Abstract
Malware detection is an important method for maintaining security and privacy in cyberspace. Signature-based detection, currently the most mainstream method, is confronted with many obfuscation techniques that hide the true signature of malware. In this research, we propose a logic signature-based malware detection method to overcome the susceptibility of data signature-based methods to such disturbance. First, we derive the logic of each basic block using symbolic execution and Static Single Assignment, represent that logic as a set of expression trees, and filter the tree set to retain the remarkable items. Based on the basic block logic tree sets, we use an n-gram method to select features that discriminate malicious from benign software. Every feature of a program is a sequence of basic block logics, and feature matching is based on edit distance computation. We design and implement a detector and evaluate its effectiveness by comparison with a data signature-based detector. The experimental results indicate that the proposed malware detector using logic signatures of basic block sequences performs better than data signature-based detectors.
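The following is an added toy illustration of the abstract's pipeline, not the paper's implementation: basic blocks in a constructed three-address IR are symbolically evaluated into canonical expression trees (SSA-style, inputs renamed by first use), features are n-grams over the block-logic sequence, and matching uses edit distance. A register-renamed, operand-swapped copy with an inserted junk block still matches the logic features while its data signature (a hash of the raw text) changes.

```python
import hashlib

# Constructed toy IR: (dst, op, src1, src2); all-digit operands are immediates.
COMMUTATIVE = {"add", "mul", "xor", "or", "and"}

def block_logic(instrs):
    """Symbolic execution of one block in SSA form -> frozenset of expression
    trees (nested tuples). Inputs are numbered by first use, so register
    renaming does not change the result; commutative operands are sorted."""
    env, inputs = {}, {}
    def val(x):
        if x.isdigit():
            return ("const", int(x))
        if x in env:                      # value defined earlier in this block
            return env[x]
        return inputs.setdefault(x, ("in", len(inputs)))
    for dst, op, a, b in instrs:
        ops = [val(a), val(b)]
        if op in COMMUTATIVE:
            ops.sort(key=repr)            # canonical operand order
        env[dst] = (op, *ops)             # each write is a fresh SSA value
    return frozenset(env.values())        # live-out values of the block

def signature(blocks):
    """Logic signature: the sequence of block logics along the program."""
    return [block_logic(b) for b in blocks]

def data_signature(blocks):
    """Byte-level (data) signature of the same program for comparison."""
    raw = ";".join(" ".join(i) for b in blocks for i in b)
    return hashlib.sha256(raw.encode()).hexdigest()

def ngrams(seq, n):
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]

def edit_distance(a, b):
    """Levenshtein distance over sequences of hashable block logics."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]

def matches(sample, feature, max_dist=1):
    """Feature (an n-gram of block logics) matches if some window of the
    sample, up to max_dist longer, is within max_dist edits of it."""
    n = len(feature)
    return any(edit_distance(w, feature) <= max_dist
               for k in range(n, n + max_dist + 1) for w in ngrams(sample, k))

# Constructed samples: original, an obfuscated copy (renamed registers, swapped
# operands, junk block inserted), and an unrelated benign program.
ORIGINAL = [[("rax", "add", "rbx", "1"), ("rcx", "mul", "rax", "rdx")],
            [("rsi", "xor", "rsi", "rsi")], [("rdi", "sub", "rdi", "8")]]
OBFUSCATED = [[("r9", "add", "1", "r8"), ("r10", "mul", "r11", "r9")],
              [("r12", "or", "r12", "0")],
              [("rsi", "xor", "rsi", "rsi")], [("rdi", "sub", "rdi", "8")]]
BENIGN = [[("rax", "shl", "rax", "2")], [("rbx", "add", "rbx", "rax")]]
```

Running `all(matches(signature(OBFUSCATED), f) for f in ngrams(signature(ORIGINAL), 2))` yields True while the two `data_signature` values differ, which is the gap between logic and data signatures the abstract describes.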
Acknowledgment
This research was supported by the National Natural Science Foundation of China (91318301), and the National High Technology Research and Development Program (“863” Program) of China (2012AA7111043).
© 2019 Springer Nature Switzerland AG
Cite this paper
Shi, D., Xu, Q. (2019). Malware Detection Using Logic Signature of Basic Block Sequence. In: Li, S. (ed.) Green, Pervasive, and Cloud Computing. GPC 2018. Lecture Notes in Computer Science, vol. 11204. Springer, Cham. https://doi.org/10.1007/978-3-030-15093-8_2
DOI: https://doi.org/10.1007/978-3-030-15093-8_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-15092-1
Online ISBN: 978-3-030-15093-8