A similarity metric method of obfuscated malware using function-call graph

Authors:
Ming Xu;Lingfei Wu;Shuhui Qi;Jian Xu;Haiping Zhang;Yizhi Ren;Ning Zheng
Affiliations:
College of Computer, Hangzhou Dianzi University, Hangzhou, China;College of Computer, Hangzhou Dianzi University, Hangzhou, China;College of Computer, Hangzhou Dianzi University, Hangzhou, China;College of Computer, Hangzhou Dianzi University, Hangzhou, China;College of Computer, Hangzhou Dianzi University, Hangzhou, China;College of Computer, Hangzhou Dianzi University, Hangzhou, China;College of Computer, Hangzhou Dianzi University, Hangzhou, China
Venue:
Journal in Computer Virology
Year:
2013

Citing 13
Cited 0

Computers and Intractability: A Guide to the Theory of NP-Completeness

Computers and Intractability: A Guide to the Theory of NP-Completeness
The Art of Computer Virus Research and Defense

The Art of Computer Virus Research and Defense
A Method for Detecting Obfuscated Calls in Malicious Binaries

IEEE Transactions on Software Engineering
Detecting Obfuscated Viruses Using Cosine Similarity Analysis

AMS '07 Proceedings of the First Asia International Conference on Modelling & Simulation
Mining specifications of malicious behavior

Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering
Large-scale malware indexing using function-call graphs

Proceedings of the 16th ACM conference on Computer and communications security
Malware Obfuscation Detection via Maximal Patterns

IITA '09 Proceedings of the 2009 Third International Symposium on Intelligent Information Technology Application - Volume 02
A survey of graph edit distance

Pattern Analysis & Applications
Detecting metamorphic malwares using code graphs

Proceedings of the 2010 ACM Symposium on Applied Computing
Synthesizing Near-Optimal Malware Specifications from Suspicious Behaviors

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Improved call graph comparison using simulated annealing

Proceedings of the 2011 ACM Symposium on Applied Computing
Malware classification based on call graph clustering

Journal in Computer Virology
Polymorphic worm detection using structural information of executables

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection

Quantified Score

Hi-index	0.00

Visualization

Abstract

Code obfuscating technique plays a significant role to produce new obfuscated malicious programs, generally called malware variants, from previously encountered malwares. However, the traditional signature-based malware detecting method is hard to recognize the up-to-the-minute obfuscated malwares. This paper proposes a method to identify the malware variants based on the function-call graph. Firstly, the function-call graphs were created from the disassembled codes of program; then the caller---callee relationships of functions and the operational code (opcode) information about functions, combining the graph coloring techniques were used to measure the similarity metric between two function-call graphs; at last, the similarity metric was utilized to identify the malware variants from known malwares. The experimental results show that the proposed method is able to identify the obfuscated malicious softwares effectively.