Universiti Teknologi Malaysia Institutional Repository

Enhancing the detection of metamorphic malware using call graphs

E. Elhadi, Ammar Ahmed and Maarof, Mohd. Aizaini and Barry, Bazara I. A. and Hamza, Hentabli (2014) Enhancing the detection of metamorphic malware using call graphs. Computers and Security, 46. pp. 62-78. ISSN 0167-4048

Full text not available from this repository.

Official URL: https://dx.doi.org/10.1016/j.cose.2014.07.004

Abstract

Malware stands for malicious software: software that is designed with harmful intent. A malware detector is a system that attempts to identify malware using an Application Programming Interface (API) call graph technique and/or other techniques. API call graph techniques follow two main steps, namely transforming malware samples into an API call graph using an API call graph construction algorithm, and matching the constructed graph against existing malware call graph samples using a graph matching algorithm. A major issue facing malware API call graph construction algorithms is building a precise call graph from the information collected about malware samples. On the other hand, call graph matching is an NP-complete problem and is slow because of its computational complexity. In this study, a malware detection system based on API call graphs is proposed. In the proposed system, each malware sample is represented as an API call graph. An API call graph construction algorithm is used to transform input malware samples into an API call graph by integrating API calls and operating system resources to represent graph nodes. Moreover, the dependence between different types of nodes is identified and represented using graph edges. After that, a graph matching algorithm is used to calculate the similarity between the input sample and the malware API call graph samples that are stored in a database. The graph matching algorithm is based on an enhanced graph edit distance algorithm that simplifies the computational complexity using a greedy approach to select the best common subgraphs from the integrated API call graph with high similarity, which helps in detecting metamorphic malware. Experimental results on 514 malware samples demonstrate that the proposed system has 98% accuracy and a 0 false positive rate. Detailed comparisons against other detection methods have been carried out and significant improvement over them is shown.
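The two steps the abstract describes (building a graph whose nodes are API calls and operating system resources with dependence edges between them, then scoring a sample against stored graphs with a greedy approximation of graph edit distance) can be illustrated with a small self-contained model. The following is an added example written for this page, not the paper's algorithm or code; the API names, resource kinds, behaviour traces and the particular greedy scoring rule are all constructed assumptions, and the traces are hand-written rather than captured from real samples. It shows why the approach tolerates a metamorphic variant that renames resources, reorders independent blocks and inserts junk calls, while an unrelated trace scores low.

```python
"""Toy API call graph construction plus greedy approximate graph edit distance.

Added illustration, not the paper's code. Nodes are API calls (labelled by
name) and OS resources (labelled only by kind, so a renamed file or key in a
variant can still be matched). Edges: api -> resource it touches, and
earlier api -> later api when both touch the same resource (a dependence).
"""
from collections import defaultdict


def build_call_graph(trace):
    """trace: list of (api_name, resource_kind or None, resource_id).
    Returns (labels, edges): labels maps node key -> label, edges is a set."""
    labels, edges, last_toucher = {}, set(), {}
    for api, kind, rid in trace:
        a = ("api", api)
        labels[a] = ("api", api)
        if kind is None:            # call with no tracked resource, e.g. Sleep
            continue
        r = ("res", kind, rid)
        labels[r] = ("res", kind)    # label by kind only, identity kept in key
        edges.add((a, r))
        prev = last_toucher.get(r)
        if prev is not None and prev != a:
            edges.add((prev, a))     # dependence through the shared resource
        last_toucher[r] = a
    return labels, edges


def _neighbours(edges):
    nb = defaultdict(set)
    for a, b in edges:
        nb[a].add(b)
        nb[b].add(a)
    return nb


def greedy_similarity(g1, g2):
    """Greedy node matching, then edit cost = unmatched nodes + unpreserved
    edges, normalised to [0, 1] (1.0 means identical graphs)."""
    labels1, edges1 = g1
    labels2, edges2 = g2
    nb1, nb2 = _neighbours(edges1), _neighbours(edges2)
    mapping = {}
    # Only nodes with the same label (API name or resource kind) may match.
    candidates = [(u, v) for u in labels1 for v in labels2
                  if labels1[u] == labels2[v]]

    def score(pair):
        u, v = pair
        # Prefer pairs whose already-matched neighbours agree, then pairs
        # whose neighbour labels overlap (cheap look-ahead instead of search).
        matched = sum(1 for n in nb1[u] if mapping.get(n) in nb2[v])
        shared = len({labels1[n] for n in nb1[u]} & {labels2[n] for n in nb2[v]})
        return (matched, shared)

    while candidates:
        u, v = max(candidates, key=score)
        mapping[u] = v
        candidates = [(a, b) for a, b in candidates if a != u and b != v]

    preserved = sum(1 for a, b in edges1
                    if a in mapping and b in mapping
                    and (mapping[a], mapping[b]) in edges2)
    node_cost = (len(labels1) - len(mapping)) + (len(labels2) - len(mapping))
    edge_cost = (len(edges1) - preserved) + (len(edges2) - preserved)
    total = len(labels1) + len(edges1) + len(labels2) + len(edges2)
    return 1.0 - (node_cost + edge_cost) / total


def detect(sample, database, threshold=0.8):
    """Return (family, score) of the best-matching stored graph if it reaches
    the threshold, else (None, best_score)."""
    best_name, best = None, 0.0
    for name, g in database.items():
        s = greedy_similarity(sample, g)
        if s > best:
            best_name, best = name, s
    return (best_name, best) if best >= threshold else (None, best)


# Constructed traces (hypothetical, not captured from real samples).
ORIGINAL = [("CreateFileW", "file", "payload.dll"), ("WriteFile", "file", "payload.dll"),
            ("RegOpenKeyExW", "regkey", "Run"), ("RegSetValueExW", "regkey", "Run"),
            ("CreateMutexW", "mutex", "m1"), ("InternetOpenW", None, None),
            ("InternetConnectW", "net", "host0"), ("HttpSendRequestW", "net", "host0")]
# Same behaviour with blocks reordered, resources renamed and junk calls added.
VARIANT = [("GetTickCount", None, None),
           ("RegOpenKeyExW", "regkey", "RunOnce"), ("RegSetValueExW", "regkey", "RunOnce"),
           ("Sleep", None, None),
           ("CreateFileW", "file", "svc.dll"), ("WriteFile", "file", "svc.dll"),
           ("CreateMutexW", "mutex", "m2"), ("InternetOpenW", None, None),
           ("InternetConnectW", "net", "host1"), ("HttpSendRequestW", "net", "host1")]
BENIGN = [("CreateFileW", "file", "notes.txt"), ("ReadFile", "file", "notes.txt"),
          ("CloseHandle", "file", "notes.txt"), ("GetTickCount", None, None)]

ORIGINAL_GRAPH, VARIANT_GRAPH, BENIGN_GRAPH = map(build_call_graph, (ORIGINAL, VARIANT, BENIGN))
DATABASE = {"family_a": ORIGINAL_GRAPH}

if __name__ == "__main__":
    print("variant vs original:", round(greedy_similarity(VARIANT_GRAPH, ORIGINAL_GRAPH), 3))
    print("benign  vs original:", round(greedy_similarity(BENIGN_GRAPH, ORIGINAL_GRAPH), 3))
    print("detect(variant):", detect(VARIANT_GRAPH, DATABASE))
    print("detect(benign): ", detect(BENIGN_GRAPH, DATABASE))
```

With these constructed traces the variant scores 44/46 against the original (its only cost is the two junk API nodes), while the benign trace scores 6/32, because it shares only the file node and one call. Labelling resource nodes by kind rather than by name is what makes the renamed file and registry key match; the greedy step keeps the matching linear in candidate pairs instead of searching all node assignments, which is the cost trade-off the abstract refers to, at the price that a poor early choice is never revisited.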

Item Type: Article
Uncontrolled Keywords: computer security, malware, malware detection, API call graph, API call graph construction algorithm, API call graph matching algorithm
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Divisions: Computing
ID Code: 52710
Deposited By: Siti Nor Hashidah Zakaria
Deposited On: 01 Feb 2016 03:53
Last Modified: 30 Jun 2018 00:14
