Abstract
Malware is a pervasive problem in computer security. Traditional signature-based detection is ineffective at recognizing the dramatically increased amount of malware. Research shows that many malicious samples are just variations of previously encountered malware. It is therefore preferable to analyze the similarity of malware to determine whether submitted samples are merely variations of existing ones. Static analysis of polymorphic malware variants plays an important role. The function call graph has been shown to be an effective feature that represents the functionality of malware semantically. In this paper we propose a novel algorithm that compares function call graphs, based on the similarity flooding algorithm, to analyze the similarity of malware. The similarity between malware samples can then be determined by a graph matching method. The evaluation shows that our algorithm is highly effective in terms of accuracy and computational complexity.
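To make the idea concrete, the following added example (not code from the paper, whose own algorithm the abstract does not detail) runs the general similarity flooding fixpoint of Melnik, Garcia-Molina and Rahm over two small call graphs. The sample graphs, the function names, the name-equality seeding and the `base` value are assumptions made for illustration.

```python
from collections import defaultdict
from itertools import product

def similarity_flooding(edges_a, edges_b, rounds=50, base=0.01):
    """Return {(node_a, node_b): similarity in [0, 1]} for two call graphs."""
    nodes_a = sorted({n for e in edges_a for n in e})
    nodes_b = sorted({n for e in edges_b for n in e})
    # Seed (assumption of this example): identical names, i.e. imported API
    # symbols, start at 1.0; every other pair starts at a small base value.
    seed = {(a, b): 1.0 if a == b else base
            for a, b in product(nodes_a, nodes_b)}
    # Pairwise connectivity graph: (a, b) -> (a2, b2) whenever a calls a2 in A
    # and b calls b2 in B. Similarity also flows back along the reverse edge.
    fwd, back = defaultdict(list), defaultdict(list)
    for (a, a2), (b, b2) in product(edges_a, edges_b):
        fwd[(a, b)].append((a2, b2))
        back[(a2, b2)].append((a, b))
    sigma = dict(seed)
    for _ in range(rounds):
        # Re-adding the seed each round keeps the result tied to the anchors.
        carry = {p: seed[p] + sigma[p] for p in seed}
        nxt = dict(carry)
        for src, weight in carry.items():
            for nbrs in (fwd.get(src, []), back.get(src, [])):
                for dst in nbrs:  # each direction splits the weight evenly
                    nxt[dst] += weight / len(nbrs)
        top = max(nxt.values())  # normalize so the best pair scores 1.0
        sigma = {p: v / top for p, v in nxt.items()}
    return sigma

def best_matches(sigma):
    """For every node of graph A, the graph-B node with the highest score."""
    best = {}
    for (a, b), score in sigma.items():
        if a not in best or score > sigma[(a, best[a])]:
            best[a] = b
    return best

# Constructed sample: a program and a rebuilt variant whose local function
# names changed while the imported API names stayed the same.
SAMPLE_A = [("main_a", "decrypt_a"), ("main_a", "net_a"),
            ("decrypt_a", "VirtualAlloc"), ("net_a", "connect"), ("net_a", "send")]
SAMPLE_B = [("sub_1", "sub_2"), ("sub_1", "sub_3"),
            ("sub_2", "VirtualAlloc"), ("sub_3", "connect"), ("sub_3", "send")]

if __name__ == "__main__":
    for a, b in sorted(best_matches(similarity_flooding(SAMPLE_A, SAMPLE_B)).items()):
        print(f"{a:>12} -> {b}")
```

The renamed local functions are recovered purely from where they sit relative to the shared imports. `best_matches` is a per-node argmax, so two functions of A can map to the same function of B; a one-to-one mapping needs an assignment step on top of the scores.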
Copyright information
© 2015 Springer Science+Business Media Singapore
About this paper
Cite this paper
Liu, J., Wang, Y., Xie, P., Wang, Y., Huang, Z. (2015). Malware Similarity Analysis Based on Graph Similarity Flooding Algorithm. In: Park, DS., Chao, HC., Jeong, YS., Park, J. (eds) Advances in Computer Science and Ubiquitous Computing. Lecture Notes in Electrical Engineering, vol 373. Springer, Singapore. https://doi.org/10.1007/978-981-10-0281-6_5
DOI: https://doi.org/10.1007/978-981-10-0281-6_5
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-0280-9
Online ISBN: 978-981-10-0281-6
eBook Packages: Computer Science (R0)