Detecting metamorphic malwares using code graphs

Jusuk Lee, Kyoochang Jeong, Heejo Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

63 Citations (Scopus)

Abstract

Malware writers and detectors have been running an endless battle. Self-defense is the weapon most malware writers prepare against malware detectors. Malware writers have tried to evade the improved detection techniques of anti-virus (AV) products. Packing and code obfuscation are two popular evasion techniques. When these techniques are applied to malware, they are able to change its instruction sequence while maintaining its intended function. We propose a detection mechanism that defeats these self-defense techniques to improve malware detection. Since an obfuscated malware is able to change the syntax of its code while preserving its semantics, the proposed mechanism uses the semantic invariant. We convert the API call sequence of the malware into a graph, commonly known as a call graph, to extract the semantics of the malware. The call graph can be reduced to a code graph, which serves as the semantic signature of the proposed mechanism. We show that the code graph can represent the characteristics of a program exactly and uniquely. Next, we evaluate the proposed mechanism by experiment. The mechanism has a 91% detection ratio on real-world malware and detects 300 metamorphic malware samples that can evade AV scanners. In this paper, we show how to analyze malware by extracting program semantics using static analysis. It is shown that the proposed mechanism provides a high possibility of detecting malware even when it attempts self-protection.

Original language: English
Title of host publication: Proceedings of the ACM Symposium on Applied Computing
Pages: 1970-1977
Number of pages: 8
DOIs: 10.1145/1774088.1774505
Publication status: Published - 2010 Jul 23
Event: 25th Annual ACM Symposium on Applied Computing, SAC 2010 - Sierre, Switzerland
Duration: 2010 Mar 22 - 2010 Mar 26

Other

Other: 25th Annual ACM Symposium on Applied Computing, SAC 2010
Country: Switzerland
City: Sierre
Period: 10/3/22 - 10/3/26

Fingerprint

  • Semantics
  • Malware
  • Detectors
  • Static analysis
  • Viruses
  • Application programming interfaces (API)
  • Experiments

Keywords

  • code graph
  • code obfuscation
  • metamorphic malware
  • static analysis

ASJC Scopus subject areas

  • Software

Cite this

Lee, J., Jeong, K., & Lee, H. (2010). Detecting metamorphic malwares using code graphs. In Proceedings of the ACM Symposium on Applied Computing (pp. 1970-1977) https://doi.org/10.1145/1774088.1774505

@inproceedings{9c674163ff42451c942bc62f321d1165,
title = "Detecting metamorphic malwares using code graphs",
abstract = "Malware writers and detectors have been running an endless battle. Self-defense is the weapon most malware writers prepare against malware detectors. Malware writers have tried to evade the improved detection techniques of anti-virus(AV) products. Packing and code obfuscation are two popular evasion techniques. When these techniques are applied to malwares, they are able to change their instruction sequence while maintaining their intended function. We propose a detection mechanism defeating these self-defense techniques to improve malware detection. Since an obfuscated malware is able to change the syntax of its code while preserving its semantics, the proposed mechanism uses the semantic invariant. We convert the API call sequence of the malware into a graph, commonly known as a call graph, to extract the semantic of the malware. The call graph can be reduced to a code graph used for semantic signatures of the proposed mechanism. We show that the code graph can represent the characteristics of a program exactly and uniquely. Next, we evaluate the proposed mechanism by experiment. The mechanism has an 91{\%} detection ratio of real-world malwares and detects 300 metamorphic malwares that can evade AV scanners. In this paper, we show how to analyze malwares by extracting program semantics using static analysis. It is shown that the proposed mechanism provides a high possibility of detecting malwares even when they attempt self-protection.",
keywords = "code graph, code obfuscation, metamorphic malware, static analysis",
author = "Jusuk Lee and Kyoochang Jeong and Heejo Lee",
year = "2010",
month = "7",
day = "23",
doi = "10.1145/1774088.1774505",
language = "English",
isbn = "9781605586380",
pages = "1970--1977",
booktitle = "Proceedings of the ACM Symposium on Applied Computing",
}
