ECFGM: enriched control flow graph miner for unknown vicious infected code detection

  • Authors: Mojtaba Eskandari; Sattar Hashemi
  • Affiliations: Department of Computer Science and Engineering, Shiraz University, Shiraz, Iran (both authors)
  • Venue: Journal in Computer Virology
  • Year: 2012


Abstract

Vicious code, especially viruses, is a particularly impactful kind of malware that has caused many disasters and continues to exploit new vulnerabilities. Such code is injected into benign programs in order to abuse the host and ease its propagation. The offsets of the injected virus code are unknown, and its targets usually remain latent until the code is executed and activated, which in turn makes viruses very hard to detect. In this paper an enriched control flow graph miner, ECFGM for short, is presented to detect files infected by unknown viruses. ECFGM uses an enriched control flow graph model to represent benign and vicious code. This model carries more information than a traditional control flow graph (CFG), because it also records statistical information about dependent assembly instructions and API calls. To the best of our knowledge, the approach presented in this paper is the first that can recognize the offset of the infected code of unknown viruses in the victim files. The main contributions of this paper are twofold: first, the presented model is able to detect unknown vicious code using the ECFG model with reasonable complexity and desirable accuracy; second, our approach is resistant against metamorphic viruses that use dead code insertion, variable renaming and instruction reordering.