A fast flowgraph based classification system for packed and polymorphic malware on the endhost

Proceedings - International Conference on Advanced Information Networking and Applications, AINA

Volumn , Issue , 2010, Pages 721-728

  Cesare, Silvio ^a   Xiang, Yang ^a  

^a CENTRAL QUEENSLAND UNIVERSITY   (Australia)

Author keywords

Emulation; Malware; Network security; Structural classification; Unpacking

Indexed keywords

CLASSIFICATION ,; CLASSIFICATION SYSTEM; CONTROL FLOWS; EMAIL GATEWAY; EMULATION; FLOW GRAPH; FLOW-GRAPHS; GRAPH ISOMORPHISM; MALICIOUS SOFTWARE; MALWARE DETECTION; MALWARES; MATCHING ALGORITHM; NETWORKED SYSTEMS; PERFORMANCE CHARACTERISTICS; POLYMORPHIC VARIANT; QUERY PROGRAMS; STRING MATCHING; STRUCTURAL CLASSIFICATION; TIME USE;

COMPUTER CRIME; GATEWAYS (COMPUTER NETWORKS); GRAPHIC METHODS;

NETWORK SECURITY;

EID: 77954329802     PISSN: 1550445X     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/AINA.2010.121     Document Type: Conference Paper

References (31)

1. K. Griffin, S. Schneider, X. Hu and T. Chiueh, "Automatic generation of string signatures for malware detection," Springer, 2009, pp. 101.
2. J.O. Kephart and W.C. Arnold, "Automatic extraction of computer virus signatures," 1994, pp. 178-184.
3. A.V. Aho and M.J. Corasick, "Efficient string matching: An aid to bibliographic search," Communications of the ACM, vol. 18, no. 6, 1975, pp. 340.
4. E. Carrera and G. Erdélyi, "Digital genome mapping-advanced binary malware analysis," Virus Bulletin Conference, 2004, pp. 187-197.
5. C. Kruegel, E. Kirda, D. Mutz, W. Robertson and G. Vigna, "Polymorphic worm detection using structural information of executables," Lecture notes in computer science, vol. 3858, 2006, pp. 207.
6. P. Royal, M. Halpin, D. Dagon, R. Edmonds and W. Lee, "Polyunpack: Automating the hidden-code extraction of unpack-executing malware," Computer Security Applications Conference, 2006, pp. 289-300.
7. Panda Research, "Mal(ware)formation statistics - panda research blog," 2007; http://research.pandasecurity.com/archive/Mal-2800-ware-2900- formation-statistics.aspx.
8. A. Stepan, "Improving proactive detection of packed malware," Virus Bulletin Conference, 2006.
9. J.Z. Kolter and M.A. Maloof, "Learning to detect malicious executables in the wild," International Conference on Knowledge Discovery and Data Mining, 2004, pp. 470-478.
10. Y. Ye, D. Wang, T. Li and D. Ye, "Imds: Intelligent malware detection system," ACM, 2007, pp. 1047.
11. M.E. Karim, A. Walenstein, A. Lakhotia and L. Parida, "Malware phylogeny generation using permutations of code," Journal in Computer Virology, vol. 1, no. 1, 2005, pp. 13-23.
12. R. Perdisci, A. Lanzi and W. Lee, "Mcboost: Boosting scalability in malware collection and analysis using statistical classification of executables," Proceedings of the 2008 Annual Computer Security Applications Conference, IEEE Computer Society Washington, DC, USA, 2008, pp. 301-310.
13. L. Boehne, "Pandora's bochs: Automatic unpacking of malware," University of Mannheim, 2008.
14. M. Gheorghescu, "An automated virus classification system," Virus Bulletin Conference, 2005, pp. 294-300.
15. T. Dullien and R. Rolles, "Graph-based comparison of executable objects (english version)," SSTIC, 2005.
16. I. Briones and A. Gomez, "Graphs, entropy and grid computing: Automatic comparison of malware," Virus Bulletin Conference, 2008, pp. 1-12.
17. Zynamics, "Vxclass," http://www.zynamics.com/vxclass.html.
18. D. Gao, M.K. Reiter and D. Song, "Binhunt: Automatically finding semantic differences in binary programs," Information and Communications Security, Springer, 2008, pp. 238-255.
19. X. Hu, T. Chiueh and K.G. Shin, "Large-scale malware indexing using function-call graphs," Computer and Communications Security, ACM, pp. 611-620.
20. S. Cesare and Y. Xiang, "Classification of malware using structured control flow," 8th Australasian Symposium on Parallel and Distributed Computing (AusPDC 2010), 2010.
21. G. Bonfante, M. Kaczmarek and J.Y. Marion, "Morphological detection of malware," International Conference on Malicious and Unwanted Software, IEEE, 2008, pp. 1-8.
22. R. Lyda and J. Hamrock, "Using entropy analysis to find encrypted and packed malware," IEEE Security and Privacy, vol. 5, no. 2, 2007, pp. 40.
23. C. Kruegel, W. Robertson, F. Valeur and G. Vigna, "Static disassembly of obfuscated binaries," USENIX Security Symposium, 2004, pp. 18-18.
24. G. Salton and M.J. McGill, Introduction to modern information retrieval, McGraw-Hill New York, 1983.
25. N.Y. Peter, "Data structures and algorithms for nearest neighbor search in general metric spaces," Proceedings of the fourth annual ACM-SIAM Symposium on Discrete algorithms, Society for Industrial and Applied Mathematics, 1993, pp. 311-321.
26. "Offensive computing," 2009; http://www.offensivecomputing.net.
27. "Mwcollect alliance," 2009; http://alliance.mwcollect.org.
28. R.N. Horspool and N. Marovac, "An approach to the problem of detranslation of computer programs," The Computer Journal, vol. 23, no. 3, 1979, pp. 223-229.
29. L. Martignoni, M. Christodorescu and S. Jha, "Omniunpack: Fast, generic, and safe unpacking of malware," Proceedings of the Annual Computer Security Applications Conference (ACSAC), 2007, pp. 431-441.
30. M. Sharif, A. Lanzi, J. Giffin and W. Lee, Rotalume: A tool for automatic reverse engineering of malware emulators, 2009.
31. R. Rolles, "Unpacking virtualization obfuscators," USENIX Workshop on Offensive Technologies (WOOT), 2009.