Issue No. 06 - June (2013 vol. 62)
ISSN: 0018-9340
pp: 1193-1206
Yang Xiang , Deakin University, Victoria
Silvio Cesare , Deakin University, Victoria
Wanlei Zhou , Deakin University, Victoria
ABSTRACT
Signature-based malware detection systems have been a much-used response to the pervasive problem of malware. Identifying malware variants is essential to a detection system and is made possible by identifying invariant characteristics in related samples. To classify packed and polymorphic malware, this paper proposes a novel system, named Malwise, that uses a fast application-level emulator to reverse the code packing transformation and two flowgraph matching algorithms to perform classification. An exact flowgraph matching algorithm that uses string-based signatures is employed and is able to detect malware with near real-time performance. Additionally, a more effective approximate flowgraph matching algorithm is proposed that uses the decompilation technique of structuring to generate string-based signatures amenable to the string edit distance. We use real and synthetic malware to demonstrate the effectiveness and efficiency of Malwise. Using more than 15,000 real malware samples collected from honeypots, we validate effectiveness by showing that there is an 88 percent probability that new malware is detected as a variant of existing malware. Efficiency is demonstrated on a smaller sample set of malware, where 86 percent of the samples can be classified in under 1.3 seconds.
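As an added illustration of the two matching modes the abstract describes (this is not the authors' code): exact matching looks up the whole structured signature string, while approximate matching scores a normalised string edit distance against every stored signature. The token alphabet, the sample signatures, the similarity formula and the 0.6 threshold are assumptions made for this example; the structuring step that turns a flowgraph into the string is not shown.

```python
from typing import Dict, Optional, Tuple

# Constructed signatures keyed by family. Each string is a procedure's control
# flow rendered as structure tokens. The alphabet is an assumption, not the
# paper's grammar: B = block, W = while loop, I = if/then, E = if/then/else,
# R = return.
KNOWN_MALWARE: Dict[str, str] = {
    "BWBIBRB": "family_a",
    "BEBWBRB": "family_b",
    "BIBIBWBR": "family_c",
}


def exact_match(signature: str, db: Dict[str, str] = KNOWN_MALWARE) -> Optional[str]:
    """Exact flowgraph matching: a single dictionary lookup of the signature."""
    return db.get(signature)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling single-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # delete ca
                           cur[j - 1] + 1,            # insert cb
                           prev[j - 1] + (ca != cb))) # substitute / match
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """Normalised similarity in [0, 1]: 1 - distance / length of longer string."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - edit_distance(a, b) / longest


def approximate_match(signature: str, db: Dict[str, str] = KNOWN_MALWARE,
                      threshold: float = 0.6) -> Tuple[Optional[str], float]:
    """Approximate flowgraph matching: nearest stored signature above threshold.

    Returns (family, score); family is None when no signature is close enough,
    which is how a genuinely new sample (not a variant) would be reported.
    """
    best_sig = max(db, key=lambda s: similarity(signature, s))
    score = similarity(signature, best_sig)
    return (db[best_sig], score) if score >= threshold else (None, score)


if __name__ == "__main__":
    # A variant with one extra if/then block inserted: no exact hit, but a
    # close approximate hit on family_a.
    print(exact_match("BWBIBIBRB"), approximate_match("BWBIBIBRB"))
```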
INDEX TERMS
Malware, Flow graphs, Entropy, Databases, Emulation, Classification algorithms, Approximation algorithms, unpacking, Computer security, malware, control flow, structural classification, structured control flow
CITATION
Yang Xiang, Silvio Cesare, Wanlei Zhou, "Malwise—An Effective and Efficient Classification System for Packed and Polymorphic Malware", IEEE Transactions on Computers, vol. 62, no. , pp. 1193-1206, June 2013, doi:10.1109/TC.2012.65