Malware Variant Detection and Classification Using Control Flow Graph

  • Donghwi Shin
  • Kwangwoo Lee
  • Dongho Won
Part of the Communications in Computer and Information Science book series (CCIS, volume 206)


The number of malware increases steadily and is too many. So a malware analyst cannot analyze these manually. Therefore many researchers are working on automatic malware analysis. As a result of these researches, there are so many algorithms. The representative example may be a behavior based malware automatic analysis system. For example, these are the Bitblaze [1], Anubis[2], and so on. However these behaviors based analysis result is not enough. So for more detail analysis and advanced automatic analysis feature, the automatic static analysis engine is necessary. Then some projects apply an automatic static analysis engine and the research on automatic static analysis is working. These analysis methods use the structural characteristic of malware, and that is the reason the malware is also software, there is a toolkit for a malware generation, and a malware author reuse some codes. For automatic static analysis, it is so useful that the static analysis engine uses the structural characteristic of malware. However previous researches have some problem. For example, these are a performance, false positive, detection ratio, and so on. Therefore we’ll describe another method that used the structural characteristic of malware.


Malware Malicious Software Control Flow Graph Structural Analysis Profiling Signature Security 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    BitBlaze: Binary Analysis for Computer Security,
  2. 2.
    Anubis: Analyzing Unknown Binaries,
  3. 3.
  4. 4.
    Goldberg, L.A., Goldberg, P.W., Phillips, C.A., Sorkin, G.B.: Constructing computer virus phylogenies. Journal of Algorithms 26(1), 188–208 (1998)MathSciNetCrossRefzbMATHGoogle Scholar
  5. 5.
    Wehner, S.: Analyzing worms using compression (2004)Google Scholar
  6. 6.
    Carrera, E., Erdélyi, G.: Digital genome mapping – advanced binary malware analysis. In: Proc. Virus Bull. Int. Conf., pp. 187–197 (September 2004)Google Scholar
  7. 7.
    Karim, E., Walenstein, A., Lakhotia, A., Parida, L.: Malware phylogeny using maximal p-patterns. In: Proceedings of the EICAR 2005 Conference, pp. 167–174 (April-May 2005)Google Scholar
  8. 8.
    Kang, M.G., Poosankam, P., Yin, H.: Renovo:A hidden code extractor for packed executables. In: Workshop on Recurring Malcode, pp. 46–53 (2007)Google Scholar
  9. 9.
    Gheorghescu, M.: An Automated Virus Classification System. In: Virus Bulletin Conference (2005)Google Scholar
  10. 10.
    Cesare, S., Xiang, Y.: Classification of Malware Using Structured Control Flow. In: Proc. 8th Australasian Symposium on Parallel and Distributed Computing (2010)Google Scholar
  11. 11.
    Krügel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Polymorphic Worm Detection Using Structural Information of Executables. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 207–226. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  12. 12.
    Trinius, P.: Visual Analysis of Malware Behavior Using Treemaps and Thread Graphs. In: Vizsec 2009, pp. 33–38 (2009)Google Scholar
  13. 13.
    Quist, D.A.: Visualizing CompiledExecutables for Malware Analysis. In: Vizsec 2009, pp. 27–32 (2009)Google Scholar
  14. 14.
    Zubair Shafiq, M.: PE-probe: leveraging packer detection and structural information to detect malicious portable executables. In: VB 2009 (2009)Google Scholar
  15. 15.
    Kaczmarek, M.: Architecture of a Morphological Malware Detector. Journal in Computer Virology (2008)Google Scholar
  16. 16.
    Vinod, P.: Static CFG analyzer for metamorphic. In: PIN 2009 (2009)Google Scholar
  17. 17.
    Song, D., Brumley, D., Yin, H., Caballero, J., Jager, I., Kang, M.G., Liang, Z., Newsome, J., Poosankam, P., Saxena, P.: BitBlaze: A new approach to computer security via binary analysis. In: Sekar, R., Pujari, A.K. (eds.) ICISS 2008. LNCS, vol. 5352, pp. 1–25. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  18. 18.
    Dullien, T., Rolles, R., Bochum, R.-U.: Graph-based comparison of executable objects (2005)Google Scholar
  19. 19.
    Sabin, T.: Comparing Binaries with Graph Isomorphisms (2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Donghwi Shin
    • 1
  • Kwangwoo Lee
    • 1
  • Dongho Won
    • 1
  1. 1.Information Security Group, School of Information and Communication EngineeringSungkyunkwan UniversitySuwonKorea

Personalised recommendations