Detecting malicious executable file via graph comparison using support vector machine

Every day, anti-virus companies receive large numbers of potentially harmful executables. Many of the malicious samples among them are variants of earlier versions, created by their authors to evade detection. Consequently, robust detection approaches are required that can recognize similar samples automatically. This paper studies malware detection through call graphs: the functions of a binary executable are represented as vertices, and the calls between those functions as edges. Representing malware samples as call graphs makes it possible to derive and detect structural similarities between multiple samples, because the structure of calls tends to survive the superficial changes (renamed functions, reordered code) that produce a variant. The paper provides a new malware detection algorithm based on the analysis of graphs built from the instructions of the executable objects: a graph extractor constructs the call graph, a maximum common sub-graph similarity measure is approximated (computing the exact maximum common sub-graph is NP-hard, so an approximation is required in practice), and the resulting similarity values are passed to a support vector machine, which is trained to approximate the similarity value more accurately and to produce the detection decision.
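The pipeline the abstract describes, as an added illustration that is not the paper's code: call graphs are extracted from disassembly-like listings, an approximate maximum common sub-graph (MCS) similarity is computed, and a linear SVM is trained on the similarity of each sample to a set of prototype graphs. The listings, the greedy MCS approximation (seed the vertex mapping with identically named functions, then extend it by shared neighbours) and the Pegasos training routine are all assumptions made here; the page does not say which approximation or SVM formulation the paper uses.

```python
"""Call-graph extraction, approximate MCS similarity and a small linear SVM.
Added illustration, not the paper's code. All listings are constructed."""


def extract_call_graph(listing):
    """Parse ';'-separated 'caller->callee' pairs into {function: set(callees)}.
    Functions become vertices and each call a directed edge. Imported API
    functions appear as vertices with no callees."""
    graph = {}
    for pair in listing.split(";"):
        caller, callee = (s.strip() for s in pair.split("->"))
        graph.setdefault(caller, set()).add(callee)
        graph.setdefault(callee, set())
    return graph


def approx_mcs_similarity(g1, g2):
    """Greedy approximation of the maximum common edge subgraph of g1 and g2.
    Exact MCS is NP-hard, so: (1) seed the vertex mapping with functions that
    have the same name in both graphs (imports survive a malware author's
    renaming of local code); (2) extend it greedily, pairing each remaining
    local function of g1 with the unmapped local function of g2 that shares
    the most already-mapped callees and callers. The result is
    |common edges| / max(|E1|, |E2|), i.e. 1 minus a Bunke-style MCS distance."""
    mapping = {v: v for v in g1 if v in g2}

    def score(a, b):
        shared_callees = sum(1 for c in g1[a] if mapping.get(c) in g2[b])
        shared_callers = sum(1 for p in g1 if a in g1[p] and p in mapping
                             and b in g2[mapping[p]])
        return shared_callees + shared_callers

    # Only local code (vertices with outgoing calls) may be paired under a
    # different name; an import is never matched to a differently named import.
    candidates = [v for v in g2 if g2[v] and v not in mapping.values()]
    for a in sorted(v for v in g1 if g1[v] and v not in mapping):
        if not candidates:
            break
        best = max(candidates, key=lambda b: score(a, b))
        if score(a, best) > 0:
            mapping[a] = best
            candidates.remove(best)

    common = sum(1 for u in g1 for v in g1[u]
                 if u in mapping and v in mapping and mapping[v] in g2[mapping[u]])
    e1 = sum(len(c) for c in g1.values())
    e2 = sum(len(c) for c in g2.values())
    return common / max(e1, e2, 1)


def features(graph, prototypes):
    """Similarity to each prototype graph, plus a constant 1.0 so the SVM bias
    is learned (and regularised) as an ordinary weight."""
    return [approx_mcs_similarity(graph, p) for p in prototypes] + [1.0]


def train_linear_svm(X, y, lam=0.01, epochs=500):
    """Pegasos (stochastic sub-gradient) training of a linear SVM, cycling
    through the samples in a fixed order so the result is reproducible."""
    w = [0.0] * len(X[0])
    t = 0
    for _ in range(epochs):
        for x, label in zip(X, y):
            t += 1
            eta = 1.0 / (lam * t)
            margin = label * sum(wi * xi for wi, xi in zip(w, x))
            w = [(1 - eta * lam) * wi for wi in w]
            if margin < 1:  # hinge loss active: pull w towards this sample
                w = [wi + eta * label * xi for wi, xi in zip(w, x)]
    return w


def predict(w, x):
    return 1 if sum(wi * xi for wi, xi in zip(w, x)) >= 0 else -1


# Constructed listings (hypothetical, not real binaries): a process-injection
# family and a benign file reader, each with a variant whose local functions
# were renamed and which gained one extra call.
MALWARE = ("start->decrypt; start->inject; decrypt->VirtualAlloc; "
           "inject->WriteProcessMemory; inject->CreateRemoteThread; start->ExitProcess")
MALWARE_VARIANT = ("entry->unpack; entry->loader; unpack->VirtualAlloc; "
                   "loader->WriteProcessMemory; loader->CreateRemoteThread; "
                   "entry->ExitProcess; loader->Sleep")
BENIGN = ("main->read_config; main->run; read_config->CreateFileA; "
          "read_config->ReadFile; run->printf; main->ExitProcess")
BENIGN_VARIANT = ("entry->load_settings; entry->main_loop; load_settings->CreateFileA; "
                  "load_settings->ReadFile; main_loop->printf; main_loop->Sleep; "
                  "entry->ExitProcess")
UNSEEN_VARIANT = ("init->stage1; init->stage2; stage1->VirtualAlloc; "
                  "stage2->WriteProcessMemory; stage2->CreateRemoteThread; init->ExitProcess")


def classify_unseen():
    """Train on the four labelled samples, then classify a variant the SVM
    never saw. Returns the weights and the +1/-1 decisions."""
    protos = [extract_call_graph(MALWARE), extract_call_graph(BENIGN)]
    train = [(MALWARE, 1), (MALWARE_VARIANT, 1), (BENIGN, -1), (BENIGN_VARIANT, -1)]
    X = [features(extract_call_graph(s), protos) for s, _ in train]
    y = [label for _, label in train]
    w = train_linear_svm(X, y)
    unseen = predict(w, features(extract_call_graph(UNSEEN_VARIANT), protos))
    return {"weights": w, "unseen": unseen, "training": [predict(w, x) for x in X]}


if __name__ == "__main__":
    print(classify_unseen())
```

Two things worth noticing when running it: the renamed malware variant scores 6/7 against its family prototype but still 3/7 against the benign prototype, because small programs share a lot of generic structure (an entry function calling two helpers and ExitProcess), so a raw MCS threshold is a weak detector on its own; the SVM separates the classes by weighing similarity to the malware prototype against similarity to the benign one. The greedy matcher's refusal to pair differently named imports is what keeps the benign variant's printf from being matched to WriteProcessMemory.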
