Malware writers and detectors have been fighting an endless battle. Self-defense is the principal weapon malware writers deploy against detectors, and they have repeatedly adapted it to evade the improved detection techniques of anti-virus (AV) products. Packing and code obfuscation are two popular evasion techniques: when they are applied to malware, the instruction sequence changes while the intended function is preserved. We propose a detection mechanism that defeats these self-defense techniques in order to improve malware detection. Since obfuscated malware changes the syntax of its code while preserving its semantics, the proposed mechanism relies on a semantic invariant. We convert the API call sequence of the malware into a graph, commonly known as a call graph, to extract the semantics of the malware. The call graph is then reduced to a code graph, which serves as the semantic signature of the proposed mechanism. We show that the code graph represents the characteristics of a program exactly and uniquely. Next, we evaluate the proposed mechanism experimentally. The mechanism achieves a 91% detection ratio on real-world malware and detects 300 metamorphic malware samples that evade AV scanners. In this paper, we show how to analyze malware by extracting program semantics using static analysis. It is shown that the proposed mechanism provides a high probability of detecting malware even when it attempts self-protection.
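The abstract does not spell out how the call graph is reduced to a code graph, so the following is an added illustration written for this page, not the authors' code. It assumes one concrete choice of semantic invariant: an edge is drawn from API call X to API call Y whenever a value X returned (a handle, a buffer pointer, a size) is passed as an argument to Y. Junk API calls and reordering of independent calls, the usual metamorphic tricks, leave that dependency set unchanged, whereas a plain API-sequence signature (bigrams here) breaks. The three traces, the handle tokens and the API names are constructed for the example; `normalize_api`, `code_graph`, `graph_similarity`, `sequence_similarity` and `matches_signature` are names chosen here, and the 0.7 match threshold is an arbitrary assumption.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Set, Tuple

Edge = Tuple[str, str]


@dataclass(frozen=True)
class Call:
    """One API call from a trace: name, argument tokens, returned token (None if no value flows out)."""
    api: str
    args: Tuple[str, ...] = ()
    ret: Optional[str] = None


def normalize_api(name: str) -> str:
    """Fold ANSI/Unicode pairs (CreateFileA / CreateFileW) onto one node label."""
    if len(name) > 1 and name[-1] in "AW" and name[-2].islower():
        return name[:-1]
    return name


def code_graph(trace: Sequence[Call]) -> Tuple[FrozenSet[str], FrozenSet[Edge]]:
    """Build the dependency graph: edge (X, Y) when Y consumes a value produced by an earlier X."""
    nodes: Set[str] = set()
    edges: Set[Edge] = set()
    for j, consumer in enumerate(trace):
        dst = normalize_api(consumer.api)
        nodes.add(dst)
        for producer in trace[:j]:
            if producer.ret is not None and producer.ret in consumer.args:
                edges.add((normalize_api(producer.api), dst))
    return frozenset(nodes), frozenset(edges)


def jaccard(a: FrozenSet, b: FrozenSet) -> float:
    union = a | b
    return 1.0 if not union else len(a & b) / len(union)


def graph_similarity(t1: Sequence[Call], t2: Sequence[Call]) -> float:
    """Similarity of the dependency edge sets (the semantic signature)."""
    return jaccard(code_graph(t1)[1], code_graph(t2)[1])


def sequence_similarity(t1: Sequence[Call], t2: Sequence[Call]) -> float:
    """Naive syntactic baseline: Jaccard over adjacent API-name pairs."""
    def bigrams(trace: Sequence[Call]) -> FrozenSet[Edge]:
        names = [normalize_api(c.api) for c in trace]
        return frozenset(zip(names, names[1:]))
    return jaccard(bigrams(t1), bigrams(t2))


def matches_signature(trace: Sequence[Call], signature: FrozenSet[Edge], threshold: float = 0.7) -> bool:
    """Flag a trace whose code graph is close enough to a stored signature (threshold is assumed)."""
    return jaccard(code_graph(trace)[1], signature) >= threshold


# Constructed trace: a loader that reads a payload into memory and runs it as a thread.
ORIGINAL = [
    Call("CreateFileA", ("C:\\payload.bin",), "h1"),
    Call("GetFileSize", ("h1",), "sz1"),
    Call("VirtualAlloc", ("sz1",), "p1"),
    Call("ReadFile", ("h1", "p1", "sz1")),
    Call("CloseHandle", ("h1",)),
    Call("CreateThread", ("p1",), "h2"),
    Call("WaitForSingleObject", ("h2",)),
]

# Constructed metamorphic variant: junk calls inserted, Unicode API used, handles renamed,
# and the independent CloseHandle moved later. Same data dependencies, different syntax.
VARIANT = [
    Call("GetTickCount", (), "t1"),
    Call("CreateFileW", ("C:\\payload.bin",), "f"),
    Call("Sleep", ("0",)),
    Call("GetFileSize", ("f",), "n"),
    Call("GetTickCount", (), "t2"),
    Call("VirtualAlloc", ("n",), "buf"),
    Call("ReadFile", ("f", "buf", "n")),
    Call("CreateThread", ("buf",), "th"),
    Call("CloseHandle", ("f",)),
    Call("Sleep", ("0",)),
    Call("WaitForSingleObject", ("th",)),
]

# Constructed benign program: open a log file, append a line, close it.
BENIGN = [
    Call("CreateFileA", ("C:\\app.log",), "h1"),
    Call("GetTickCount", (), "t"),
    Call("WriteFile", ("h1", "msg")),
    Call("CloseHandle", ("h1",)),
]

if __name__ == "__main__":
    signature = code_graph(ORIGINAL)[1]
    print("graph sim original/variant:", graph_similarity(ORIGINAL, VARIANT))
    print("bigram sim original/variant:", round(sequence_similarity(ORIGINAL, VARIANT), 3))
    print("graph sim original/benign:  ", round(graph_similarity(ORIGINAL, BENIGN), 3))
    print("variant flagged:", matches_signature(VARIANT, signature))
    print("benign flagged: ", matches_signature(BENIGN, signature))
```

Two caveats a practitioner would attach to this kind of signature. First, it keys on API names, so a variant that swaps in an equivalent interface (a native `Nt*` call or a direct syscall in place of the Win32 wrapper) produces different nodes and needs a further normalization layer. Second, the dependency edges here are recovered from explicit value tokens; extracting the same edges statically from a packed binary, as the abstract says the authors do, first requires defeating the packer, so the graph is only as good as the unpacking and disassembly that precede it.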