BinGraph: Discovering mutant malware using hierarchical semantic signatures

The malware landscape has grown dramatically over the last decade. The main reason for the increase is that new malware variants can be produced easily using simple code obfuscation techniques. Once obfuscation is applied, the malware changes its syntax while preserving its semantics, and bypasses anti-virus (AV) scanners. Malware authors therefore commonly use code obfuscation techniques to generate metamorphic malware. Signature-based AV techniques are limited in detecting metamorphic malware, since they are commonly based on syntactic signature matching. In this paper, we propose BinGraph, a new mechanism that accurately discovers metamorphic malware. BinGraph leverages the semantics of malware, since mutant malware can manipulate only its syntax. To this end, we first extract API calls from malware and convert them into a hierarchical behavior graph represented with an identical set of 128 nodes based on their semantics. We then extract unique subgraphs from the hierarchical behavior graphs as semantic signatures representing the common behaviors of a specific malware family. To evaluate BinGraph, we analyzed a total of 827 malware samples from 10 malware families together with 1,202 benign binaries. Among the malware, 20% of the samples, randomly chosen from each malware family, were used for extracting semantic signatures, and the rest were used for assessing detection accuracy. In the end, only 32 subgraphs were selected as semantic signatures. BinGraph discovered malware variants with 98% detection accuracy.
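The pipeline the abstract describes, as an added illustration that is not the paper's code: API traces are mapped onto a fixed semantic node set, chains of consecutive nodes serve as candidate subgraphs, and the subgraphs common to a family's training samples but absent from benign samples become its signatures. The API-to-node table, the use of node chains as subgraphs, and the sample traces are constructed assumptions; the paper's actual 128-node hierarchy is not given on this page.

```python
# Constructed semantic hierarchy: API name -> leaf node of a category/leaf
# tree. The paper uses a fixed 128-node hierarchy; this table and its
# categories are an assumption for illustration, not the paper's mapping.
API_TO_LEAF = {
    "CreateFileA": "file.create", "CreateFileW": "file.create",
    "WriteFile": "file.write",
    "RegOpenKeyExW": "registry.open",
    "RegSetValueExA": "registry.write", "RegSetValueExW": "registry.write",
    "InternetOpenA": "network.open", "InternetConnectA": "network.connect",
    "HttpSendRequestA": "network.send",
    "CreateProcessA": "process.create", "CreateProcessW": "process.create",
}

def subgraphs(api_trace, max_len=3):
    """Map an API trace onto the semantic node set and return every chain of
    2..max_len consecutive distinct nodes. Renamed APIs (A/W variants) and
    inserted junk calls with no semantic node do not change the chains."""
    nodes = []
    for api in api_trace:
        leaf = API_TO_LEAF.get(api)          # junk/unknown calls are dropped
        if leaf and (not nodes or nodes[-1] != leaf):
            nodes.append(leaf)               # collapse repeated nodes
    return {tuple(nodes[i:i + k])
            for k in range(2, max_len + 1)
            for i in range(len(nodes) - k + 1)}

def extract_signatures(family_traces, benign_traces):
    """Semantic signatures: subgraphs shared by every training sample of a
    family and never seen in any benign sample."""
    common = set.intersection(*(subgraphs(t) for t in family_traces))
    benign = set().union(*(subgraphs(t) for t in benign_traces))
    return common - benign

def detect(api_trace, signatures):
    """A sample is flagged when any family signature appears in its graph."""
    return bool(subgraphs(api_trace) & signatures)

# Constructed traces: two variants of one family (the second renamed its
# imports and inserted timing calls) plus three benign programs.
DROPPER = [
    ["CreateFileW", "WriteFile", "CreateProcessW", "RegSetValueExW"],
    ["GetTickCount", "CreateFileA", "Sleep", "WriteFile", "CreateProcessA",
     "RegSetValueExA"],
]
BENIGN = [
    ["CreateFileW", "WriteFile"],                       # editor saving a file
    ["RegOpenKeyExW", "RegSetValueExW"],                # app storing settings
    ["InternetOpenA", "InternetConnectA", "HttpSendRequestA"],  # web client
]
SIGNATURES = extract_signatures(DROPPER, BENIGN)
```

Running `detect` on an unseen variant that mixes A/W imports and junk calls still matches, while the benign editor trace does not, because the shared `file.create -> file.write` edge is excluded from the signatures.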
