSIBLE SOLUTIONS; SPEED-UPS; STRUCTURAL REPRESENTATION; SYMANTEC;

DATABASE SYSTEMS; IMAGE RETRIEVAL; INDEXING (OF INFORMATION); MANAGEMENT INFORMATION SYSTEMS; NETWORK SECURITY; VIRUSES; XML;

COMPUTER CRIME;

EID: 74049142314     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1653662.1653736     Document Type: Conference Paper

References (39)

1. Armadillo. http://www.siliconrealms.com/armadillo.htm, 2008.
2. Peid 0.95. http://www.peid.info/, 2008.
3. Trid v2.02. http://mark0.net/soft-trid-e.html, 2008.
4. M. Bailey, J. Oberheide, J. Andersen, Z. M. Mao, F. Jahanian, and J. Nazario. Automated classification and analysis of internet malware. In RAID, pages 178-197, 2007.
5. U. Bayer, P. Milani Comparetti, C. Hlauscheck, C. Kruegel, and E. Kirda. Scalable, Behavior-Based Malware Clustering. In 16th Symposium on Network and Distributed System Security, 2009.
6. T. Bozkaya and M. Ozsoyoglu. Distance-based indexing for high-dimensional metric spaces. In In Proc. ACM SIGMOD International Conference on Management of Data, 1997.
7. I. Briones and A. Gomez. Graphs, entropy and grid computing: Automatic comparison of malware. In Proceedings of the 2004 Virus Bulletin Conference, 2004.
8. E. Carrera and G. Erdelyi. Digital genome mapping a̧ł advanced binary malware analysis. In Proceedings of the 2004 Virus Bulletin Conference, 2004.
9. T.-c. Chiueh. Content-based image indexing. In VLDB '94: Proceedings of the 20th International Conference on Very Large Data Bases, pages 582-593, 1994.
10. S. Das, A. Mistry, D. Negoescu, G. Reed, and S. K. Singh. A graph matching problem. Techical report, IPAM Research in Industrial Projects for Students (RIPS), 2008.
11. M. R. Garey and D. S. Johnson. Computers and Intractability : A Guide to the Theory of NP-Completeness. W. H. Freeman, 1979.
12. F. Guo, P. Ferrie, and T.-C. Chiueh. A study of the packer problem and its solutions. In RAID '08, pages 98-115, 2008.
13. L. C. Harris and B. P. Miller. Practical analysis of stripped binary code. SIGARCH Comput. Archit. News, 33(5):63-68, 2005.
14. H. He and A. K. Singh. Closure-tree: An index structure for graph queries. In ICDE '06: Proceedings of the 22nd International Conference on Data Engineering, page 38, 2006.
15. Hex-rays. The IDA Pro Disassembler and Debugger. http://www.hexrays.com/ idapro/, 2008.
16. X. Hu, T. cker Chiueh, and K. G. Shin. Large-scale malware indexing using function-call graphs (extended). Technical Report, Department of Computer Sicence, University of Michigan, 2009.
17. Ilfak Guilfanov. Fast Library Identification and Recognition Technology. http://www.hex-rays.com/idapro/flirt.htm, 1997.
18. D. Justice. A binary linear programming formulation of the graph edit distance. IEEE Trans. Pattern Anal. Mach. Intell., 28(8):1200-1214, 2006. Fellow-Hero,, Alfred.
19. J. Z. Kolter and M. A. Maloof. Learning to detect and classify malicious executables in the wild. J. Mach. Learn. Res., 7:2721-2744, 2006.
20. C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Polymorphic worm detection using structural information of executables. In In RAID, pages 207-226. Springer-Verlag, 2005.
21. H. W. Kuhn. The hungarian method for the assignment problem. Naval Research Logistics Quarterly, 1955.
22. L. Martignoni, M. Christodorescu, and S. Jha. Omniunpack: Fast, generic, and safe unpacking of malware. In In Proceedings of the Annual Computer Security Applications Conference (ACSAC, 2007.
23. R. Myers, R. C. Wilson, and E. R. Hancock. Bayesian graph edit distance. IEEE Trans. Pattern Anal. Mach. Intell., 22(6), 2000.
24. M. Neuhaus and H. Bunke. An error-tolerant approximate matching algorithm for attributed planar graphs and its application to fingerprint classification. In SSPR/SPR, pages 180-189, 2004.
25. M. Pietrek. An In-Depth Look into the Win32 PE File Format. http://msdn.microsoft.com/en-us/magazine/cc301805.aspx, 2002.
26. J. Raber and E. Laspe. Deobfuscator: An automated approach to the identification and removal of code obfuscation. Reverse Engineering, Working Conference on, 0:275-276, 2007.
27. K. Rieck, T. Holz, C. Willems, P. Düssel, and P. Laskov. Learning and classification of malware behavior. In DIMVA '08, pages 108-125, 2008.
28. K. Riesen, M. Neuhaus, and H. Bunke. Bipartite graph matching for computing the edit distance of graphs. In Graph-Based Representations in Pattern Recognition, volume 4538, 2007.
29. D. Shasha, Jason, and R. Giugno. Algorithmics and applications of tree and graph searching. In Symposium on Principles of Database Systems, pages 39-52, 2002.
30. Symantec Corp. Symantec Global Internet Security Threat Report. Volume XII. http://www.symantec.com/, April 2008.
31. Y. Tian and J. M. Patel. Tale: A tool for approximate large graph matching. In ICDE, pages 963-972, 2008.
32. T.Lee and J.J.Mody. Behavioral classification. http://www.microsoft.com/ downloads/details.aspx?FamilyID=7b5d8cc8-b336-4091-abb5- 2cc500a6c41a&displaylang=en,2006.
33. VMProtect. Vmprotect. http://www.vmprotect.ru/, 2008.
34. X. Yan, P. S. Yu, and J. Han. Substructure similarity search in graph databases. In SIGMOD '05: Proceedings of the 2005 ACM SIGMOD international conference on Management of data, 2005.
35. P. N. Yianilos. Data structures and algorithms for nearest neighbor search in general metric spaces. In SODA: ACM-SIAM Symposium on Discrete Algorithms, 1993.
36. P. Zezula, G. Amato, V. Dohnal, and M. Batko. Similarity Search: The Metric Space Approach. Springer, 2006.
37. P. Zezula, P. Ciaccia, and F. Rabitti. M-tree: A dynamic index for similarity queries in multimedia databases. Technical Report 7, HERMES ESPRIT LTR Project, 1996.
38. K. Zhang and D. Shasha. Simple fast algorithms for the editing distance between trees and related problems. SIAM J. Comput., 18(6):1245-1262, 1989.
39. P. Zhao, J. X. Yu, and P. S. Yu. Graph indexing: tree + delta ≤ graph. In VLDB '07: Proceedings of the 33rd international conference on Very large data bases, pages 938-949, 2007.