Using a Fine-Grained Hybrid Feature for Malware Similarity Analysis

Abstract. Nowadays, the dramatic increase in malware poses severe challenges to computer security. Most emerging instances are variants of previously encountered malware, produced through polymorphism and metamorphism techniques. Traditional signature-based detection methods are ineffective at recognizing the enormous number of variants. Malware similarity analysis has become the mainstream technique for identifying variants. However, most existing methods are either hard to apply to polymorphic and metamorphic samples, because they rely on static structural features, or time consuming and resource intensive, because they rely on dynamic behavior features. In this paper, we propose a novel malware similarity analysis method based on a fine-grained hybrid feature that exploits the complementary nature of static and dynamic analysis. We integrate dynamic runtime behavior with the static function-call graph. The hybrid feature overcomes the limitations of using static and dynamic features separately and achieves higher accuracy. Further, we use graph edit distance, computed with an inexact graph matching algorithm, as the metric to measure the distance between malicious instances. We have evaluated our algorithm on a real-world dataset and compared it with another approach. The experiments demonstrate that our method achieves higher accuracy.

Keywords: Similarity analysis, Function-call graph, Hybrid feature, Graph edit distance
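The following is an added illustration of the distance metric named in the abstract, not code from the paper. It builds three small constructed function-call graphs, one "original", one polymorphic variant with renamed and reordered functions plus an injected junk function, and one unrelated sample, and computes the graph edit distance between them. The hybrid labelling is an assumption of mine: each node (function) carries the set of API calls observed at runtime inside it, so a node substitution costs 1 when those sets differ, and every node or edge insertion or deletion costs 1. Because the graphs are tiny, the exact minimum over all node mappings is enumerated; the paper's inexact matching algorithm, which approximates this minimum for large graphs, is not reproduced here.

```python
"""Graph edit distance over behaviour-labelled function-call graphs.

Added example, not the paper's implementation. Assumed cost model: node
substitution = 1 if runtime-behaviour labels differ, node/edge insertion
and deletion = 1 each. Exact search, feasible only for tiny graphs.
"""
from itertools import combinations, permutations

# Constructed sample graphs: (labels, edges). labels maps a function name to
# the frozenset of API calls observed in it at runtime (assumed hybrid
# feature); edges is the caller->callee set from static analysis.
ORIGINAL = (
    {"main": frozenset({"CreateFileW"}),
     "f1": frozenset({"RegSetValueExW"}),
     "f2": frozenset({"connect", "send"}),
     "f3": frozenset({"CryptEncrypt"})},
    {("main", "f1"), ("main", "f2"), ("f2", "f3")},
)
# Variant: same structure and behaviour, functions renamed and reordered by
# the obfuscator. Call-graph structure is unaffected by block reordering.
VARIANT = (
    {"sub_401000": frozenset({"CryptEncrypt"}),
     "sub_401200": frozenset({"connect", "send"}),
     "sub_401400": frozenset({"RegSetValueExW"}),
     "start": frozenset({"CreateFileW"})},
    {("start", "sub_401400"), ("start", "sub_401200"),
     ("sub_401200", "sub_401000")},
)
# Variant with an injected junk function that performs no API calls.
VARIANT_PADDED = (
    dict(VARIANT[0], junk=frozenset()),
    VARIANT[1] | {("start", "junk")},
)
# Unrelated sample: different behaviour and different structure.
UNRELATED = (
    {"main": frozenset({"GetTickCount"}),
     "g1": frozenset({"VirtualAlloc", "WriteProcessMemory"}),
     "g2": frozenset({"CreateRemoteThread"})},
    {("main", "g1"), ("g1", "g2")},
)


def _edge_cost(edges_a, edges_b, mapping):
    """Edge cost under a partial injective node mapping A -> B.

    An A edge whose endpoints both map and whose image exists in B is
    matched (cost 0); every other A edge is deleted (1); every B edge that
    is not the image of some A edge is inserted (1).
    """
    cost = 0
    hit = set()
    for u, v in edges_a:
        if u in mapping and v in mapping and (mapping[u], mapping[v]) in edges_b:
            hit.add((mapping[u], mapping[v]))
        else:
            cost += 1
    return cost + len(edges_b) - len(hit)


def graph_edit_distance(g_a, g_b):
    """Exact GED: enumerate every injective partial map from A's nodes to
    B's nodes; unmapped A nodes are deleted, unmapped B nodes inserted."""
    labels_a, edges_a = g_a
    labels_b, edges_b = g_b
    nodes_a, nodes_b = list(labels_a), list(labels_b)
    best = None
    for k in range(min(len(nodes_a), len(nodes_b)) + 1):
        for src in combinations(nodes_a, k):
            for dst in permutations(nodes_b, k):
                mapping = dict(zip(src, dst))
                cost = sum(labels_a[a] != labels_b[b] for a, b in mapping.items())
                cost += (len(nodes_a) - k) + (len(nodes_b) - k)
                cost += _edge_cost(edges_a, edges_b, mapping)
                if best is None or cost < best:
                    best = cost
    return best


def similarity(g_a, g_b):
    """Normalise GED by the total size of both graphs: 1.0 means identical
    under the cost model, values near 0 mean almost nothing is shared."""
    size = len(g_a[0]) + len(g_a[1]) + len(g_b[0]) + len(g_b[1])
    return 1.0 - graph_edit_distance(g_a, g_b) / size


if __name__ == "__main__":
    for name, g in (("variant", VARIANT), ("padded variant", VARIANT_PADDED),
                    ("unrelated", UNRELATED)):
        print(f"{name:15s} GED={graph_edit_distance(ORIGINAL, g)} "
              f"similarity={similarity(ORIGINAL, g):.3f}")
```

Renaming and reordering leave the distance at zero because the metric looks at structure and runtime behaviour, not at symbol names or byte layout; the injected junk function costs exactly one node insertion and one edge insertion, which is the tolerance an inexact matching scheme is meant to provide. The enumeration above grows factorially with graph size, which is why real samples (hundreds or thousands of functions) need the approximate matching the paper refers to.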

© Springer Nature Singapore Pte Ltd. 2017 J.J. (Jong Hyuk) Park et al. (eds.), Advances in Computer Science and Ubiquitous Computing, Lecture Notes in Electrical Engineering 421, DOI 10.1007/978-981-10-3023-9_9

1 Introduction

Malware poses a major threat to network security. According to the latest report from Symantec, more than 430,000,000 new malware samples were discovered in 2015, up 36 percent from the year before. The sheer volume of malware brings severe challenges to security vendors. However, research shows that the majority of new incoming malware instances are merely variations of previously encountered malware produced through polymorphism and metamorphism techniques: they share the same functionality while having different syntactic representations. Malware similarity analysis has been put forward to cope efficiently with the tremendous number of variants. By precisely measuring similarity with a quantitative metric, it determines whether a malware program is similar to a previously seen sample, so that a large amount of time and resources can be saved by avoiding the duplicated analysis of variants. It is the basis for automatic malware detection, and also the foundation of malware classification and phylogeny model generation. In this paper, we propose a novel malware similarity analysis metric using a fine-grained hybrid feature, which combines the static function-call graph and dynamic runtime traces in a way that takes advantage of both simultaneously. Firstly, we extract the function-call graph of programs using static analysis, which is resilient to low-level obfuscation such as basic block reordering,