BinGraph: Discovering mutant malware using hierarchical semantic signatures

Jonghoon Kwon, Heejo Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

10 Citations (Scopus)

Abstract

The malware landscape has grown dramatically over the last decade. The main reason for the increase is that new malware variants can be produced easily using simple code obfuscation techniques. Once obfuscation is applied, malware can change its syntax while preserving its semantics, and so bypass anti-virus (AV) scanners. Malware authors therefore commonly use code obfuscation techniques to generate metamorphic malware. Signature-based AV techniques have limited ability to detect metamorphic malware, since they commonly rely on syntactic signature matching. In this paper, we propose BinGraph, a new mechanism that accurately discovers metamorphic malware. BinGraph leverages the semantics of malware, since mutant malware can manipulate only its syntax. To this end, we first extract API calls from malware and convert them into a hierarchical behavior graph that represents the malware with a fixed set of 128 semantic nodes. We then extract unique subgraphs from the hierarchical behavior graphs as semantic signatures representing the common behaviors of a specific malware family. To evaluate BinGraph, we analyzed a total of 827 malware samples from 10 malware families together with 1,202 benign binaries. Among the malware, 20% of the samples, randomly chosen from each malware family, were used for extracting semantic signatures, and the rest were used for assessing detection accuracy. In the end, only 32 subgraphs were selected as semantic signatures. BinGraph discovered malware variants with 98% detection accuracy.

Original language: English
Title of host publication: Proceedings of the 2012 7th International Conference on Malicious and Unwanted Software, Malware 2012
Pages: 104-111
Number of pages: 8
DOIs: 10.1109/MALWARE.2012.6461015
Publication status: Published - 2012 Dec 1
Event: 2012 7th International Conference on Malicious and Unwanted Software, Malware 2012 - Fajardo, PR, United States
Duration: 2012 Oct 16 - 2012 Oct 18

Other

Other: 2012 7th International Conference on Malicious and Unwanted Software, Malware 2012
Country: United States
City: Fajardo, PR
Period: 12/10/16 - 12/10/18

Fingerprint

Semantics
Computer viruses
Malware
Syntactics
Application programming interfaces (API)

ASJC Scopus subject areas

  • Software

Cite this

Kwon, J., & Lee, H. (2012). BinGraph: Discovering mutant malware using hierarchical semantic signatures. In Proceedings of the 2012 7th International Conference on Malicious and Unwanted Software, Malware 2012 (pp. 104-111). [6461015] https://doi.org/10.1109/MALWARE.2012.6461015

@inproceedings{a7dfe99891a24bb9ba108f587ce72afe,
title = "BinGraph: Discovering mutant malware using hierarchical semantic signatures",
author = "Jonghoon Kwon and Heejo Lee",
year = "2012",
month = "12",
day = "1",
doi = "10.1109/MALWARE.2012.6461015",
language = "English",
isbn = "9781467348782",
pages = "104--111",
booktitle = "Proceedings of the 2012 7th International Conference on Malicious and Unwanted Software, Malware 2012",

}
