Malware variant detection using similarity search over sets of control flow graphs

Proc. 10th IEEE Int. Conf. on Trust, Security and Privacy in Computing and Communications, TrustCom 2011, 8th IEEE Int. Conf. on Embedded Software and Systems, ICESS 2011, 6th Int. Conf. on FCST 2011

Volumn , Issue , 2011, Pages 181-189

  Cesare, Silvio ^a   Xiang, Yang ^a  

^a DEAKIN UNIVERSITY   (Australia)

Author keywords

computer security; control flow; decompilation; malware classification; static analysi; structuring

Indexed keywords

CONTROL FLOW; DECOMPILATION; MALWARES; STATIC ANALYSI; STRUCTURING;

COMPUTER CRIME; EMBEDDED SOFTWARE; EMBEDDED SYSTEMS; GRAPHIC METHODS; NETWORK SECURITY; SECURITY OF DATA;

COMPUTER CONTROL SYSTEMS;

EID: 84856189723     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/TrustCom.2011.26     Document Type: Conference Paper

References (39)

1. Symantec, "Symantec internet security threat report: Volume XII," Symantec2008.
2. F-Secure. (2007, 19 August 2009). F-Secure Reports Amount of Malware Grew by 100% during 2007. Available: http://www.fsecure.com/en-EMEA/aboutus/ pressroom/news/2007/fs-news-20071204-1-eng.html
3. K. Griffin, et al., "Automatic Generation of String Signatures for Malware Detection," in Recent Advances in Intrusion Detection: 12th International Symposium, RAID 2009, Saint-Malo, France, 2009.
4. J. O. Kephart and W. C. Arnold, "Automatic extraction of computer virus signatures," in 4th Virus Bulletin International Conference, 1994, pp. 178-184.
5. A. V. Aho and M. J. Corasick, "Efficient string matching: an aid to bibliographic search," Communications of the ACM, vol. 18, p. 340, 1975.
6. E. Carrera and G. Erdélyi, "Digital genome mapping-advanced binary malware analysis," in Virus Bulletin Conference, 2004, pp. 187-197.
7. C. Kruegel, et al., "Polymorphic worm detection using structural information of executables," Lecture notes in computer science, vol. 3858, p. 207, 2006.
8. M. Christodorescu, et al., "Malware normalization," University of Wisconsin, Madison, Wisconsin, USA Technical Report #1539, 2005.
9. W. Andrew, et al., "Normalizing Metamorphic Malware Using Term Rewriting," presented at the Proceedings of the Sixth IEEE International Workshop on Source Code Analysis and Manipulation, 2006.
10. D. Bilar, "Opcodes as predictor for malware," International Journal of Electronic Security and Digital Forensics, vol. 1, pp. 156-168, 2007.
11. M. E. Karim, et al., "Malware phylogeny generation using permutations of code," Journal in Computer Virology, vol. 1, pp. 13-23, 2005.
12. R. Perdisci, et al., "McBoost: Boosting Scalability in Malware Collection and Analysis Using Statistical Classification of Executables," in Proceedings of the 2008 Annual Computer Security Applications Conference, 2008, pp. 301-310.
13. J. Z. Kolter and M. A. Maloof, "Learning to detect malicious executables in the wild," in International Conference on Knowledge Discovery and Data Mining, 2004, pp. 470-478.
14. M. Gheorghescu, "An automated virus classification system," in Virus Bulletin Conference, 2005, pp. 294-300.
15. Y. Ye, et al., "IMDS: intelligent malware detection system," in Proceedings of the 13th ACM SIGKDD international conference on Knowledge discovery and data mining, 2007.
16. L. Boehne, "Pandora's Bochs: Automatic Unpacking of Malware," University of Mannheim, 2008.
17. M. Christodorescu, et al., "Semantics-aware malware detection," in Proceedings of the 2005 IEEE Symposium on Security and Privacy (S&P 2005), Oakland, California, USA, 2005.
18. M. Christodorescu and S. Jha, "Static analysis of executables to detect malicious patterns," presented at the Proceedings of the 12th USENIX Security Symposium, 2003.
19. F. Leder, et al., "Classification and Detection of Metamorphic Malware using Value Set Analysis," in Proc. of 4th International Conference on Malicious and Unwanted Software (Malware 2009), Montreal, Canada, 2009.
20. I. Briones and A. Gomez, "Graphs, Entropy and Grid Computing: Automatic Comparison of Malware," in Virus Bulletin Conference, 2008, pp. 1-12.
21. X. Hu, et al., "Large-Scale Malware Indexing Using Function- Call Graphs," in Computer and Communications Security, Chicago, Illinois, USA, pp. 611-620.
22. T. Dullien and R. Rolles, "Graph-based comparison of Executable Objects (English Version)," in SSTIC, 2005.
23. R. T. Gerald and A. F. Lori, "Polymorphic malware detection and identification via context-free grammar homomorphism," Bell Labs Technical Journal, vol. 12, pp. 139-147, 2007.
24. S. Cesare and Y. Xiang, "A Fast Flowgraph Based Classification System for Packed and Polymorphic Malware on the Endhost," in IEEE 24th International Conference on Advanced Information Networking and Application (AINA 2010), 2010.
25. S. Cesare and Y. Xiang, "Classification of Malware Using Structured Control Flow," in 8th Australasian Symposium on Parallel and Distributed Computing (AusPDC 2010), 2010.
26. G. Bonfante, et al., "Morphological Detection of Malware," in International Conference on Malicious and Unwanted Software, IEEE, Alexendria VA, USA, 2008, pp. 1-8.
27. H. Tamada, et al., "Dynamic software birthmarks to detect the theft of windows applications," 2004.
28. N. Y. Peter, "Data structures and algorithms for nearest neighbor search in general metric spaces," in Proceedings of the fourth annual ACM-SIAM Symposium on Discrete algorithms, Austin, Texas, United States, 1993, pp. 311-321.
29. M. R. Vieira, et al., "DBM-Tree: A Dynamic Metric Access Method Sensitive to Local Density Data.," in Brazilian Symposium on Databases, Brazil, 2004, pp. 163-177.
30. P. Royal, et al., "Polyunpack: Automating the hidden-code extraction of unpack-executing malware," in Computer Security Applications Conference, 2006, pp. 289-300.
31. C. Kruegel, et al., "Static disassembly of obfuscated binaries," in USENIX Security Symposium, 2004, pp. 18-18.
32. C. Cifuentes, "Reverse compilation techniques," Queensland University of Technology, 1994.
33. T. Junttila and P. Kaski, "Engineering an efficient canonical labeling tool for large and sparse graphs," in Ninth Workshop on Algorithm Engineering and Experiments, SIAM, 2007.
34. (2010, 26 March 2010). GDBI Arboretum. Available: http://gbdi.icmc.usp. br/arboretum
35. S. Brecheisen, "Efficient and Effective Similarity Search on Complex Objects," Ludwig-Maximilians-Universität München, 2007.
36. H. Kuhn, W., "The hungarian method for the assignment problem," Naval Research Logistics Quarterly, 1955.
37. (2009, 21 September 2009). mwcollect Alliance. Available: http://alliance.mwcollect.org
38. (2010, 26 March 2010). Cygwin. Available: http://www.cygwin.com
39. (2009, 21 September 2009). Offensive Computing. Available: http://www.offensivecomputing.net