
Using a Fine-Grained Hybrid Feature for Malware Similarity Analysis

  • Conference paper
Advances in Computer Science and Ubiquitous Computing (UCAWSN 2016, CUTE 2016, CSA 2016)

Abstract

The dramatic growth of malware poses severe challenges to computer security. Most newly encountered instances are variants of previously seen malware, produced through polymorphism and metamorphism techniques. Traditional signature-based detection methods are ineffective at recognizing this enormous number of variants, and malware similarity analysis has become the mainstream technique for identifying them. However, most existing methods either rely on static structural features and therefore struggle with polymorphic and metamorphic samples, or rely on dynamic behavior features and are time consuming and resource intensive. In this paper, we propose a novel malware similarity analysis method based on a fine-grained hybrid feature that exploits the complementary nature of static and dynamic analysis: we integrate dynamic runtime behavior with the static function-call graph. The hybrid feature overcomes the limitations of using static and dynamic features separately and yields higher accuracy. Further, we use graph edit distance, computed with an inexact graph matching algorithm, as the metric for measuring the distance between malicious instances. We have evaluated our algorithm on a real-world dataset and compared it with another approach. The experiments demonstrate that our method achieves higher accuracy.
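The metric named in the abstract, graph edit distance over a hybrid function-call graph, can be made concrete on tiny constructed samples. The Python below is an added example and is not code from the paper or its authors: each node is a function from the static call graph, its attribute is the set of API calls observed for that function at run time, and the distance is the bipartite-assignment approximation of graph edit distance due to Riesen and Bunke, after which the edit path induced by the node assignment is costed to obtain an upper bound on the exact distance. Unit edit costs, the Jaccard label distance, the degree-based local structure term, the normalisation behind the similarity score and the three sample graphs are all assumptions of the example.

```python
from dataclasses import dataclass
from functools import lru_cache

INF = float("inf")
NODE_EDIT = 1.0  # assumed cost of inserting or deleting a function node
EDGE_EDIT = 1.0  # assumed cost of inserting or deleting a call edge


@dataclass
class CallGraph:
    apis: dict   # function name -> set of API names observed for it at run time
    edges: set   # (caller, callee) pairs from the static call graph

    def degree(self, f):
        return sum(1 for a, b in self.edges if f in (a, b))


def label_distance(a, b):
    """Jaccard distance between two API-call sets (0 = identical)."""
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)


def cost_matrix(g1, g2):
    """(n1+n2) x (n1+n2) bipartite cost matrix in the Riesen-Bunke layout."""
    n1, n2 = list(g1.apis), list(g2.apis)
    size = len(n1) + len(n2)
    c = [[INF] * size for _ in range(size)]
    for i, u in enumerate(n1):
        for j, v in enumerate(n2):
            # substitution: label mismatch plus a local structure term
            c[i][j] = (label_distance(g1.apis[u], g2.apis[v])
                       + EDGE_EDIT * abs(g1.degree(u) - g2.degree(v)))
        c[i][len(n2) + i] = NODE_EDIT + EDGE_EDIT * g1.degree(u)  # delete u
    for j, v in enumerate(n2):
        c[len(n1) + j][j] = NODE_EDIT + EDGE_EDIT * g2.degree(v)  # insert v
        for i in range(len(n1)):
            c[len(n1) + j][len(n2) + i] = 0.0  # dummy to dummy is free
    return n1, n2, c


def min_assignment(c):
    """Exact minimum-cost assignment by bitmask DP; fine for small graphs."""
    n = len(c)

    @lru_cache(maxsize=None)
    def best(i, used):
        if i == n:
            return 0.0, ()
        cheapest = (INF, ())
        for j in range(n):
            if not used & (1 << j) and c[i][j] < INF:
                rest_cost, rest = best(i + 1, used | (1 << j))
                if c[i][j] + rest_cost < cheapest[0]:
                    cheapest = (c[i][j] + rest_cost, (j,) + rest)
        return cheapest
    return best(0, 0)[1]


def graph_edit_distance(g1, g2):
    """Cost of the edit path induced by the node assignment (upper bound on GED)."""
    n1, n2, c = cost_matrix(g1, g2)
    cols = min_assignment(c)
    mapping = {u: n2[cols[i]] if cols[i] < len(n2) else None
               for i, u in enumerate(n1)}          # None = node deleted
    cost = 0.0
    for u, v in mapping.items():
        cost += NODE_EDIT if v is None else label_distance(g1.apis[u], g2.apis[v])
    cost += NODE_EDIT * sum(1 for v in n2 if v not in mapping.values())
    covered = set()
    for a, b in g1.edges:
        ma, mb = mapping[a], mapping[b]
        if ma is not None and mb is not None and (ma, mb) in g2.edges:
            covered.add((ma, mb))      # edge preserved by the mapping
        else:
            cost += EDGE_EDIT          # edge of g1 has to be deleted
    cost += EDGE_EDIT * len(g2.edges - covered)  # edges of g2 to insert
    return cost, mapping


def similarity(g1, g2):
    """1 - GED normalised by the cost of deleting g1 and inserting g2."""
    worst = (NODE_EDIT * (len(g1.apis) + len(g2.apis))
             + EDGE_EDIT * (len(g1.edges) + len(g2.edges)))
    return 1.0 - graph_edit_distance(g1, g2)[0] / worst


def sample_graphs():
    """Constructed toy samples: A, a variant B of A, and an unrelated C."""
    a = CallGraph({"main": {"CreateFileW"}, "init": {"RegOpenKeyExW", "RegSetValueExW"},
                   "net": {"WSAStartup", "connect"}, "send": {"send"}},
                  {("main", "init"), ("main", "net"), ("net", "send")})
    b = CallGraph({"main": {"CreateFileW"}, "init": {"RegOpenKeyExW", "RegSetValueExW"},
                   "net": {"WSAStartup", "connect"}, "send": {"send", "closesocket"},
                   "junk": {"Sleep"}},  # padding function added by the variant
                  {("main", "init"), ("main", "net"), ("net", "send"), ("main", "junk")})
    c = CallGraph({"a": {"GetTickCount"}, "b": {"MessageBoxW"}}, {("a", "b")})
    return a, b, c


if __name__ == "__main__":
    A, B, C = sample_graphs()
    print(graph_edit_distance(A, B), similarity(A, B), similarity(A, C))
```

Running the module maps every function of A onto its counterpart in B at a cost of 2.5 (the extra `closesocket` call and the inserted padding function with its call edge), giving a similarity of about 0.84, while the unrelated graph C scores at most 0.4. The assignment step only approximates the exact distance, so the value returned is an upper bound; the degree term in the cost matrix makes the assignment prefer structurally similar functions, which is what keeps the mapping stable when a variant adds junk functions.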


Acknowledgement

This work is supported by the National Science Foundation of China (No.61472439, No.61271252).

Corresponding author

Correspondence to Jing Liu.


Copyright information

© 2017 Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Liu, J., Wang, Y., Xie, P., Ma, X. (2017). Using a Fine-Grained Hybrid Feature for Malware Similarity Analysis. In: Park, J., Pan, Y., Yi, G., Loia, V. (eds) Advances in Computer Science and Ubiquitous Computing (UCAWSN 2016, CUTE 2016, CSA 2016). Lecture Notes in Electrical Engineering, vol 421. Springer, Singapore. https://doi.org/10.1007/978-981-10-3023-9_9


  • DOI: https://doi.org/10.1007/978-981-10-3023-9_9


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-10-3022-2

  • Online ISBN: 978-981-10-3023-9

