A Malware and Variant Detection Method Using Function Call Graph Isomorphism

A huge influx of malware variants is generated with packing and obfuscation techniques. Current antivirus software uses byte signatures to identify known malware, a method that is easy to evade and generally ineffective for identifying malware variants. Antivirus analysts use hash signatures to check whether a captured sample is already present in a malware database, but this method cannot recognize malware variants whose hash signatures have changed completely. A function call graph is a high-level abstract representation of a program and is more stable and resilient than a byte or hash signature. In this paper, the function call graph is used as the signature of a program, and two kinds of graph isomorphism algorithms are employed to identify known malware and its variants. Four experiments are designed to evaluate the performance of the proposed method. Experimental results indicate that the proposed method is effective and efficient for identifying known malware and a portion of their variants. The proposed method can also be used to index and locate samples in a large-scale malware database and to group malware into the corresponding family.
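As an added illustration (not code from the paper), here is a small Python version of the two matching modes the abstract describes: exact graph isomorphism to recognise a known sample whose functions were merely renamed, and subgraph isomorphism to flag a variant that kept the known call structure but added functions. The call graphs and function names are constructed placeholders rather than real samples, and the backtracking search is a simplified Ullmann-style matcher, not the paper's own algorithms.

```python
def edge_set(g):
    return {(u, v) for u, callees in g.items() for v in callees}

def degrees(g):  # (in-degree, out-degree) per function: a cheap pruning key
    es = edge_set(g)
    return {n: (sum(1 for _, v in es if v == n), len(g[n])) for n in g}

def find_mapping(pattern, target, exact=True):
    """Backtracking node mapping pattern -> target. exact=True: bijection preserving
    edges both ways (isomorphism); exact=False: injection whose edges all exist in
    target (subgraph isomorphism: target added functions but kept the pattern)."""
    pn, tn = list(pattern), list(target)
    pe, te = edge_set(pattern), edge_set(target)
    pd, td = degrees(pattern), degrees(target)
    if len(pn) > len(tn) or (exact and (len(pn), len(pe)) != (len(tn), len(te))):
        return None
    def fits(a, b):  # degree pruning: equal for exact match, bounded for subgraph
        (ai, ao), (bi, bo) = pd[a], td[b]
        return (ai, ao) == (bi, bo) if exact else (ai <= bi and ao <= bo)
    def consistent(m):  # every mapped pair must agree on whether an edge exists
        for u in m:
            for v in m:
                in_p, in_t = (u, v) in pe, (m[u], m[v]) in te
                if (in_p and not in_t) or (exact and in_t and not in_p):
                    return False
        return True
    def extend(i, m):
        if i == len(pn):
            return dict(m)
        for b in tn:
            if b in m.values() or not fits(pn[i], b):
                continue
            m[pn[i]] = b
            if consistent(m) and (found := extend(i + 1, m)):
                return found
            del m[pn[i]]
        return None
    return extend(0, {})

# Constructed call graphs {caller: {callees}}; function names are placeholders.
KNOWN = {"entry": {"unpack", "beacon"}, "unpack": {"decrypt"}, "decrypt": set(),
         "beacon": {"send"}, "send": set()}
RENAMED = {"f1": {"f2", "f4"}, "f2": {"f3"}, "f3": set(), "f4": {"f5"}, "f5": set()}
EXTENDED = {"a": {"b", "d", "g"}, "b": {"c"}, "c": set(), "d": {"e"}, "e": set(), "g": {"c"}}
UNRELATED = {"x": {"y"}, "y": {"z"}, "z": {"x"}, "w": {"x"}, "q": set()}

def classify(sample, known=KNOWN):
    if find_mapping(known, sample, exact=True):
        return "known malware"   # same call structure, only the names differ
    if find_mapping(known, sample, exact=False):
        return "likely variant"  # known graph embedded in a larger one
    return "no match"
```

Degree-based pruning keeps the search tractable on the small graphs here; on real binaries with thousands of functions the paper's experiments are what show whether this approach scales.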
