Control Flow Change in Assembly as a Classifier in Malware Analysis
|Title:||Control Flow Change in Assembly as a Classifier in Malware Analysis||Authors:||Linke, Andree
|Permanent link:||http://hdl.handle.net/10197/7619||Date:||27-Apr-2016||Online since:||2016-05-17T14:49:04Z||Abstract:||As currently classical malware detection methods based on signatures fail to detect new malware, they are not always efficient with new obfuscation techniques. Besides, new malware is easily created and old malware can be recoded to produce new one. Therefore, classical Antivirus becomes consistently less effective in dealing with those new threats. Also malware gets hand tailored to bypass network security and Antivirus. But as analysts do not have enough time to dissect suspected malware by hand, automated approaches have been developed. To cope with the mass of new malware, statistical and machine learning methods proved to be a good approach classifying programs, especially when using multiple approaches together to provide a l ikelihood of software b e ing malicious. In normal approach, some steps have been taken, mostly by analyzing the opcodes or mnemonics of disassembly and their distribution. In this paper, we focus on the control flow change (CFC) itself and finding out if it is significant to detect malware. In the scope of this work, only relative control flow changes are contemplated, as these are easier to extract from the first chosen disassembler library and are within a range of 256 addresses. These features are analyze d as a raw feature, as n-grams of length 2, 4 and 6 and the even more abstract feature of the occurrences of the n-grams is used. Statistical methods were used as well as the Naïve-Bayes algorithm to find out if there is significant data in CFC. We also test our approach with real-world datasets.||Type of material:||Conference Publication||Publisher:||IEEE||Copyright (published version):||2016 IEEE||Keywords:||Malware analysis; Control flow change; Naïve-Bayes analysis; n-gram signatures||DOI:||10.1109/ISDFS.2016.7473514||Other versions:||http://bweb.host.ualr.edu/||Language:||en||Status of Item:||Peer reviewed||Conference Details:||2016 4th IEEE International Symposium on Digital Forensics and Security (ISDFS), Arkansas, USA, 25 - 27 April 2016|
|Appears in Collections:||Computer Science Research Collection|
Show full item record
This item is available under the Attribution-NonCommercial-NoDerivs 3.0 Ireland. No item may be reproduced for commercial purposes. For other possible restrictions on use please refer to the publisher's URL where this is made available, or to notes contained in the item itself. Other terms may apply.