DepSim: a dependency-based malware similarity comparison system

Authors:
Yang Yi;Ying Lingyun;Wang Rui;Su Purui;Feng Dengguo
Affiliations:
State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing, China and State Key Laboratory of Information Security, Graduate University of Chinese Ac ...;State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing, China and National Engineering Research Center for Information Security, Beijing, China;State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, Beijing, China;State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing, China;State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing, China
Venue:
Inscrypt'10 Proceedings of the 6th international conference on Information security and cryptology
Year:
2010

Citing 10
Cited 0

Identifying loops using DJ graphs

ACM Transactions on Programming Languages and Systems (TOPLAS)
Learning to detect malicious executables in the wild

Proceedings of the tenth ACM SIGKDD international conference on Knowledge discovery and data mining
QEMU, a fast and portable dynamic translator

ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
Toward Automated Dynamic Malware Analysis Using CWSandbox

IEEE Security and Privacy
Data mining approaches for intrusion detection

SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Mining specifications of malicious behavior

Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering
Panorama: capturing system-wide information flow for malware detection and analysis

Proceedings of the 14th ACM conference on Computer and communications security
BinHunt: Automatically Finding Semantic Differences in Binary Programs

ICICS '08 Proceedings of the 10th International Conference on Information and Communications Security
ReconBin: Reconstructing Binary File from Execution for Software Analysis

SSIRI '09 Proceedings of the 2009 Third IEEE International Conference on Secure Software Integration and Reliability Improvement
Automated classification and analysis of internet malware

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection

Quantified Score

Hi-index	0.00

Visualization

Abstract

It is important for malware analysis that comparing unknown files to previously-known malicious samples to quickly characterize the type of behavior and generate signatures. Malware writers often use obfuscation, such as packing, junk-insertion and other means of techniques to thwart traditional similarity comparison methods. In this paper, we introduce DepSim, a novel technique for finding dependency similarities between malicious binary programs. DepSim constructs dependency graphs of control flow and data flow of the program by taint analysis, and then conducts similarity analysis using a new graph isomorphism technique. In order to promote the accuracy and antiinterference capability, we reduce redundant loops and remove junk actions at the dependency graph pre-processing phase, which can also greatly improve the performance of our comparison algorithm. We implemented a prototype of DepSim and evaluated it to malware in the wild. Our prototype system successfully identified some semantic similarities between malware and revealed their inner similarity in program logic and behavior. The results demonstrate that our technique is accurate.