Malwise-an effective and efficient classification system for packed and polymorphic malware

Cesare, Silvio, Xiang, Yang and Zhou, Wanlei 2013, Malwise-an effective and efficient classification system for packed and polymorphic malware, IEEE transactions on computers, vol. 62, no. 6, pp. 1193-1206, doi: 10.1109/TC.2012.65.


Title Malwise-an effective and efficient classification system for packed and polymorphic malware
Author(s) Cesare, Silvio; Xiang, Yang; Zhou, Wanlei
Journal name IEEE transactions on computers
Volume number 62
Issue number 6
Start page 1193
End page 1206
Total pages 14
Publisher IEEE
Place of publication Piscataway, N.J.
Publication date 2013
ISSN 0018-9340
Keyword(s) computer security; control flow; structural classification; structured control flow
Summary Signature-based malware detection systems have been a much used response to the pervasive problem of malware. Identification of malware variants is essential to a detection system and is made possible by identifying invariant characteristics in related samples. To classify packed and polymorphic malware, this paper proposes a novel system, named Malwise, for malware classification using a fast application-level emulator to reverse the code packing transformation, and two flowgraph matching algorithms to perform classification. An exact flowgraph matching algorithm is employed that uses string-based signatures and is able to detect malware with near real-time performance. Additionally, a more effective approximate flowgraph matching algorithm is proposed that uses the decompilation technique of structuring to generate string-based signatures amenable to the string edit distance. We use real and synthetic malware to demonstrate the effectiveness and efficiency of Malwise. Using more than 15,000 real malware samples collected from honeypots, the effectiveness is validated by showing that there is an 88 percent probability that new malware is detected as a variant of existing malware. The efficiency is demonstrated on a smaller sample set of malware, where 86 percent of the samples can be classified in under 1.3 seconds.
Language eng
DOI 10.1109/TC.2012.65
Field of Research 080503 Networking and Communications
080501 Distributed and Grid Systems
080199 Artificial Intelligence and Image Processing not elsewhere classified
Socio Economic Objective 890202 Application Tools and System Utilities
HERDC Research category C1 Refereed article in a scholarly journal
Copyright notice ©2013, IEEE

Document type: Journal Article
Collections: School of Information Technology
2018 ERA Submission

Citation counts: cited 25 times in Web of Science; cited 49 times in Scopus
Created: Tue, 27 Aug 2013, 12:20:49 EST
