Skip to main content
SpringerLink
Log in

ECFGM: enriched control flow graph miner for unknown vicious infected code detection

  • Original Paper
  • Published:
Journal in Computer Virology Aims and scope Submit manuscript

Abstract

Vicious codes, especially viruses, as a kind of impressive malware have caused many disasters and continue to exploit more vulnerabilities. These codes are injected inside benign programs in order to abuse their hosts and ease their propagation. The offsets of injected virus codes are unknown and their targets usually are latent until they are executed and activated, what in turn makes viruses very hard to detect. In this paper enriched control flow graph miner, ECFGM in short, is presented to detect infected files corrupted by unknown viruses. ECFGM uses enriched control flow graph model to represent the benign and vicious codes. This model has more information than traditional control flow graph (CFG) by utilizing statistical information of dependent assembly instructions and API calls. To the best of our knowledge, the presented approach in this paper, for the first time, can recognize the offset of infected code of unknown viruses in the victim files. The main contributions of this paper are two folds: first, the presented model is able to detect unknown vicious code using ECFG model with reasonable complexity and desirable accuracy. Second, our approach is resistant against metamorphic viruses which utilize dead code insertion, variable renaming and instruction reordering methods.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Aggarwal C., Wang H.: Managing and Mining Graph Data vol 40. Springer, New York (2010)

    Book  Google Scholar 

  2. Anju, S., Harmya, P., Jagadeesh, N., Darsana, R.: Malware detection using assembly code and control flow graph optimization. In: Proceedings of the 1st Amrita ACM-W Celebration on Women in Computing in India, p. 65. ACM (2010)

  3. Bayer U., Moser A., Kruegel C., Kirda E.: Dynamic analysis of malicious code. J. Comput. Virol. 2(1), 67–77 (2006)

    Article  Google Scholar 

  4. Bilar D.: On callgraphs and generative mechanisms. J. Comput. Virol. 3(4), 285–297 (2007)

    Article  MathSciNet  Google Scholar 

  5. Bruschi, D., Martignoni, L., Monga, M.: Detecting self-mutating malware using control-flow graph matching. Detection of Intrusions and Malware & Vulnerability Assessment pp. 129–143 (2006)

  6. Harley D.: Making sense of anti-malware comparative testing. Inf. Secur. Tech. Rep. 14(1), 7–15 (2009)

    Article  Google Scholar 

  7. Hofmeyr S., Forrest S., Somayaji A.: Intrusion detection using sequences of system calls. J. Comput. Secur. 6(3), 151–180 (1998)

    Google Scholar 

  8. Idika N., Mathur A.: A survey of malware detection techniques, pp. 48. Purdue University, USA (2007)

    Google Scholar 

  9. Kostakis, O., Kinable, J., Mahmoudi, H., Mustonen, K.: Improved call graph comparison using simulated annealing. In: Proceedings of the 2011 ACM Symposium on Applied Computing, pp. 1516–1523. ACM (2011)

  10. Lai, Y.: A feature selection for malicious detection. In: Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing, 2008. SNPD’08. Ninth ACIS International Conference on, pp. 365–370. IEEE (2008)

  11. Menahem E., Shabtai A., Rokach L., Elovici Y.: Improving malware detection by applying multi-inducer ensemble. Comput. Stat. Data Anal. 53(4), 1483–1494 (2009)

    Article  MathSciNet  MATH  Google Scholar 

  12. Moser, A., Kruegel, C., Kirda, E.: Limits of static analysis for malware detection. In: Computer Security Applications Conference, 2007. ACSAC 2007. Twenty-Third Annual, pp. 421–430. IEEE (2007)

  13. PE-Explorer:(2011) http://www.pe-explorer.com/peexplorer-tour-disassembler.htm

  14. Perdisci R., Lanzi A., Lee W.: Classification of packed executables for accurate computer virus detection. Pattern Recognit. Lett. 29(14), 1941–1946 (2008)

    Article  Google Scholar 

  15. Picard, R., Cook, R.: Cross-validation of regression models. Journal of the American Statistical Association pp. 575–583(1984)

  16. Shankarapani M., Ramamoorthy S., Movva R., Mukkamala S.: Malware detection using assembly and api call sequences. J. Comput. Virol. 7(2), 107–119 (2011)

    Article  Google Scholar 

  17. Sulaiman, A., Ramamoorthy, K., Mukkamala, S., Sung, A.: Malware examiner using disassembled code (medic). In: Information Assurance Workshop, 2005. IAW’05. Proceedings from the Sixth Annual IEEE SMC, pp. 428–429. IEEE (2005)

  18. Szor P.: The Art of Computer Virus Research and Defense. Addison-Wesley Professional, (2005)

  19. Tesauro G., Kephart J., Sorkin G.: Neural networks for computer virus recognition. IEEE expert 11(4), 5–6 (1996)

    Article  Google Scholar 

  20. Tong, W., Jin, R.: Semi-supervised learning by mixed label propagation. In: Proceedings of the National Conference on Artificial Intelligence, vol. 22, p. 651. AAAI Press, Menlo Park, MIT Press, London 1999 (2007)

  21. Vinod, P., Laxmi, V., Gaur, M., Kumar, G., Chundawat, Y.: Static CFG Analyzer for Metamorphic Malware Code. In: Proceedings of the 2nd International Conference on Security of Information and Networks, pp. 225–228. ACM (2009)

  22. Wang, J., Deng, P., Fan, Y., Jaw, L., Liu, Y.: Virus detection using data mining techinques. In: Security Technology, 2003. In: Proceedings. IEEE 37th Annual 2003 International Carnahan Conference. pp. 71–76. IEEE (2003)

  23. Wespi, A., Dacier, M., Debar, H.: Intrusion detection using variable-length audit trail patterns. In: Recent advances in intrusion detection, pp. 110–129. Springer (2000)

  24. You, I., Yim, K.: Malware obfuscation techniques: A brief survey. In: Broadband, Wireless Computing, Communication and Applications (BWCCA), 2010 International Conference on, pp. 297–300. IEEE (2010)

  25. Zaidan A., Zaidan B., Othman F.: New technique of hidden data in pe-file with in unused area one. Int. J. Comput. Electr. Eng. (IJCEE) 1(5), 669–678 (2009)

    Google Scholar 

  26. Zhang, B., Yin, J., Hao, J., Wang, S., Zhang, D.: New malicious code detection based on n-gram analysis and rough set theory. Computational Intelligence and Security pp. 626–633 (2007)

  27. Zolkipli, M., Jantan, A.: A framework for malware detection using combination technique and signature generation. In: Computer Research and Development, 2010 Second International Conference on, pp. 196–199. IEEE (2010)

  28. Zuo Z., Zhou M.: Some further theoretical results about computer viruses. Comput. J. 47(6), 627–633 (2004)

    Article  Google Scholar 

  29. Zuo Z., Zhu Q., Zhou M.: On the time complexity of computer viruses. IEEE Trans. Inf. Theory 51(8), 2962–2966 (2005)

    Article  MathSciNet  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science and Engineering, Shiraz University, Shiraz, Iran

    Mojtaba Eskandari & Sattar Hashemi

Authors
  1. Mojtaba Eskandari
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Sattar Hashemi
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Mojtaba Eskandari.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Eskandari, M., Hashemi, S. ECFGM: enriched control flow graph miner for unknown vicious infected code detection. J Comput Virol 8, 99–108 (2012). https://doi.org/10.1007/s11416-012-0169-9

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11416-012-0169-9

Keywords

Search

Navigation