A Malware and Variant Detection Method Using Function Call Graph Isomorphism
The huge influx of malware variants is generated using packing and obfuscation techniques. Current antivirus software uses byte signatures to identify known malware; this method is easily deceived and generally ineffective for identifying malware variants. Antivirus experts use hash signatures...
Main Authors: | Jinrong Bai, Qibin Shi, Shiguang Mu |
---|---|
Format: | Article |
Language: | English |
Published: | Hindawi-Wiley, 2019-01-01 |
Series: | Security and Communication Networks |
Online Access: | http://dx.doi.org/10.1155/2019/1043794 |
id | doaj-db1a4b26a9fa408b930f84ce1a9804d3 |
---|---|
record_format | Article |
collection | DOAJ |
sources | DOAJ |
language | English |
format | Article |
author | Jinrong Bai (School of Mathematics and Information Technology, Yuxi Normal University, Yuxi 653100, China); Qibin Shi (Yuxi E-government Network Management Center, Yuxi 653100, China); Shiguang Mu (School of Physics and Electronic Engineering, Yuxi Normal University, Yuxi 653100, China) |
title | A Malware and Variant Detection Method Using Function Call Graph Isomorphism |
publisher | Hindawi-Wiley |
series | Security and Communication Networks |
issn | 1939-0114; 1939-0122 |
publishDate | 2019-01-01 |
description | The huge influx of malware variants is generated using packing and obfuscation techniques. Current antivirus software uses byte signatures to identify known malware; this method is easily deceived and generally ineffective for identifying malware variants. Antivirus experts use hash signatures to verify whether a captured sample is already in a malware database, but this method cannot recognize malware variants whose hash signatures have changed completely. A function call graph is a high-level abstract representation of a program and is more stable and resilient than a byte or hash signature. In this paper, the function call graph is used as the signature of a program, and two kinds of graph isomorphism algorithms are employed to identify known malware and its variants. Four experiments are designed to evaluate the performance of the proposed method. Experimental results indicate that the proposed method is effective and efficient for identifying known malware and a portion of their variants. The proposed method can also be used to index and locate samples in a large-scale malware database and to group malware into the corresponding family. |
url | http://dx.doi.org/10.1155/2019/1043794 |
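The description above argues that byte and hash signatures break as soon as a variant is repacked or its functions are renamed, while the function call graph survives, and that two kinds of graph isomorphism are used to match known malware and its variants. The Python below is an added illustration of that argument, not code from the paper. It builds labelled call graphs from constructed toy samples (imported API names are kept as node labels, internal function names are discarded), shows that a SHA-256 over the listing changes on renaming while a degree-based invariant and an exact labelled isomorphism test still match, and reuses the same backtracking matcher in subgraph (monomorphism) mode for a variant that adds a routine. Treating exact and subgraph isomorphism as the "two kinds" of algorithm, the sample names, and the API set are assumptions made for this example; the abstract does not specify them.

```python
"""Added example (not the paper's code): call-graph signatures versus byte hashes.
Toy samples map each internal function to its callees; callees not defined in
the sample are treated as imported APIs, whose names survive renaming."""
import hashlib
from typing import Dict, List, Optional, Set, Tuple

Graph = Tuple[Dict[str, str], Set[Tuple[str, str]]]  # (node labels, directed edges)

# Constructed samples: a known sample, a renamed/reordered variant, a variant
# with one added routine, and an unrelated program with overlapping imports.
SAMPLE_A = {"main": ["init", "persist", "drop"], "init": ["InternetOpenA"],
            "persist": ["RegSetValueExA"], "drop": ["CreateFileA", "WriteFile", "CloseHandle"]}
SAMPLE_A2 = {"sub_401000": ["sub_402000", "sub_403000", "sub_404000"],
             "sub_404000": ["CreateFileA", "WriteFile", "CloseHandle"],
             "sub_402000": ["InternetOpenA"], "sub_403000": ["RegSetValueExA"]}
SAMPLE_A3 = {**SAMPLE_A2, "sub_401000": SAMPLE_A2["sub_401000"] + ["sub_405000"],
             "sub_405000": ["IsDebuggerPresent"]}
SAMPLE_B = {"main": ["setup", "write"], "setup": ["InternetOpenA", "RegSetValueExA"],
            "write": ["CreateFileA", "WriteFile"]}


def byte_signature(calls: Dict[str, List[str]]) -> str:
    """Hash of the textual listing: any rename or reorder changes it."""
    listing = "\n".join(f"{f}: {', '.join(c)}" for f, c in calls.items())
    return hashlib.sha256(listing.encode()).hexdigest()


def build_call_graph(calls: Dict[str, List[str]]) -> Graph:
    """Internal functions are labelled 'internal'; imports keep their API name."""
    labels, edges = {}, set()
    for caller, callees in calls.items():
        labels[caller] = "internal"
        for callee in callees:
            labels[callee] = "internal" if callee in calls else callee
            edges.add((caller, callee))
    return labels, edges


def _degrees(g: Graph):
    out_d = {n: 0 for n in g[0]}
    in_d = {n: 0 for n in g[0]}
    for u, v in g[1]:
        out_d[u] += 1
        in_d[v] += 1
    return out_d, in_d


def graph_invariant(g: Graph):
    """Multiset of (label, in-degree, out-degree): equal for isomorphic graphs,
    so it can shortlist database candidates before the exact test is run."""
    out_d, in_d = _degrees(g)
    return tuple(sorted((lab, in_d[n], out_d[n]) for n, lab in g[0].items()))


def find_mapping(pattern: Graph, target: Graph, subgraph: bool = False) -> Optional[Dict[str, str]]:
    """Label-preserving injective map of pattern nodes into target nodes.
    subgraph=False: exact isomorphism. subgraph=True: every pattern edge must
    exist in target, which may carry extra functions and calls (added code)."""
    p_labels, p_edges = pattern
    t_labels, t_edges = target
    if len(p_labels) > len(t_labels):
        return None
    if not subgraph and (len(p_labels) != len(t_labels) or len(p_edges) != len(t_edges)):
        return None
    p_out, p_in = _degrees(pattern)
    t_out, t_in = _degrees(target)
    deg_ok = (lambda a, b: a <= b) if subgraph else (lambda a, b: a == b)
    succ = {n: {v for u, v in p_edges if u == n} for n in p_labels}
    pred = {n: {u for u, v in p_edges if v == n} for n in p_labels}
    order = sorted(p_labels, key=lambda n: -(p_out[n] + p_in[n]))  # most constrained first
    mapping: Dict[str, str] = {}

    def extend(i: int) -> bool:
        if i == len(order):
            return True
        pn = order[i]
        for tn in t_labels:
            if tn in mapping.values() or t_labels[tn] != p_labels[pn]:
                continue
            if not (deg_ok(p_out[pn], t_out[tn]) and deg_ok(p_in[pn], t_in[tn])):
                continue
            if pn in succ[pn] and (tn, tn) not in t_edges:  # recursion must be preserved
                continue
            if any(s in mapping and (tn, mapping[s]) not in t_edges for s in succ[pn]):
                continue
            if any(p in mapping and (mapping[p], tn) not in t_edges for p in pred[pn]):
                continue
            mapping[pn] = tn
            if extend(i + 1):
                return True
            del mapping[pn]
        return False

    return dict(mapping) if extend(0) else None


def is_isomorphic(g1: Graph, g2: Graph) -> bool:
    return find_mapping(g1, g2) is not None


def contains_subgraph(known: Graph, sample: Graph) -> bool:
    return find_mapping(known, sample, subgraph=True) is not None


if __name__ == "__main__":
    a, a2, a3, b = (build_call_graph(s) for s in (SAMPLE_A, SAMPLE_A2, SAMPLE_A3, SAMPLE_B))
    print("byte hash A == A2:", byte_signature(SAMPLE_A) == byte_signature(SAMPLE_A2))
    print("invariant A == A2:", graph_invariant(a) == graph_invariant(a2))
    print("isomorphic A,A2:", is_isomorphic(a, a2), "| A,A3:", is_isomorphic(a, a3))
    print("A in A3:", contains_subgraph(a, a3), "| A in B:", contains_subgraph(a, b))
```

Running the file prints the comparisons: the byte hash of the renamed variant differs, the invariant and the exact test still match it, the variant with an added routine fails the exact test but is found by the subgraph test, and the unrelated program matches neither. The degree invariant is the kind of key one would store alongside each record in a malware database, since backtracking isomorphism on large call graphs is expensive and should only run on shortlisted candidates.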