DOI: 10.1145/1774088.1774505

Detecting metamorphic malwares using code graphs

Published: 22 March 2010

Abstract

Malware writers and malware detectors have been locked in an endless battle. Self-defense is the weapon most malware writers prepare against detectors: they try to evade the improving detection techniques of anti-virus (AV) products, and packing and code obfuscation are two popular evasion techniques. Applied to malware, these techniques change its instruction sequence while preserving its intended function. We propose a detection mechanism that defeats these self-defense techniques to improve malware detection. Since obfuscated malware changes the syntax of its code while preserving its semantics, the proposed mechanism relies on a semantic invariant. We convert the API call sequence of the malware into a graph, commonly known as a call graph, to extract the malware's semantics. The call graph is reduced to a code graph, which serves as the semantic signature of the proposed mechanism. We show that the code graph can represent the characteristics of a program exactly and uniquely. We then evaluate the proposed mechanism experimentally. It achieves a 91% detection ratio on real-world malware and detects 300 metamorphic malware samples that evade AV scanners. In this paper, we show how to analyze malware by extracting program semantics with static analysis, and we show that the proposed mechanism offers a high probability of detecting malware even when it attempts self-protection.
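The pipeline the abstract describes (API call sequence to call graph, call graph reduced to a code graph, code graph used as a semantic signature) can be illustrated with a small Python sketch. This is an added example, not the authors' implementation: the paper's exact reduction rule and similarity measure are not given on this page, so the API-to-class table, the Jaccard edge-set similarity, the call-syntax regex and the three pseudo-disassembly listings below are all constructed assumptions made for this example.

```python
"""Toy code-graph matching for metamorphic variants.

Added example, not the paper's code: it sketches the pipeline the abstract
describes (API call sequence -> call graph -> reduced code graph -> match).
The reduction rule, API class table, similarity measure and sample
listings are all assumptions made for this example.
"""
import hashlib
import re
from typing import Dict, FrozenSet, List, Tuple

Edge = Tuple[str, str]

# Constructed pseudo-disassembly of a downloader.  VARIANT keeps the same
# API calls in the same order but adds junk (nop, push/pop, xchg pairs)
# and swaps one instruction for an equivalent (xor eax,eax -> mov eax,0).
ORIGINAL = [
    "push 0", "push 3", "push 0x80000000", "push offset aTarget",
    "call ds:CreateFileA", "mov ebx, eax",
    "push offset buf", "push ebx", "call ds:ReadFile",
    "xor eax, eax", "push ebx", "call ds:CloseHandle",
    "push offset buf", "push offset aUrl", "call ds:URLDownloadToFileA",
    "push 0", "push offset aCmd", "call ds:WinExec",
]
VARIANT = [
    "nop", "push 0", "push ecx", "pop ecx", "push 3", "push 0x80000000",
    "nop", "push offset aTarget", "call ds:CreateFileA",
    "xchg eax, ebx", "xchg eax, ebx", "mov ebx, eax",
    "push offset buf", "push ebx", "call ds:ReadFile",
    "mov eax, 0", "nop", "push ebx", "call ds:CloseHandle",
    "push offset buf", "push offset aUrl", "call ds:URLDownloadToFileA",
    "push 0", "push offset aCmd", "call ds:WinExec",
]
# Constructed benign listing: a file copy with no download or execution.
BENIGN = [
    "push offset aSrc", "call ds:CreateFileA", "mov ebx, eax",
    "push ebx", "call ds:ReadFile",
    "push offset aDst", "call ds:CreateFileA", "mov esi, eax",
    "push esi", "call ds:WriteFile",
    "push ebx", "call ds:CloseHandle", "push esi", "call ds:CloseHandle",
]

# Assumed mapping from API name to a coarse semantic class (reduction step).
API_CLASS: Dict[str, str] = {
    "CreateFileA": "file_open", "ReadFile": "file_read",
    "WriteFile": "file_write", "CloseHandle": "handle_close",
    "URLDownloadToFileA": "net_download", "WinExec": "proc_exec",
}
# Matches "call ds:Name", "call Name" and "call [MODULE!Name]".
CALL_RE = re.compile(r"^call\s+(?:ds:|\[\w+!)?([A-Za-z_]\w*)\]?$")


def syntactic_signature(listing: List[str]) -> str:
    """Hash of the raw mnemonic sequence: what an opcode signature keys on."""
    mnemonics = " ".join(line.split()[0] for line in listing)
    return hashlib.sha256(mnemonics.encode()).hexdigest()


def extract_api_calls(listing: List[str]) -> List[str]:
    """Return the names called via 'call' instructions, in program order."""
    calls = []
    for line in listing:
        m = CALL_RE.match(line.strip())
        if m:
            calls.append(m.group(1))
    return calls


def build_call_graph(api_seq: List[str]) -> FrozenSet[Edge]:
    """Directed edge from each API call to the one that follows it."""
    return frozenset(zip(api_seq, api_seq[1:]))


def reduce_to_code_graph(call_graph: FrozenSet[Edge]) -> FrozenSet[Edge]:
    """Relabel nodes by semantic class and drop the self-loops that creates."""
    reduced = set()
    for src, dst in call_graph:
        a, b = API_CLASS.get(src, "other"), API_CLASS.get(dst, "other")
        if a != b:
            reduced.add((a, b))
    return frozenset(reduced)


def code_graph(listing: List[str]) -> FrozenSet[Edge]:
    return reduce_to_code_graph(build_call_graph(extract_api_calls(listing)))


def jaccard(g1: FrozenSet[Edge], g2: FrozenSet[Edge]) -> float:
    """Edge-set Jaccard similarity; a simple stand-in for a graph distance."""
    if not g1 and not g2:
        return 1.0
    return len(g1 & g2) / len(g1 | g2)


def matches(listing: List[str], signature: FrozenSet[Edge],
            threshold: float = 0.8) -> bool:
    """Flag a sample whose code graph is close enough to a known signature."""
    return jaccard(code_graph(listing), signature) >= threshold


if __name__ == "__main__":
    sig = code_graph(ORIGINAL)
    print("syntactic match:", syntactic_signature(ORIGINAL) == syntactic_signature(VARIANT))
    print("variant vs sig :", round(jaccard(code_graph(VARIANT), sig), 3))
    print("benign  vs sig :", round(jaccard(code_graph(BENIGN), sig), 3))
```

Running the block shows the two syntactic signatures differing while the variant's code graph is identical to the signature (similarity 1.0) and the benign copy utility scores about 0.14. The caveat a practitioner would add: static extraction of API calls presupposes that the imports are resolvable in the binary, so packed samples have to be unpacked first, and calls resolved only at runtime (for example through GetProcAddress) do not appear in a purely static listing.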



Published In

SAC '10: Proceedings of the 2010 ACM Symposium on Applied Computing
March 2010
2712 pages
ISBN:9781605586397
DOI:10.1145/1774088
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. code graph
  2. code obfuscation
  3. metamorphic malware
  4. static analysis

Qualifiers

  • Research-article

Conference

SAC'10
Sponsor:
SAC'10: The 2010 ACM Symposium on Applied Computing
March 22 - 26, 2010
Sierre, Switzerland

Acceptance Rates

SAC '10 Paper Acceptance Rate 364 of 1,353 submissions, 27%;
Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

Article Metrics

  • Downloads (last 12 months): 9
  • Downloads (last 6 weeks): 1
Reflects downloads up to 09 Nov 2024

Cited By

  • (2024) Design and Performance Analysis of an Anti-Malware System Based on Generative Adversarial Network Framework. IEEE Access, 12:27683-27708. doi:10.1109/ACCESS.2024.3358454
  • (2023) Metamorphic Malware and Obfuscation. Security and Communication Networks, 2023. doi:10.1155/2023/8227751. Published 1 Jan 2023
  • (2023) Comparative Study of Prognosis of Malware with PE Headers Based Machine Leaning Techniques. 2023 International Conference on Smart Computing and Application (ICSCA), pages 1-6. doi:10.1109/ICSCA57840.2023.10087532. Published 5 Feb 2023
  • (2022) A Survey of the Recent Trends in Deep Learning Based Malware Detection. Journal of Cybersecurity and Privacy, 2(4):800-829. doi:10.3390/jcp2040041. Published 28 Sep 2022
  • (2022) Software family detection based on behavior analysis. International Conference on Algorithms, Microchips and Network Applications, page 85. doi:10.1117/12.2636594. Published 6 May 2022
  • (2022) DeepWare: Imaging Performance Counters with Deep Learning to Detect Ransomware. IEEE Transactions on Computers, pages 1-1. doi:10.1109/TC.2022.3173149
  • (2021) Malware Intelligence System based on Windows API Dependency Graph. The Journal of Korean Institute of Information Technology, 19(4):125-134. doi:10.14801/jkiit.2021.19.4.125. Published 30 Apr 2021
  • (2021) Accurate and Robust Malware Analysis through Similarity of External Calls Dependency Graphs (ECDG). Proceedings of the 16th International Conference on Availability, Reliability and Security, pages 1-12. doi:10.1145/3465481.3470115. Published 17 Aug 2021
  • (2021) Malicious Code Detection: Run Trace Output Analysis by LSTM. IEEE Access, 9:9625-9635. doi:10.1109/ACCESS.2021.3049200
  • (2021) Effective malware detection scheme based on classified behavior graph in IIoT. Ad Hoc Networks, article 102558. doi:10.1016/j.adhoc.2021.102558. Published May 2021
