Fingerprinting Executable Programs Based on Color Moments of a Novel Abstract Call Graph

In this paper we propose a new method for computing a fingerprint of an executable program. The method is based on statistical analysis of a two-dimensional graph that we call the novel abstract call graph: an image of colored pixels arranged according to the adjacency matrix of the program's call flow graph, where the color of each pixel is determined by the in-degree and out-degree of the function nodes and by the call relationship between them. Our experiments show that the color moments of this image can serve as a fingerprint for identifying executable programs, for three reasons: uniqueness, since different executable programs map to different abstract call graphs with different color moments; sensitivity, since the color moments change whenever the function call relationships are modified; and robustness, since the color moments do not change under local modifications of ordinary instructions that leave the function call relationships intact. We show that this fingerprint can be used for intrusion detection, because malicious code is likely to change the function call relationships of an infected program, and that it can also be used to compare N versions of a program, among other applications. The paper mainly introduces the process of forming the fingerprint, its properties, and its prospective applications.
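The following is an added illustration of the pipeline the abstract describes (call graph, adjacency matrix rendered as colored pixels, color moments as fingerprint); it is not the authors' code. The toy program, its pseudo-instructions, and the exact pixel colouring (red from the caller's out-degree, green from the callee's in-degree, blue marking the presence of a call) are assumptions made here, since the abstract only states that colour depends on in-degree, out-degree and the call relationship. It also exercises the two properties the abstract claims: a local instruction edit that leaves the call relationships intact yields the same fingerprint, while a single new call relationship changes it.

```python
import math
from typing import Dict, List, Sequence, Tuple

Instruction = Tuple[str, ...]
Program = Dict[str, List[Instruction]]
Pixel = Tuple[int, int, int]

# Constructed toy program (not from the paper): each function is a list of
# pseudo-instructions; only ("call", target) contributes to the call graph.
PROGRAM: Program = {
    "main":  [("push", "ebp"), ("call", "parse"), ("call", "run"), ("ret",)],
    "parse": [("mov", "eax", "0"), ("call", "read"), ("ret",)],
    "run":   [("call", "read"), ("call", "write"), ("ret",)],
    "read":  [("mov", "eax", "1"), ("ret",)],
    "write": [("xor", "eax", "eax"), ("ret",)],
}

# Same call relationships, different local instructions in "read".
LOCALLY_MODIFIED: Program = {**PROGRAM, "read": [("mov", "eax", "2"), ("nop",), ("ret",)]}

# One new call relationship (write -> read), the kind of change the abstract
# expects injected code to cause.
CALL_MODIFIED: Program = {**PROGRAM, "write": [("xor", "eax", "eax"), ("call", "read"), ("ret",)]}


def extract_call_graph(program: Program) -> Dict[str, List[str]]:
    """Map each function to the distinct functions it calls (adjacency list)."""
    graph: Dict[str, List[str]] = {name: [] for name in program}
    for name, insns in program.items():
        for insn in insns:
            if insn[0] == "call" and insn[1] in program and insn[1] not in graph[name]:
                graph[name].append(insn[1])
    return graph


def build_abstract_call_graph(graph: Dict[str, List[str]]) -> List[List[Pixel]]:
    """Render the adjacency matrix as an N x N grid of RGB pixels.

    Assumed colouring for cell (i, j): R = scaled out-degree of caller i,
    G = scaled in-degree of callee j, B = 255 if i calls j; cells with no
    call are black.
    """
    names = sorted(graph)
    out_deg = {n: len(graph[n]) for n in names}
    in_deg = {n: 0 for n in names}
    for callees in graph.values():
        for c in callees:
            in_deg[c] += 1
    scale = 255 // max(1, max(out_deg.values()), max(in_deg.values()))
    pixels: List[List[Pixel]] = []
    for i in names:
        row: List[Pixel] = []
        for j in names:
            if j in graph[i]:
                row.append((out_deg[i] * scale, in_deg[j] * scale, 255))
            else:
                row.append((0, 0, 0))
        pixels.append(row)
    return pixels


def color_moments(pixels: Sequence[Sequence[Pixel]]) -> Tuple[Tuple[float, float, float], ...]:
    """First three colour moments (mean, std dev, skewness) per RGB channel,
    in the style of Stricker and Orengo; independent of pixel order, so the
    node ordering chosen above does not affect the result."""
    flat = [px for row in pixels for px in row]
    n = len(flat)
    result = []
    for ch in range(3):
        vals = [px[ch] for px in flat]
        mean = sum(vals) / n
        std = math.sqrt(sum((v - mean) ** 2 for v in vals) / n)
        third = sum((v - mean) ** 3 for v in vals) / n
        skew = math.copysign(abs(third) ** (1.0 / 3.0), third)  # signed cube root
        result.append((mean, std, skew))
    return tuple(result)


def fingerprint(program: Program) -> Tuple[Tuple[float, float, float], ...]:
    """Fingerprint = colour moments of the program's abstract call graph."""
    return color_moments(build_abstract_call_graph(extract_call_graph(program)))


def fingerprint_distance(a, b) -> float:
    """Euclidean distance over the nine moment values; 0.0 means identical."""
    return math.sqrt(sum((x - y) ** 2 for ma, mb in zip(a, b) for x, y in zip(ma, mb)))


if __name__ == "__main__":
    base = fingerprint(PROGRAM)
    print("baseline:", base)
    print("local edit distance:", fingerprint_distance(base, fingerprint(LOCALLY_MODIFIED)))
    print("call edit distance :", fingerprint_distance(base, fingerprint(CALL_MODIFIED)))
```

For the toy program the blue channel alone already shows how the moments encode the call structure: 5 of the 25 cells carry a call, so the blue mean is 51.0 and the standard deviation 102.0; adding the write-to-read call raises the mean to 61.2. Because the moments are order-invariant statistics over the whole image, the fingerprint does not depend on how functions are numbered, which is why a local instruction edit that leaves the adjacency matrix unchanged produces a distance of exactly 0.0.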
