DOI: 10.1145/2513228.2513294
research-article

Malware analysis method using visualization of binary files

Published: 01 October 2013

ABSTRACT

Malware authors have been generating and disseminating malware variants in various ways, such as reusing modules or using automated malware generation tools. With the help of these generation techniques, the number of malware samples keeps increasing every year. Therefore, new malware analysis techniques are needed to reduce malware analysis overhead. Recently, several malware visualization methods have been proposed to help malware analysts. In this paper, we propose a novel method to visually analyze malware by transforming malware binary information into image matrices. Our experimental results show that the image matrices of malware can effectively classify malware families.
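The pipeline the abstract sketches (raw binary bytes laid out as an image matrix, then matrices compared to assign a sample to a family), as an added example that is not the authors' code: the 16-column layout, the intensity-histogram feature and the cosine similarity are assumptions of this example, not the paper's method, and the "binaries" are constructed byte strings.

```python
import math
from typing import Dict, List, Tuple

def bytes_to_matrix(data: bytes, width: int = 16) -> List[List[int]]:
    """Lay raw bytes out row by row as a width-column grid of 0..255 pixels (last row zero-padded)."""
    rows = []
    for off in range(0, len(data), width):
        row = list(data[off:off + width])
        rows.append(row + [0] * (width - len(row)))
    return rows

def to_pgm(matrix: List[List[int]]) -> bytes:
    """Serialise the matrix as a binary PGM (P5) image so it can be opened in any image viewer."""
    height, width = len(matrix), (len(matrix[0]) if matrix else 0)
    return f"P5 {width} {height} 255\n".encode() + b"".join(bytes(row) for row in matrix)

def intensity_signature(matrix: List[List[int]], bins: int = 16) -> List[float]:
    """Normalised pixel-intensity histogram; assumed here as a size-independent matrix feature."""
    counts = [0] * bins
    for row in matrix:
        for v in row:
            counts[v * bins // 256] += 1
    total = sum(counts)
    return [c / total for c in counts] if total else counts

def angular_similarity(a: List[float], b: List[float]) -> float:
    """Cosine of the angle between two feature vectors (1.0 = same direction)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def classify(sample: bytes, families: Dict[str, List[bytes]]) -> Tuple[str, float]:
    """Nearest-neighbour family assignment by image-matrix similarity."""
    sig = intensity_signature(bytes_to_matrix(sample))
    best = ("unknown", 0.0)
    for family, members in families.items():
        for member in members:
            score = angular_similarity(sig, intensity_signature(bytes_to_matrix(member)))
            if score > best[1]:
                best = (family, score)
    return best
# Constructed byte strings standing in for binaries (not real malware): family_a
# repeats a code-like byte pattern, family_b is a flat byte ramp like packed data.
FAMILIES = {
    "family_a": [b"\x55\x8b\xec\x83\xec\x10" * 20 + b"\x00" * 40,
                 b"\x55\x8b\xec\x83\xec\x20" * 20 + b"\x00" * 32],
    "family_b": [bytes(range(256)), bytes(range(255, -1, -1))],
}
SAMPLE = b"\x55\x8b\xec\x83\xec\x10" * 18 + b"\xcc" * 12 + b"\x00" * 40
```

`classify(SAMPLE, FAMILIES)` assigns the variant to family_a; `to_pgm(bytes_to_matrix(SAMPLE))` gives the viewable image of the same matrix.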


Published in: RACS '13: Proceedings of the 2013 Research in Adaptive and Convergent Systems, October 2013, 529 pages. ISBN: 9781450323482. DOI: 10.1145/2513228.

Copyright © 2013 ACM

        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States.

Publication History: Published 1 October 2013.


Acceptance Rates: RACS '13 paper acceptance rate 73 of 317 submissions (23%); overall acceptance rate 393 of 1,581 submissions (25%).
