A New Approach to Malware Detection

  • Hongying Tang
  • Bo Zhu
  • Kui Ren
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5576)


Malware has become one of the most serious threats to computer users. Early techniques based on syntactic signatures can be easily bypassed using program obfuscation. A promising direction is to combine Control Flow Graph (CFG) with instruction-level information. However, since previous work includes only coarse information, i.e., the classes of instructions of basic blocks, it results in false positives during the detection. To address this issue, we propose a new approach that generates formalized expressions upon assignment statements within basic blocks. Through combining CFG with the functionalities of basic blocks, which are represented in terms of upper variables with their corresponding formalized expressions and system calls (if any), our approach can achieve more accurate malware detection compared to previous CFG-based solutions.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    2007 malware report: The economic impact of viruses, spyware, adware, botnets, and other malicious code. Comoputer Economics (June 2007)Google Scholar
  2. 2.
    Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. In: Proceedings of the 12th USENIX Security Symposium, pp. 169–186 (2003)Google Scholar
  3. 3.
    Christodorescu, M., Jha, S., Seshia, S.A., Song, D., Bryant, R.E.: Semantics-aware malware detection. In: Proceedings of IEEE Symposium on Security and Privacy (2005)Google Scholar
  4. 4.
    Christodorescu, M., Kinder, J., Jha, S., Katzenbeisse, S., Veith, H.: Malware normalization. Technical Report 1539, Department of Computer Sciences, University of Wisconsin, Madison (2005)Google Scholar
  5. 5.
    Kruegel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Polymorphic worm detection using structural information of executables. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 207–226. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  6. 6.
    Bruschi, D., Martignoni, L., Monga, M.: Detecting self-mutating malware using control-flow graph matching. In: Büschkes, R., Laskov, P. (eds.) DIMVA 2006. LNCS, vol. 4064, pp. 129–143. Springer, Heidelberg (2006)Google Scholar
  7. 7.
    Bruschi, D., Martignoni, L., Monga, M.: Using code normalization for fighting self-mutating malware. In: Proceedings of International Symposium on Secure Software Engineering (2006)Google Scholar
  8. 8.
    Bonfante, G., Kaczmarek, M., Marion, J.Y.: Control flow graphs as malware signatures. In: Proceedings of International Workshop on the Theory of Computer Viruses, TCV 2007 (2007)Google Scholar
  9. 9.
    Jin, R., Wei, Q., Yang, P., Wang, Q.: Normalization towards instruction substitution metamorphism based on standard instruction set. In: Proceedings of 2007 International Conference on Computational Intelligence and Security Workshops, pp. 795–798 (2007)Google Scholar
  10. 10.
    Newsome, J., Song, D.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: Proceedings of the Network and Distributed System Security Symposium, NDSS 2005 (2005)Google Scholar
  11. 11.
    Bayer, U.: TTAnalyze: A tool for analyzing malware. Master’s thesis, Technical University of Vienna (December 2005)Google Scholar
  12. 12.
    Egele, M., Kruegel, C., Kirda, E., Yin, H., Song, D.: Dynamic spyware analysis. In: Proceedings of USENIX Annual Technical Conference, pp. 233–246 (2007)Google Scholar
  13. 13.
    Christodorescu, M., Jha, S.: Testing malware detectors. In: Proceedings of the 2004 ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2004), pp. 34–44 (2004)Google Scholar
  14. 14.
    Collberg, C., Thomborson, C., Low, D.: A taxonomy of obfuscating transformations. Technical Report 148, The University of Auckland (1997)Google Scholar
  15. 15.
    Cifuentes, C., Sendally, S.: Specifying the semantics of machine instructions. In: Proceedings of the 6th International Workshop on Program Comprehension (IWPC 1998), pp. 126–133 (1998)Google Scholar
  16. 16.

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Hongying Tang
    • 1
  • Bo Zhu
    • 1
  • Kui Ren
    • 2
  1. 1.Concordia Institute for Information Systems EngineeringConcordia UniversityCanada
  2. 2.Department of Electrical and Computer EngineeringIllinois Institute of TechnologyUSA

Personalised recommendations