Table 1 - uploaded by Mark Stamp
Examples of x86 Instructions

Source publication
Conference Paper
Full-text available
In this paper, we consider a novel method for measuring the similarity of software. Our technique can be applied to any executable file and no special effort is required when developing the software. In addition, our similarity score can be computed at any point in time, even after the software has been distributed. Our approach was inspired by the su...

Context in source publication

Context 1
... instructions can broadly be classified as data transfer instructions, arithmetic and logical instructions, and control flow instructions. Table 1 shows some typical instructions of each of these types. ...

Citations

... Apart from the mutation methods that leverage one or more levels of encryption, there also exist more advanced mutation methods. Some of the most applicable malware mutations are oligomorphism, which is achieved through obfuscation techniques, polymorphism, where the code is modified through encryption techniques, and metamorphism, in which multiple structurally different copies of a malware sample are generated [11,13,18]. Hence, while the main functionality of a malware sample remains immutable during its mutations, malware samples can be merged into groups of samples with common functionality, the so-called malware families. ...
Conference Paper
In this work we propose a graph-based model that, utilizing relations between groups of System-calls, distinguishes malicious from benign software samples utilizing a behavioral graph representing their interaction with the operating system. More precisely, given a System-call Dependency Graph (ScDG) that depicts the malware's behavior, we first transform it to a more abstract representation, utilizing the indexing of System-calls to a set of groups of similar functionality, constructing thus a mutation-tolerant graph that we call Group Relation Graph (GrG); we pointed out that behavior-based graph representations had not leveraged the aspect of the temporal evolution of the graph. Hence, the novelty of our work is that, preserving the initial representations of GrG graphs, we focus on augmenting the potential of these graphs by adding further features that enhance their detection abilities. To that end, we construct periodical instances of the graph that represent its temporal evolution concerning its structural modifications, creating another graph representation that we call Temporal Graphs. In this paper, we present the theoretical background behind our approach, and demonstrate the overall architecture of our proposed detection model alongside its underlying main principles and its structural key components.
... As referred to in [41], the main principle is to modify the appearance of the code constantly across the copies. Finally, a metamorphic malware changes its structure while keeping its functionality each time it replicates itself [34]. Polymorphic and metamorphic malware is the hardest type of malware to detect, since they are able to mutate into an infinite number of functionally equivalent copies of themselves, and thus there is no constant signature for virus scanning [34]. ...
Preprint
Full-text available
In this work we propose a graph-based model that, utilizing relations between groups of System-calls, distinguishes malicious from benign software samples and classifies the detected malicious samples to one of a set of known malware families. More precisely, given a System-call Dependency Graph (ScDG) that depicts the malware's behavior, we first transform it to a more abstract representation, utilizing the indexing of System-calls to a set of groups of similar functionality, constructing thus an abstract and mutation-tolerant graph that we call Group Relation Graph (GrG); then, we construct another graph representation, which we call Coverage Graph (CvG), that depicts the dominating relations between the nodes of a GrG graph. Based on the research so far in the field, we pointed out that behavior-based graph representations had not leveraged the aspect of the temporal evolution of the graph. Hence, the novelty of our work is that, preserving the initial representations of GrG and CvG graphs, we focus on augmenting the potential of these graphs by adding further features that enhance their abilities in detecting an unknown malware sample and further classifying it to a known malware family. To that end, we construct periodical instances of the graph that represent its temporal evolution concerning its structural modifications, creating another graph representation that we call Temporal Graphs. In this paper, we present the theoretical background behind our approach, discuss the current technological status on malware detection and classification, and demonstrate the overall architecture of our proposed detection and classification model alongside its underlying main principles and its structural key components.
... As referred to in [22], the main principle is to modify the appearance of the code constantly across the copies. • Metamorphism: Metamorphic malware changes its structure while keeping its functionality each time it replicates itself [16]. Polymorphic and metamorphic malware is the hardest type of malware to detect, since they are able to mutate into an infinite number of functionally equivalent copies of themselves, and thus there is no constant signature for virus scanning [16]. ...
Article
Full-text available
In this paper we present a graph-based model that, utilizing relations between groups of System-calls, detects whether an unknown software sample is malicious or benign, and classifies a malicious software sample to one of a set of known malware families. More precisely, we utilize the System-call Dependency Graphs (or, for short, ScD-graphs), obtained by traces captured through dynamic taint analysis. We design our model to be resistant against strong mutations, applying our detection and classification techniques on a weighted directed graph, namely the Group Relation Graph, or Gr-graph for short, resulting from the ScD-graph after grouping disjoint subsets of its vertices. For the detection process, we propose the \(\Delta\)-similarity metric, and for the process of classification, we propose the SaMe-similarity and NP-similarity metrics constituting the SaMe-NP similarity. Finally, we evaluate our model for malware detection and classification, showing its potential against malicious software by measuring its detection rates and classification accuracy.