research-article

Fast malware classification by automated behavioral graph matching

Authors:

Douglas Reeves,

Vikram Mulukutla,

Balaji SundaravelAuthors Info & Claims

CSIIRW '10: Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research

Article No.: 45, Pages 1 - 4

https://doi.org/10.1145/1852666.1852716

Published: 21 April 2010 Publication History

Abstract

Malicious software (malware) is a serious problem in the Internet. Malware classification is useful for detection and analysis of new threats for which signatures are not available, or possible (due to polymorphism). This paper proposes a new malware classification method based on maximal common subgraph detection. A behavior graph is obtained by capturing system calls during the execution (in a sandboxed environment) of the suspicious software. The method has been implemented and tested on a set of 300 malware instances in 6 families. Results demonstrate the method effectively groups the malware instances, compared with previous methods of classification, is fast, and has a low false positive rate when presented with benign software.

Supplementary Material

Supplemental material. (a45-park_slides.pdf)

Download
880.50 KB

References

[1]

M. Bailey, J. Oberheide, J. Andersen, Z. M. Mao, and F. J. and Jose Nazario. Automated classification and analysis of internet malware. In Proceedings of 10th International Symposium in Recent Advances in Intrusion Detection(RAID), volume 4637 of Lecture Notes in Computer Science, pages 178--197, Gold Goast, Australia, September 2007. Springer.

Digital Library

[2]

U. Bayer, P. Milani Comparetti, C. Hlauscheck, C. Kruegel, and E. Kirda. Scalable, Behavior-Based Malware Clustering. In 16th Symposium on Network and Distributed System Security (NDSS), 2009.

[3]

H. Bunke and K. Shearer. A graph distance metric based on the maximal common subgraph. pages 255--259.

Digital Library

[4]

M. Christodorescu, S. Jha, and C. Kruegel. Mining specifications of malicious behavior. In Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering(ESEC-FSE '07), pages 5--14, New York, NY, USA, 2007. ACM.

Digital Library

[5]

D. Conte, P. Foggia, and M. Vento. Challenging complexity of maximum common subgraph detection algorithms: A performance analysis of three algorithms on a wide database of graphs. J. Graph Algorithms Appl., 11(1):99--143, 2007.

[6]

S. Corp. Symantec global internet security threat report, April 2008. http://www.symantec.com/.

[7]

A. Dinaburg, P. Royal, M. I. Sharif, and W. Lee. Ether: malware analysis via hardware virtualization extensions. In ACM Conference on Computer and Communications Security, pages 51--62, 2008.

Digital Library

[8]

X. Hu, T.-c. Chiueh, and K. G. Shin. Large-scale malware indexing using function-call graphs. In Proceedings of the 16th ACM conference on Computer and communications security(CCS'09), pages 611--620, Chicago, Illinois, USA, 2009. ACM.

Digital Library

[9]

C. Kolbitsch, P. Milani Comparetti, C. Kruegel, E. Kirda, X. Zhou, and X. Wang. Effective and Efficient Malware Detection at the End Host. In 18th Usenix Security Symposium, Montreal, Canada, August 2009.

Digital Library

[10]

J. Z. Kolter and M. A. Maloof. Learning to detect and classify malicious executables in the wild. Journal of Machine Learning Research, 7:2721--2744, 2006.

Digital Library

[11]

C. Krugel, E. Kirda, D. Mutz, W. K. Robertson, and G. Vigna. Polymorphic worm detection using structural information of executables. In RAID, pages 207--226, 2005.

Digital Library

[12]

A. T. R. Labs. Graphviz - graph visualization software. http://graphviz.org/.

[13]

B. T. Messmer and H. Bunke. A new algorithm for error-tolerant subgraph isomorphism detection. IEEE Transactions on Pattern Analysis and Machine Intelligence, 20(5):493--504, 1998.

Digital Library

[14]

T. M. Project. Windows system call table. http://www.metasploit.com/users/opcode/syscalls.html.

[15]

K. Rieck, T. Holz, C. Willems, P. Dussel, and P. Laskov. Learning and classification of malware behavior. In Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment(DIMVA), pages 108--125, Berlin, Heidelberg, 2008. Springer-Verlag.

Digital Library

[16]

E. Stinson and J. C. Mitchell. Characterizing bots' remote control behavior. In Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment(DIMVA '07), pages 89--108, Berlin, Heidelberg, 2007. Springer-Verlag.

Digital Library

[17]

D. Wagner and R. Dean. Intrusion Detection via Static Analysis. In Proceedings 2001 IEEE Symposium on Security and Privacy(S&P), pages 156--168, Oakland, CA, USA, May 2001.

Digital Library

[18]

Q. Zhang and D. S. Reeves. Metaaware: Identifying metamorphic malware. In 23rd Annual Computer Security Applications Conference (ACSAC).

Cited By

Molloy CBanks JDing SAlaca FCharland PWalenstein A(2025)Mecha: A Neural-Symbolic Open-Set Homogeneous Decision Fusion Approach for Zero-Day Malware Similarity DetectionIEEE Transactions on Software Engineering10.1109/TSE.2025.353121051:2(621-637)Online publication date: 1-Feb-2025
https://dl.acm.org/doi/10.1109/TSE.2025.3531210
Saint-Hilaire KNeal CCuppens FBoulahia-Cuppens NHadji M(2025)Matching Knowledge Graphs for Cybersecurity Countermeasures SelectionScience of Cyber Security10.1007/978-981-96-2417-1_7(118-137)Online publication date: 4-Mar-2025
https://doi.org/10.1007/978-981-96-2417-1_7
Yang YWu HWang YWang P(2024)AMN: Attention-based Multimodal Network for Android Malware Classification2024 IEEE International Conference on Cybernetics and Intelligent Systems (CIS) and IEEE International Conference on Robotics, Automation and Mechatronics (RAM)10.1109/CIS-RAM61939.2024.10672730(7-13)Online publication date: 8-Aug-2024
https://doi.org/10.1109/CIS-RAM61939.2024.10672730
Show More Cited By

Index Terms

Fast malware classification by automated behavioral graph matching
1. General and reference
  1. Cross-computing tools and techniques
    1. Metrics
2. Social and professional topics
  1. Computing / technology policy

Recommendations

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web
ROOTS: Proceedings of the 1st Reversing and Offensive-oriented Trends Symposium

Automated dynamic malware analysis systems are important in combating the proliferation of modern malware. Unfortunately, malware can often easily detect and evade these systems. Competition between malware authors and analysis system developers has ...
Detecting environment-sensitive malware
RAID'11: Proceedings of the 14th international conference on Recent Advances in Intrusion Detection

The execution of malware in an instrumented sandbox is a widespread approach for the analysis of malicious code, largely because it sidesteps the difficulties involved in the static analysis of obfuscated code. As malware analysis sandboxes increase in ...
Deriving common malware behavior through graph clustering

Detection of malicious software (malware) continues to be a problem as hackers devise new ways to evade available methods. The proliferation of malware and malware variants requires new advanced methods to detect them. This paper proposes a method to ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

CSIIRW '10: Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research

April 2010

257 pages

ISBN:9781450300179

DOI:10.1145/1852666

Editors:
Frederick T. Sheldon
Oak Ridge National Laboratory
,
Stacy Prowell
Oak Ridge National Laboratory
,
Robert K. Abercrombie
Oak Ridge National Laboratory
,
Axel Krings
University of Idaho

Copyright © 2010 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 April 2010

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CSIIRW '10

CSIIRW '10: Annual Cyber Security and Information Intelligence Research Workshop

April 21 - 23, 2010

Tennessee, Oak Ridge, USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

117
Total Citations
View Citations
1,607
Total Downloads

Downloads (Last 12 months)35
Downloads (Last 6 weeks)2

Reflects downloads up to 05 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Molloy CBanks JDing SAlaca FCharland PWalenstein A(2025)Mecha: A Neural-Symbolic Open-Set Homogeneous Decision Fusion Approach for Zero-Day Malware Similarity DetectionIEEE Transactions on Software Engineering10.1109/TSE.2025.353121051:2(621-637)Online publication date: 1-Feb-2025
https://dl.acm.org/doi/10.1109/TSE.2025.3531210
Saint-Hilaire KNeal CCuppens FBoulahia-Cuppens NHadji M(2025)Matching Knowledge Graphs for Cybersecurity Countermeasures SelectionScience of Cyber Security10.1007/978-981-96-2417-1_7(118-137)Online publication date: 4-Mar-2025
https://doi.org/10.1007/978-981-96-2417-1_7
Yang YWu HWang YWang P(2024)AMN: Attention-based Multimodal Network for Android Malware Classification2024 IEEE International Conference on Cybernetics and Intelligent Systems (CIS) and IEEE International Conference on Robotics, Automation and Mechatronics (RAM)10.1109/CIS-RAM61939.2024.10672730(7-13)Online publication date: 8-Aug-2024
https://doi.org/10.1109/CIS-RAM61939.2024.10672730
Mester A(2023)Malware Analysis and Static Call Graph Generation with Radare2Studia Universitatis Babeș-Bolyai Informatica10.24193/subbi.2023.1.0168:1(5-20)Online publication date: 20-Jul-2023
https://doi.org/10.24193/subbi.2023.1.01
Casey WMelaragno A(2023)Scaling a Machine Learning Approach to many kinds of Malicious Behavior for Cybersecurity2023 AEIT International Annual Conference (AEIT)10.23919/AEIT60520.2023.10330312(1-6)Online publication date: 5-Oct-2023
https://doi.org/10.23919/AEIT60520.2023.10330312
Li XYan ZZhang SLi XWang F(2023)Formal Characterization of Malicious Code in Power Information Systems Based on Multidimensional Feature FusionProceedings of the 8th International Conference on Cyber Security and Information Engineering10.1145/3617184.3630149(274-281)Online publication date: 22-Sep-2023
https://dl.acm.org/doi/10.1145/3617184.3630149
Xu YChen Z(2023)Family Classification based on Tree Representations for MalwareProceedings of the 14th ACM SIGOPS Asia-Pacific Workshop on Systems10.1145/3609510.3609818(65-71)Online publication date: 24-Aug-2023
https://dl.acm.org/doi/10.1145/3609510.3609818
Zhong FChen ZXu MZhang GYu DCheng X(2023)Malware-on-the-Brain: Illuminating Malware Byte Codes With Images for Malware ClassificationIEEE Transactions on Computers10.1109/TC.2022.316035772:2(438-451)Online publication date: 1-Feb-2023
https://doi.org/10.1109/TC.2022.3160357
Xu YChen Z(2023)Familial Graph Classification of Malware based on Structured API Call Sequences2023 IEEE 23rd International Conference on Software Quality, Reliability, and Security Companion (QRS-C)10.1109/QRS-C60940.2023.00072(167-175)Online publication date: 22-Oct-2023
https://doi.org/10.1109/QRS-C60940.2023.00072
Priya VSathya Sofia A(2023)Review on Malware Classification and Malware Detection Using Transfer Learning Approach2023 5th International Conference on Smart Systems and Inventive Technology (ICSSIT)10.1109/ICSSIT55814.2023.10061076(1042-1049)Online publication date: 23-Jan-2023
https://doi.org/10.1109/ICSSIT55814.2023.10061076
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten