Article

Malware Variant Detection Using Similarity Search over Sets of Control Flow Graphs

Authors:

TRUSTCOM '11: Proceedings of the 2011IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications

Pages 181 - 189

https://doi.org/10.1109/TrustCom.2011.26

Published: 16 November 2011 Publication History

Abstract

Static detection of polymorphic malware variants plays an important role to improve system security. Control flow has shown to be an effective characteristic that represents polymorphic malware instances. In our research, we propose a similarity search of malware using novel distance metrics of malware signatures. We describe a malware signature by the set of control flow graphs the malware contains. We propose two approaches and use the first to perform pre-filtering. Firstly, we use a distance metric based on the distance between feature vectors. The feature vector is a decomposition of the set of graphs into either fixed size k-sub graphs, or q-gram strings of the high-level source after decompilation. We also propose a more effective but less computationally efficient distance metric based on the minimum matching distance. The minimum matching distance uses the string edit distances between programs' decompiled flow graphs, and the linear sum assignment problem to construct a minimum sum weight matching between two sets of graphs. We implement the distance metrics in a complete malware variant detection system. The evaluation shows that our approach is highly effective in terms of a limited false positive rate and our system detects more malware variants when compared to the detection rates of other algorithms.

Cited By

View all

Muralidharan TNissim N(2023)Improving malicious email detection through novel designated deep-learning architectures utilizing entire emailNeural Networks10.1016/j.neunet.2022.09.002157:C(257-279)Online publication date: 1-Jan-2023
https://dl.acm.org/doi/10.1016/j.neunet.2022.09.002
Fortino GGreco CGuzzo AIanni M(2023)SigIL: A Signature-Based Approach of Malware Detection on Intermediate LanguageComputer Security. ESORICS 2023 International Workshops10.1007/978-3-031-54129-2_15(256-266)Online publication date: 25-Sep-2023
https://dl.acm.org/doi/10.1007/978-3-031-54129-2_15
Nair ARoy AMeinke K(2020)funcGNNProceedings of the 14th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)10.1145/3382494.3410675(1-11)Online publication date: 5-Oct-2020
https://dl.acm.org/doi/10.1145/3382494.3410675
Show More Cited By

Recommendations

Opcode sequences as representation of executables for data-mining-based unknown malware detection

Malware can be defined as any type of malicious code that has the potential to harm a computer or network. The volume of malware is growing faster every year and poses a serious global security threat. Consequently, malware detection has become a ...
A novel malware analysis for malware detection and classification using machine learning algorithms
SIN '17: Proceedings of the 10th International Conference on Security of Information and Networks

Nowadays, Malware has become a serious threat to the digitization of the world due to the emergence of various new and complex malware every day. Due to this, the traditional signature-based methods for detection of malware effectively becomes an ...
Malware Function Classification Using APIs in Initial Behavior
ASIAJCIS '15: Proceedings of the 2015 10th Asia Joint Conference on Information Security

Malware proliferation has become a serious threat to the Internet in recent years. Most of the current malware are subspecies of existing malware that have been automatically generated by illegal tools. To conduct an efficient analysis of malware, ...

Comments

Information & Contributors

Information

Published In

TRUSTCOM '11: Proceedings of the 2011IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications

November 2011

1807 pages

ISBN:9780769546001

Publisher

IEEE Computer Society

United States

Publication History

Published: 16 November 2011

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

12
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 27 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Muralidharan TNissim N(2023)Improving malicious email detection through novel designated deep-learning architectures utilizing entire emailNeural Networks10.1016/j.neunet.2022.09.002157:C(257-279)Online publication date: 1-Jan-2023
https://dl.acm.org/doi/10.1016/j.neunet.2022.09.002
Fortino GGreco CGuzzo AIanni M(2023)SigIL: A Signature-Based Approach of Malware Detection on Intermediate LanguageComputer Security. ESORICS 2023 International Workshops10.1007/978-3-031-54129-2_15(256-266)Online publication date: 25-Sep-2023
https://dl.acm.org/doi/10.1007/978-3-031-54129-2_15
Nair ARoy AMeinke K(2020)funcGNNProceedings of the 14th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)10.1145/3382494.3410675(1-11)Online publication date: 5-Oct-2020
https://dl.acm.org/doi/10.1145/3382494.3410675
Alam SHorspool RTraore ISogukpinar I(2015)A framework for metamorphic malware analysis and real-time detectionComputers and Security10.1016/j.cose.2014.10.01148:C(212-233)Online publication date: 1-Feb-2015
https://dl.acm.org/doi/10.1016/j.cose.2014.10.011
Narouei MAhmadi MGiacinto GTakabi HSami A(2015)DLLMinerSecurity and Communication Networks10.1002/sec.12558:18(3311-3322)Online publication date: 1-Dec-2015
https://dl.acm.org/doi/10.1002/sec.1255
Edler von Koch TFranke BBhandarkar PDasgupta A(2014)Exploiting function similarity for code size reductionACM SIGPLAN Notices10.1145/2666357.259781149:5(85-94)Online publication date: 12-Jun-2014
https://dl.acm.org/doi/10.1145/2666357.2597811
Edler von Koch TFranke BBhandarkar PDasgupta AZhang YKulkarni P(2014)Exploiting function similarity for code size reductionProceedings of the 2014 SIGPLAN/SIGBED conference on Languages, compilers and tools for embedded systems10.1145/2597809.2597811(85-94)Online publication date: 12-Jun-2014
https://dl.acm.org/doi/10.1145/2597809.2597811
Eskandari MRaesi H(2014)Frequent sub-graph mining for intelligent malware detectionSecurity and Communication Networks10.1002/sec.9027:11(1872-1886)Online publication date: 1-Nov-2014
https://dl.acm.org/doi/10.1002/sec.902
Alam SHorspool RTraore IElçi AGaur MOrgun MMakarevich O(2013)MAIL: Malware Analysis Intermediate LanguageProceedings of the 6th International Conference on Security of Information and Networks10.1145/2523514.2527006(233-240)Online publication date: 26-Nov-2013
https://dl.acm.org/doi/10.1145/2523514.2527006
Gascon HYamaguchi FArp DRieck KSadeghi ANelson BDimitrakakis CShi E(2013)Structural detection of android malware using embedded call graphsProceedings of the 2013 ACM workshop on Artificial intelligence and security10.1145/2517312.2517315(45-54)Online publication date: 4-Nov-2013
https://dl.acm.org/doi/10.1145/2517312.2517315
Show More Cited By

Abstract

Cited By

Recommendations

Opcode sequences as representation of executables for data-mining-based unknown malware detection

A novel malware analysis for malware detection and classification using machine learning algorithms

Malware Function Classification Using APIs in Initial Behavior

Comments

Information

Published In

Publisher

Publication History

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Share

Share this Publication link

Share on social media

Affiliations