Detecting metamorphic malwares using code graphs

Jusuk Lee, Kyoochang Jeong, Heejo Lee

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    76 Citations (Scopus)

    Abstract

    Malware writers and detectors have been running an endless battle. Self-defense is the weapon most malware writers prepare against malware detectors: they try to evade the improved detection techniques of anti-virus (AV) products. Packing and code obfuscation are two popular evasion techniques. When these techniques are applied to malware, the malware can change its instruction sequence while maintaining its intended function. We propose a detection mechanism that defeats these self-defense techniques to improve malware detection. Since obfuscated malware can change the syntax of its code while preserving its semantics, the proposed mechanism relies on a semantic invariant. We convert the API call sequence of the malware into a graph, commonly known as a call graph, to extract the semantics of the malware. The call graph is then reduced to a code graph, which serves as the semantic signature of the proposed mechanism. We show that the code graph can represent the characteristics of a program exactly and uniquely. Next, we evaluate the proposed mechanism experimentally. The mechanism achieves a 91% detection ratio on real-world malware and detects 300 metamorphic malware samples that evade AV scanners. In this paper, we show how to analyze malware by extracting program semantics using static analysis. The proposed mechanism is shown to provide a high probability of detecting malware even when it attempts self-protection.
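    The pipeline the abstract sketches (statically extract the API call sequence, build a call graph, reduce it to a smaller code graph, match against a signature) as an added, illustrative example; this is not the authors' implementation and not code from the paper. The instruction listings, the A/W-suffix normalisation, the API category table used for the reduction, the Jaccard similarity and the 0.8 threshold are all constructed assumptions; the paper's actual reduction rules and matching procedure are not described on this page. The example shows why a byte-level signature misses a metamorphic variant while the graph-based signature still matches it, and why a benign program with overlapping file I/O does not match.

```python
"""Code-graph style matching over statically extracted API calls.

Illustrative example only (not the paper's implementation). The instruction
listings are constructed; the normalisation, category table and threshold
are assumptions chosen for the demonstration.
"""
import hashlib

# Constructed "disassembly": (mnemonic, operand). API calls are ("call", name).
ORIGINAL = [
    ("push", "ebp"), ("mov", "ebp,esp"),
    ("call", "GetTempPathA"), ("call", "CreateFileA"), ("call", "WriteFile"),
    ("call", "CloseHandle"), ("call", "RegOpenKeyExA"),
    ("call", "RegSetValueExA"), ("call", "CreateProcessA"), ("ret", ""),
]

# Metamorphic variant (constructed): junk instructions inserted, Unicode (W)
# imports swapped for ANSI (A) ones; the behaviour is unchanged.
VARIANT = [
    ("push", "ebp"), ("mov", "ebp,esp"), ("nop", ""), ("xchg", "eax,eax"),
    ("call", "GetTempPathW"), ("push", "eax"), ("pop", "eax"),
    ("call", "CreateFileW"), ("mov", "ecx,ecx"), ("call", "WriteFile"),
    ("call", "CloseHandle"), ("jmp", "$+2"), ("call", "RegOpenKeyExW"),
    ("call", "RegSetValueExW"), ("call", "CreateProcessW"), ("ret", ""),
]

# Benign program (constructed): same file I/O prefix, no persistence or spawn.
BENIGN = [
    ("push", "ebp"), ("mov", "ebp,esp"),
    ("call", "GetTempPathA"), ("call", "CreateFileA"), ("call", "WriteFile"),
    ("call", "CloseHandle"), ("call", "MessageBoxA"), ("ret", ""),
]

# Assumed semantic classes for the reduction step (hypothetical table).
CATEGORY = {
    "GetTempPath": "file", "CreateFile": "file", "WriteFile": "file",
    "CloseHandle": "file", "RegOpenKeyEx": "registry",
    "RegSetValueEx": "registry", "CreateProcess": "process", "MessageBox": "ui",
}
THRESHOLD = 0.8  # assumed decision threshold on call-graph similarity


def byte_signature(instrs):
    """Syntactic signature: hash of the raw listing. Any junk insertion breaks it."""
    text = "\n".join(f"{m} {o}" for m, o in instrs)
    return hashlib.sha256(text.encode()).hexdigest()


def api_sequence(instrs):
    """Static extraction: keep the targets of call instructions, in order."""
    return [op for mnem, op in instrs if mnem == "call"]


def normalize(api):
    """Assumed normalisation: fold ANSI/Unicode pairs (CreateFileA/W) into one node."""
    return api[:-1] if len(api) > 1 and api[-1] in "AW" else api


def call_graph(apis):
    """Directed edge for every pair of consecutive API calls."""
    return {(a, b) for a, b in zip(apis, apis[1:])}


def code_graph(graph):
    """Assumed reduction: collapse API nodes into their semantic class."""
    return {(CATEGORY.get(a, "other"), CATEGORY.get(b, "other")) for a, b in graph}


def jaccard(x, y):
    """Set similarity in [0, 1]; 1.0 means identical edge sets."""
    return len(x & y) / len(x | y) if (x | y) else 1.0


def analyse(instrs):
    """Run the whole pipeline on one listing and return all three signatures."""
    apis = [normalize(a) for a in api_sequence(instrs)]
    cg = call_graph(apis)
    return {"bytes": byte_signature(instrs), "call_graph": cg,
            "code_graph": code_graph(cg)}


def matches(signature, sample):
    """Semantic match: call-graph similarity against the stored signature."""
    return jaccard(signature["call_graph"], sample["call_graph"]) >= THRESHOLD


if __name__ == "__main__":
    sig = analyse(ORIGINAL)
    for name, listing in (("variant", VARIANT), ("benign", BENIGN)):
        s = analyse(listing)
        print(name, "byte match:", s["bytes"] == sig["bytes"],
              "call-graph sim: %.2f" % jaccard(sig["call_graph"], s["call_graph"]),
              "code-graph sim: %.2f" % jaccard(sig["code_graph"], s["code_graph"]),
              "detected:", matches(sig, s))
```

    Run as a script it prints that the variant fails the byte signature but scores 1.00 on both graphs, while the benign listing scores well under the threshold. The category reduction is where most of the design risk sits in practice: too coarse a table merges unrelated programs, too fine a table reintroduces the sensitivity to trivial API substitutions that the reduction is meant to remove.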

    Original language: English
    Title of host publication: APPLIED COMPUTING 2010 - The 25th Annual ACM Symposium on Applied Computing
    Pages: 1970-1977
    Number of pages: 8
    DOIs
    Publication status: Published - 2010
    Event: 25th Annual ACM Symposium on Applied Computing, SAC 2010 - Sierre, Switzerland
    Duration: 2010 Mar 22 to 2010 Mar 26

    Publication series

    Name: Proceedings of the ACM Symposium on Applied Computing

    Other

    Other: 25th Annual ACM Symposium on Applied Computing, SAC 2010
    Country/Territory: Switzerland
    City: Sierre
    Period: 10/3/22 to 10/3/26

    Keywords

    • code graph
    • code obfuscation
    • metamorphic malware
    • static analysis

    ASJC Scopus subject areas

    • Software
