Skip to main content
SpringerLink
Log in

A Survey on Mining Program-Graph Features for Malware Analysis

  • Conference paper
  • First Online:
International Conference on Security and Privacy in Communication Networks (SecureComm 2014)

  • 866 Accesses

Abstract

Malware, which is a malevolent software, mostly programmed by attackers for either disrupting the normal computer operation or gaining access to private computer systems. A malware detector determines the malicious intent of a program and thereafter, stops executing the program if the program is malicious. While a substantial number of various malware detection techniques based on static and dynamic analysis has been studied for decades, malware detection based on mining program graph features has attracted recent attention. It is commonly believed that graph based representation of a program is a natural way to understand its semantics and thereby, unveil its execution intent. This paper presents a state of the art survey on mining program-graph features for malware detection. We have also outlined the challenges of malware detection based on mining program graph features for its successful deployment, and opportunities that can be explored in the future.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Anderson, B., Quist, D., Neil, J., Storlie, C., Lane, T.: Graph-based malware detection using dynamic analysis. J. Comput. Virol. 7(4), 247–258 (2011)

    Article  Google Scholar 

  2. Bailey, M., Cooke, E., Jahanian, F., Xu, Y., Karir, M.: A survey of botnet technology and defenses. In: Cybersecurity Applications & Technology Conference for Homeland Security, pp. 299–304. IEEE Computer Society, Washington, DC (2009)

    Google Scholar 

  3. Balakrishnan, A., Schulze, C.: Code obfuscation literature survey (2005). http://pages.cs.wisc.edu/~arinib/writeup.pdf

  4. Bergeron, J., Debbabi, M., Desharnais, J., Erhioui, M.M., Lavoie, Y., Tawbi, N.: Static detection of malicious code in executable programs. Int J. of Req. Eng. 2001, 184–189 (2001)

    Google Scholar 

  5. Bruschi, D., Martignoni, L., Monga, M.: Detecting self-mutating malware using control-flow graph matching. In: Büschkes, R., Laskov, P. (eds.) DIMVA 2006. LNCS, vol. 4064, pp. 129–143. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  6. Carrera, E., Erdélyi, G.: Digital genome mapping-advanced binary malware analysis. In: Virus Bulletin Conference (2004)

    Google Scholar 

  7. Cesare, S., Xiang, Y.: A fast flowgraph based classification system for packed and polymorphic malware on the endhost. In: AINA, pp. 721–728 (2010)

    Google Scholar 

  8. Cesare, S., Xiang, Y.: Malware variant detection using similarity search over sets of control flow graphs. In: TrustCom, pp. 181–189 (2011)

    Google Scholar 

  9. Cesare, S., Xiang, Y.: Static analysis of binaries. In: Software Similarity and Classification. SpringerBriefs in Computer Science, pp. 41–49. Springer, London (2012)

    Google Scholar 

  10. Cesare, S., Xiang, Y., Zhou, W.: Malwise - an effective and efficient classification system for packed and polymorphic malware. IEEE Trans. Comput. 62(6), 1193–1206 (2013)

    Article  MathSciNet  Google Scholar 

  11. Chau, D.H., Nachenberg, C., Wilhelm, J., Wright, A., Faloutsos, C.: Large scale graph mining and inference for malware detection. In: SDM, pp. 131–142 (2011)

    Google Scholar 

  12. Chen, C., Lin, C.X., Fredrikson, M., Christodorescu, M., Yan, X., Han, J.: Mining graph patterns efficiently via randomized summaries. PVLDB 2(1), 742–753 (2009)

    Google Scholar 

  13. Egele, M., Scholte, T., Kirda, E., Kruegel, C.: A survey on automated dynamic malware-analysis techniques and tools. ACM Comput. Surv. 44(2), 6:1–6:42 (2008)

    Google Scholar 

  14. Eskandari, M., Hashemi, S.: Metamorphic malware detection using control flow graph mining. Int. J. Comput. Sci. Netw. Secur. 11(12), 1–6 (2011)

    Google Scholar 

  15. Eskandari, M., Hashemi, S.: A graph mining approach for detecting unknown malwares. J. Vis. Lang. Comput. 23(3), 154–162 (2012)

    Article  Google Scholar 

  16. Feily, M., Shahrestani, A., Ramadass, S.: A survey of botnet and botnet detection. In: Third International Conference on Emerging Security Information, Systems and Technologies, pp. 268–273 (2009)

    Google Scholar 

  17. Felt, A.P., Finifter, M., Chin, E., Hanna, S., Wagner, D.: A survey of mobile malware in the wild. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, pp. 3–14 (2011)

    Google Scholar 

  18. Fredrikson, M., Jha, S., Christodorescu, M., Sailer, R., Yan, X.: Synthesizing near-optimal malware specifications from suspicious behaviors. In: IEEE Symposium on Security and Privacy, pp. 45–60 (2010)

    Google Scholar 

  19. Garcia-Teodoro, P., Díaz-Verdejo, J.E., Maciá-Fernández, G., Vázquez, E.: Anomaly-based network intrusion detection: techniques, systems and challenges. Comput. Secur. 28(1–2), 18–28 (2009)

    Article  Google Scholar 

  20. Garey, M.R., Johnson, D.S.: Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman, New York (1979)

    MATH  Google Scholar 

  21. Han, K.S., Kim, I.K., Im, E.: Malware classification methods using api sequence characteristics. In: Kim, K.J., Ahn, S.J. (eds.) Proceedings of the International Conference on IT Convergence and Security 2011. Lecture Notes in Electrical Engineering, vol. 120, pp. 613–626. Springer, Netherlands (2012)

    Chapter  Google Scholar 

  22. Islam, R., Tian, R., Batten, L.M., Versteeg, S.: Classification of malware based on integrated static and dynamic features. J. Netw. Comput. Appl. 36(2), 646–656 (2013)

    Article  Google Scholar 

  23. Jacob, G., Hund, R., Kruegel, C., Holz, T.: Jackstraws: picking command and control connections from bot traffic. In: USENIX Security Symposium (2011)

    Google Scholar 

  24. Jeong, K., Lee, H.: Code graph for malware detection. In: ICOIN, pp. 1–5 (2008)

    Google Scholar 

  25. Khan, A., Yan, X., Wu, K.L.: Towards proximity pattern mining in large graphs. In: SIGMOD Conference, pp. 867–878 (2010)

    Google Scholar 

  26. Kruegel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Polymorphic worm detection using structural information of executables. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 207–226. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  27. Kruegel, C., Robertson, W., Valeur, F., Vigna, G.: Static disassembly of obfuscated binaries. In: USENIX Security Symposium, p. 18 (2004)

    Google Scholar 

  28. Lee, J., Jeong, K., Lee, H.: Detecting metamorphic malwares using code graphs. In: SAC, pp. 1970–1977 (2010)

    Google Scholar 

  29. Li, Z., Liang, Y., Wu, Z., Tan, C.: Immunity based virus detection with process call arguments and user feedback. In: Bio-Inspired Models of Network, Information and Computing Systems, pp. 57–64 (2007)

    Google Scholar 

  30. Majumdar, A., Thomborson, C., Drape, S.: A survey of control-flow obfuscations. In: Bagchi, A., Atluri, V. (eds.) ICISS 2006. LNCS, vol. 4332, pp. 353–356. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  31. Navarro, G.: A guided tour to approximate string matching. ACM Comput. Surv. 33(1), 31–88 (2001)

    Article  Google Scholar 

  32. Perry, D.: Here Comes the Flood or end of the Pattern file. Virus Bulletin, Ottawa (2008)

    Google Scholar 

  33. Preda, M.D., Christodorescu, M., Jha, S., Debray, S.: A semantics-based approach to malware detection. SIGPLAN Not. 42(1), 377–388 (2007)

    Article  MATH  Google Scholar 

  34. Runwal, N., Low, R.M., Stamp, M.: Opcode graph similarity and metamorphic detection. J. Comput. Virol. 8(1–2), 37–52 (2012)

    Article  Google Scholar 

  35. Shabtai, A., Moskovitch, R., Elovici, Y., Glezer, C.: Detection of malicious code by applying machine learning classifiers on static features: a state-of-the-art survey. Inf. Secur. Tech. Rep. 14(1), 16–29 (2009)

    Article  Google Scholar 

  36. Sherwood, T., Perelman, E., Hamerly, G., Calder, B.: Automatically characterizing large scale program behavior. SIGARCH Comput. Archit. News 30(5), 45–57 (2002)

    Article  Google Scholar 

  37. Siddiqui, M., Wang, M.C., Lee, J.: A survey of data mining techniques for malware detection using file features. In: ACM Southeast Regional Conference, pp. 509–510 (2008)

    Google Scholar 

  38. Silva, S.S.C., Silva, R.M.P., Pinto, R.C.G., Salles, R.M.: Botnets: a survey. Comput. Netw. 57(2), 378–403 (2013)

    Article  Google Scholar 

  39. Stumpf, S., Rajaram, V., Li, L., Wong, W.K., Burnett, M.M., Dietterich, T.G., Sullivan, E., Herlocker, J.L.: Interacting meaningfully with machine learning systems: three experiments. Int. J. Hum.-Comput. Stud. 67(8), 639–662 (2009)

    Article  Google Scholar 

  40. Tavallaee, M., Stakhanova, N., Ghorbani, A.A.: Toward credible evaluation of anomaly-based intrusion-detection methods. Trans. Sys. Man Cyber. Part C 40(5), 516–524 (2010)

    Article  Google Scholar 

  41. Wagener, G., State, R., Dulaunoy, A.: Malware behaviour analysis. J. Comput. Virol. 4(4), 279–287 (2008)

    Article  Google Scholar 

  42. Wagner, D., Dean, D.: Intrusion detection via static analysis. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy, pp. 156–169 (2001)

    Google Scholar 

  43. Wang, X., Ding, X., Tung, A.K.H., Ying, S., Jin, H.: An efficient graph indexing method. In: ICDE, pp. 210–221 (2012)

    Google Scholar 

  44. Wong, W., Stamp, M.: Hunting for metamorphic engines. J. Comput. Virol. 2(3), 211–229 (2006)

    Article  Google Scholar 

  45. Ye, Y., Wang, D., Li, T., Ye, D.: Imds: intelligent malware detection system. In: ACM SIGKDD, pp. 1043–1047 (2007)

    Google Scholar 

  46. You, I., Yim, K.: Malware obfuscation techniques: a brief survey. In: BWCCA, pp. 297–300. IEEE (2010)

    Google Scholar 

  47. Yu, Z., Tsai, J.J.: Intrusion Detection: A Machine Learning Approach, vol. 3. Imperial College Pr., London (2010)

    Google Scholar 

  48. Zhang, L., Yu, S., Wu, D., Watters, P.: A survey on latest botnet attack and defense. In: TrustCom, pp. 53–60 (2011)

    Google Scholar 

  49. Zhang, M.L., Zhou, Z.H.: Ml-knn: a lazy learning approach to multi-label learning. Pattern Recogn. 40(7), 2038–2048 (2007)

    Article  MATH  Google Scholar 

  50. Zhu, Y., Qin, L., Yu, J.X., Cheng, H.: Finding top-k similar graphs in graph databases. In: EDBT, pp. 456–467 (2012)

    Google Scholar 

Download references

Acknowledgement

M.S. Islam and C. Liu are supported by the Australian Research Council (ARC) discovery project no. DP140103499.

Author information

Authors and Affiliations

  1. Swinburne University of Technology, Melbourne, Australia

    Md. Saiful Islam, A. S. M. Kayes & Chengfei Liu

  2. Charles Sturt University, Alburry, Australia

    Md. Rafiqul Islam

  3. Charles Sturt University, Wagga Wagga, Australia

    Irfan Altas

Authors
  1. Md. Saiful Islam
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Md. Rafiqul Islam
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. A. S. M. Kayes
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Chengfei Liu
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Irfan Altas
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Md. Saiful Islam .

Editor information

Editors and Affiliations

  1. CAS, Institute of Information Engineering, Beijing, China

    Jin Tian

  2. Institute of Information Engineering, Beijing, China

    Jiwu Jing

  3. IBM Thomas J. Watson Research Center, New York, New York, USA

    Mudhakar Srivatsa

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Islam, M.S., Islam, M.R., Kayes, A.S.M., Liu, C., Altas, I. (2015). A Survey on Mining Program-Graph Features for Malware Analysis. In: Tian, J., Jing, J., Srivatsa, M. (eds) International Conference on Security and Privacy in Communication Networks. SecureComm 2014. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 153. Springer, Cham. https://doi.org/10.1007/978-3-319-23802-9_18

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-23802-9_18

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-23801-2

  • Online ISBN: 978-3-319-23802-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation