Malware Detection Using Logic Signature of Basic Block Sequence

  • Dawei Shi
  • Qiang Xu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11204)


Malware detection is an important method for maintaining security and privacy in cyberspace. Signature-based detection, currently the most mainstream method, is confronted with many obfuscation methods that can hide the true signature of malware. In our research, we propose a logic signature-based malware detection method to overcome the data signature-based method's susceptibility to disturbance. First, we obtain the logic of each basic block using symbolic execution and Static Single Assignment, and then represent the basic block logic as a set of expression trees; this set is filtered to pick out the remarkable items. Based on the basic block logic tree sets, we use the n-gram method to select features for discriminating malicious from benign software. Every feature of a program is a sequence of basic block logic, and feature matching is based on edit distance calculation. We design and implement a detector and evaluate its effectiveness by comparing it with a data signature-based detector. The experimental results indicate that the proposed malware detector using the logic signature of basic block sequences performs better than data signature-based detectors.
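The pipeline described in the abstract, as an added illustration that is not the authors' implementation: each basic block is symbolically executed into a set of canonical expression trees, and a program matches when some n-gram of its block sequence is within a small edit distance of a known feature. The toy `(op, dst, a, b)` instruction format, the naming of inputs by order of first use, the filter that drops bare copies, and the sample programs are all assumptions made for this example.

```python
from itertools import count
COMMUTATIVE = {"add", "xor", "and", "or", "mul"}

def block_logic(block):
    """Symbolically execute toy (op, dst, a, b) code; return the filtered set of expression trees."""
    env, fresh, written = {}, count(), []
    def val(x):
        if isinstance(x, int):
            return x                          # constant operand
        if x not in env:                      # read before write: a block input,
            env[x] = f"in{next(fresh)}"       # named by order of first use
        return env[x]
    for op, dst, a, b in block:
        if op == "mov":
            tree = val(a)                     # copy: no new computation
        else:
            args = [val(a), val(b)]
            if op in COMMUTATIVE:
                args.sort(key=repr)           # canonical operand order
            tree = (op, *args)
        env[dst] = tree                       # SSA-style: dst now names a new value
        written.append(dst)
    return frozenset(env[r] for r in written if isinstance(env[r], tuple))

def edit_distance(a, b):
    """Levenshtein distance over sequences of block-logic sets."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]

def best_distance(feature, blocks):
    """Smallest edit distance between the feature and any n-gram of the program."""
    sigs, n = [block_logic(b) for b in blocks], len(feature)
    return min((edit_distance(feature, sigs[i:i + n]) for i in range(len(sigs) - n + 1)), default=n)

# Constructed sample programs (lists of basic blocks), not real malware.
KNOWN = [[("add", "r1", "r2", "r3"), ("xor", "r4", "r1", 0x5A)],
         [("mul", "r5", "r4", 3)],
         [("and", "r6", "r5", 0xFF), ("or", "r7", "r6", "r2")]]
VARIANT = [[("mov", "eax", "ebx", None), ("add", "ecx", "edx", "eax"), ("xor", "esi", "ecx", 0x5A)],
           [("sub", "edi", "esi", 1)],        # one block replaced outright
           [("and", "eax", "edi", 0xFF), ("or", "ebx", "eax", "edx")]]
BENIGN = [[("sub", "r1", "r2", "r3")], [("add", "r4", "r1", 1)], [("mov", "r5", "r4", None)]]
FEATURE = [block_logic(b) for b in KNOWN]     # one 3-gram of block logic
```

`VARIANT` renames every register, swaps operand order and inserts a copy, so its instruction tuples differ from `KNOWN`, yet its first and third blocks reduce to the same logic and the 3-gram sits at edit distance 1 from the feature.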


Keywords: Logic signature; Basic block logic; Expression tree; Basic block sequence



This research was supported by the National Natural Science Foundation of China (91318301), and the National High Technology Research and Development Program (“863” Program) of China (2012AA7111043).



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Jiangnan Institute of Computing Technology, Wuxi, China
