Deakin University
Browse

File(s) under permanent embargo

Malware variant detection using similarity search over sets of control flow graphs

conference contribution
posted on 2011-01-01, 00:00 authored by Silvio Cesare, Yang Xiang
Static detection of polymorphic malware variants plays an important role to improve system security. Control flow has shown to be an effective characteristic that represents polymorphic malware instances. In our research, we propose a similarity search of malware using novel distance metrics of malware signatures. We describe a malware signature by the set of control flow graphs the malware contains. We propose two approaches and use the first to perform pre-filtering. Firstly, we use a distance metric based on the distance between feature vectors. The feature vector is a decomposition of the set of graphs into either fixed size k-sub graphs, or q-gram strings of the high-level source after decompilation. We also propose a more effective but less computationally efficient distance metric based on the minimum matching distance. The minimum matching distance uses the string edit distances between programs' decompiled flow graphs, and the linear sum assignment problem to construct a minimum sum weight matching between two sets of graphs. We implement the distance metrics in a complete malware variant detection system. The evaluation shows that our approach is highly effective in terms of a limited false positive rate and our system detects more malware variants when compared to the detection rates of other algorithms.

History

Event

International Conference on Trust, Security and Privacy in Computing and Communications (10th : 2011 : Changsha, China)

Pagination

181 - 189

Publisher

IEEE

Location

Changsha, China

Place of publication

[Changsha, China]

Start date

2011-11-16

End date

2011-11-18

ISBN-13

9781457721359

ISBN-10

145772135X

Language

eng

Publication classification

E1 Full written paper - refereed

Copyright notice

2011, IEEE

Title of proceedings

TRUSTCOM 2011 : International Conference on Trust, Security and Privacy in Computing and Communications