Abstract
Recent work has shown that a function call graph technique can perform well on some challenging malware detection problems. In this chapter, we compare this function call graph approach to elementary machine learning techniques that are trained on simpler features. We find that the machine learning techniques are generally more robust than the function call graphs, in the sense that the malware must be modified to a far greater extent before the machine learning techniques are significantly degraded. This work provides evidence that machine learning is likely to perform better than ad hoc approaches, particularly when faced with intelligent attackers who can attempt to exploit the inherent weaknesses in a given detection strategy.
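As an added illustration (not the chapter's own code or data) of the kind of comparison the abstract describes, the toy below scores a constructed "family" sample against modified copies of itself using two deliberately simplified stand-ins: a call-graph score (Jaccard similarity of edge sets) and an opcode-frequency score (cosine similarity to the family's opcode histogram). It then counts how many attacker modifications each score tolerates before it falls below a detection threshold. The sample graph, opcode lists, the junk-insertion transform and both scoring functions are all assumptions chosen for the example; the outcome depends on those choices and is not a reproduction of the chapter's results.

```python
"""Toy robustness comparison: call-graph similarity vs. an opcode-frequency score.

Added example, not the chapter's method. Everything below (sample graph, opcode
histograms, scoring functions, modification strategy) is constructed for
illustration.
"""
from collections import Counter
import math

# Constructed "family" sample: call graph as {caller: [callees]} plus the
# opcode sequence of each function.
BASE_GRAPH = {
    "main": ["decrypt", "inject"],
    "decrypt": ["xor_loop"],
    "inject": ["open_proc", "write_mem"],
    "xor_loop": [],
    "open_proc": [],
    "write_mem": [],
}
BASE_OPCODES = {
    "main": ["push", "call", "call", "ret"],
    "decrypt": ["mov", "xor", "loop", "ret"],
    "inject": ["push", "call", "call", "ret"],
    "xor_loop": ["xor", "inc", "cmp", "jne"],
    "open_proc": ["mov", "call", "ret"],
    "write_mem": ["mov", "call", "ret"],
}


def edges(graph):
    """Set of (caller, callee) edges in a call graph."""
    return {(a, b) for a, callees in graph.items() for b in callees}


def graph_similarity(g1, g2):
    """Jaccard similarity of edge sets: a simplified call-graph score (assumption)."""
    e1, e2 = edges(g1), edges(g2)
    return len(e1 & e2) / len(e1 | e2)


def opcode_profile(opcodes):
    """Whole-sample opcode histogram, the 'simpler feature' the ML side trains on."""
    counts = Counter()
    for seq in opcodes.values():
        counts.update(seq)
    return counts


def cosine(c1, c2):
    """Cosine similarity between two opcode histograms (Counter returns 0 for misses)."""
    dot = sum(c1[k] * c2[k] for k in c1)
    n1 = math.sqrt(sum(v * v for v in c1.values()))
    n2 = math.sqrt(sum(v * v for v in c2.values()))
    return dot / (n1 * n2)


def add_junk(graph, opcodes, n, junk_ops=("nop",)):
    """Attacker modification (assumed strategy): insert n dead functions, each
    called from main and each made of junk_ops. Adds one edge and len(junk_ops)
    opcodes per function, so it perturbs the graph more than the histogram."""
    g = {k: list(v) for k, v in graph.items()}
    o = {k: list(v) for k, v in opcodes.items()}
    for i in range(n):
        name = f"junk{i}"
        g["main"].append(name)
        g[name] = []
        o[name] = list(junk_ops)
    return g, o


def degradation(n, junk_ops=("nop",)):
    """(graph score, opcode score) of the sample after n junk insertions."""
    g, o = add_junk(BASE_GRAPH, BASE_OPCODES, n, junk_ops)
    return (graph_similarity(BASE_GRAPH, g),
            cosine(opcode_profile(BASE_OPCODES), opcode_profile(o)))


def junk_needed_to_evade(threshold, max_n=1000, junk_ops=("nop",)):
    """Smallest n that pushes each score below the detection threshold."""
    result = {}
    for n in range(max_n + 1):
        graph_score, opcode_score = degradation(n, junk_ops)
        if "graph" not in result and graph_score < threshold:
            result["graph"] = n
        if "opcode" not in result and opcode_score < threshold:
            result["opcode"] = n
        if len(result) == 2:
            break
    return result


if __name__ == "__main__":
    for n in (0, 5, 10):
        print(n, degradation(n))
    print(junk_needed_to_evade(0.5))
```

With the constructed sample, the graph score is 5/(5+n) after n insertions while the opcode score is sqrt(82/(82+n²)), so a 0.5 threshold is crossed at 6 junk functions for the graph score but only at 16 for the opcode score. Passing richer `junk_ops` (several opcodes per dead function) narrows that gap, which is the point a practitioner should check: robustness is relative to the modification the attacker can afford.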
© 2018 Springer International Publishing AG, part of Springer Nature
About this chapter
Cite this chapter
Rajeswaran, D., Di Troia, F., Austin, T.H., Stamp, M. (2018). Function Call Graphs Versus Machine Learning for Malware Detection. In: Parkinson, S., Crampton, A., Hill, R. (eds) Guide to Vulnerability Analysis for Computer Networks and Systems. Computer Communications and Networks. Springer, Cham. https://doi.org/10.1007/978-3-319-92624-7_11
DOI: https://doi.org/10.1007/978-3-319-92624-7_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-92623-0
Online ISBN: 978-3-319-92624-7