Skip to main content
Springer Nature Link
Log in

Idea: Opcode-Sequence-Based Malware Detection

  • Conference paper
Engineering Secure Software and Systems (ESSoS 2010)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5965))

Included in the following conference series:

Abstract

Malware is every malicious code that has the potential to harm any computer or network. The amount of malware is increasing faster every year and poses a serious security threat. Hence, malware detection has become a critical topic in computer security. Currently, signature-based detection is the most extended method within commercial antivirus. Although this method is still used on most popular commercial computer antivirus software, it can only achieve detection once the virus has already caused damage and it is registered. Therefore, it fails to detect new variations of known malware. In this paper, we propose a new method to detect variants of known malware families. This method is based on the frequency of appearance of opcode sequences. Furthermore, we describe a method to mine the relevance of each opcode and, thereby, weigh each opcode sequence frequency. We show that this method provides an effective way to detect variants of known malware families.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Karsperky-Labs: Kaspersky Security Bulletin: Statistics 2008 (2009)

    Google Scholar 

  2. Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. In: Proceedings of the 12th USENIX Security Symposium, February 2003, pp. 169–186 (2003)

    Google Scholar 

  3. Morley, P.: Processing virus collections. In: Proceedings of the 2001 Virus Bulletin Conference (VB 2001), Virus Bulletin, pp. 129–134 (2001)

    Google Scholar 

  4. Bilar, D.: Opcodes as predictor for malware. International Journal of Electronic Security and Digital Forensics 1(2), 156–168 (2007)

    Article  Google Scholar 

  5. VX heavens (2009), http://vx.netlux.org/ (Last accessed: September 29, 2009)

  6. NewBasic - An x86 Assembler/Disassembler for DOS, http://www.frontiernet.net/~fys/newbasic.htm (Last accessed: September 29, 2009)

  7. Peng, H., Long, F., Ding, C.: Feature selection based on mutual information: criteria of max-dependency, max-relevance, and min-redundancy. IEEE Transactions on Pattern Analysis and Machine Intelligence, 1226–1238 (2005)

    Google Scholar 

  8. McGill, M., Salton, G.: Introduction to modern information retrieval. McGraw-Hill, New York (1983)

    MATH  Google Scholar 

  9. Tata, S., Patel, J.: Estimating the Selectivity of tf-idf based Cosine Similarity Predicates. SIGMOD Record 36(2), 75–80 (2007)

    Article  Google Scholar 

  10. Carrera, E., Erdélyi, G.: Digital genome mapping–advanced binary malware analysis. In: Virus Bulletin Conference, pp. 187–197 (2004)

    Google Scholar 

  11. Ashcraft, K., Engler, D.: Using programmer-written compiler extensions to catch security holes. In: Proceedings of the 23rd IEEE Symposium on Security and Privacy, pp. 143–159 (2002)

    Google Scholar 

  12. Schultz, M., Eskin, E., Zadok, F., Stolfo, S.: Data mining methods for detection of new malicious executables. In: Proceedings of the 22nd IEEE Symposium on Security and Privacy, pp. 38–49 (2001)

    Google Scholar 

  13. Kolter, J.Z., Maloof, M.A.: Learning to detect malicious executables in the wild. In: Proceedings of the 10th ACM SIGKDD international conference on Knowledge discovery and data mining (KDD), pp. 470–478. ACM, New York (2004)

    Chapter  Google Scholar 

  14. Santos, I., Penya, Y., Devesa, J., Bringas, P.: N-Grams-based file signatures for malware detection. In: Proceedings of the 11th International Conference on Enterprise Information Systems (ICEIS), Volume AIDSS, pp. 317–320 (2009)

    Google Scholar 

  15. Christodorescu, M., Jha, S., Seshia, S., Song, D., Bryant, R.: Semantics-aware malware detection. In: Proceedings of the 2005 IEEE Symposium on Security and Privacy, pp. 32–46 (2005)

    Google Scholar 

  16. Cavallaro, L., Saxena, P., Sekar, R.: On the limits of information flow techniques for malware analysis and containment. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 143–163. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  17. Bayer, U., Moser, A., Kruegel, C., Kirda, E.: Dynamic analysis of malicious code. Journal in Computer Virology 2(1), 67–77 (2006)

    Article  Google Scholar 

  18. King, S., Chen, P.: SubVirt: Implementing malware with virtual machines. In: 2006 IEEE Symposium on Security and Privacy, pp. 314–327 (2006)

    Google Scholar 

  19. Willems, C., Holz, T., Freiling, F.: Toward automated dynamic malware analysis using cwsandbox. IEEE Security & Privacy 5(2), 32–39 (2007)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. S3 Lab,  

    Igor Santos, Felix Brezo, Javier Nieves, Borja Sanz, Carlos Laorden & Pablo G. Bringas

  2. eNergy Lab, University of Deusto, Bilbao, Spain

    Yoseba K. Penya

Authors
  1. Igor Santos
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Felix Brezo
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Javier Nieves
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Yoseba K. Penya
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Borja Sanz
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Carlos Laorden
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Pablo G. Bringas
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Dipartimento Ingegneria e Scienza dell’Informazione, Università di Trento, Via Sommarive 14, 38050, Povo (Trento), Italy

    Fabio Massacci

  2. Department of Computer Science, Rice University, 3122 Duncan Hall, 6100 Main Street, TX 77005, Houston, USA

    Dan Wallach

  3. Faculty of Mathematics and Computer Science, Eindhoven University of Technology, Den Dolech 2, 5612, Eindhoven, AZ, The Netherlands

    Nicola Zannone

Rights and permissions

Reprints and permissions

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Santos, I. et al. (2010). Idea: Opcode-Sequence-Based Malware Detection. In: Massacci, F., Wallach, D., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2010. Lecture Notes in Computer Science, vol 5965. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11747-3_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-11747-3_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-11746-6

  • Online ISBN: 978-3-642-11747-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics