Control Flow Change in Assembly as a Classifier in Malware Analysis

Files in This Item:
File Description SizeFormat 
42_ISDFS16_CFC_AA.pdf368.62 kBAdobe PDFDownload
Title: Control Flow Change in Assembly as a Classifier in Malware Analysis
Authors: Linke, Andree
Le-Khac, Nhien-An
Permanent link:
Date: 27-Apr-2016
Online since: 2016-05-17T14:49:04Z
Abstract: As currently classical malware detection methods based on signatures fail to detect new malware, they are not always efficient with new obfuscation techniques. Besides, new malware is easily created and old malware can be recoded to produce new one. Therefore, classical Antivirus becomes consistently less effective in dealing with those new threats. Also malware gets hand tailored to bypass network security and Antivirus. But as analysts do not have enough time to dissect suspected malware by hand, automated approaches have been developed. To cope with the mass of new malware, statistical and machine learning methods proved to be a good approach classifying programs, especially when using multiple approaches together to provide a l ikelihood of software b e ing malicious. In normal approach, some steps have been taken, mostly by analyzing the opcodes or mnemonics of disassembly and their distribution. In this paper, we focus on the control flow change (CFC) itself and finding out if it is significant to detect malware. In the scope of this work, only relative control flow changes are contemplated, as these are easier to extract from the first chosen disassembler library and are within a range of 256 addresses. These features are analyze d as a raw feature, as n-grams of length 2, 4 and 6 and the even more abstract feature of the occurrences of the n-grams is used. Statistical methods were used as well as the Naïve-Bayes algorithm to find out if there is significant data in CFC. We also test our approach with real-world datasets.
Type of material: Conference Publication
Publisher: IEEE
Copyright (published version): 2016 IEEE
Keywords: Malware analysisControl flow changeNaïve-Bayes analysisn-gram signatures
DOI: 10.1109/ISDFS.2016.7473514
Other versions:
Language: en
Status of Item: Peer reviewed
Conference Details: 2016 4th IEEE International Symposium on Digital Forensics and Security (ISDFS), Arkansas, USA, 25 - 27 April 2016
Appears in Collections:Computer Science Research Collection

Show full item record

Citations 50

Last Week
Last month
checked on Feb 12, 2019

Google ScholarTM



This item is available under the Attribution-NonCommercial-NoDerivs 3.0 Ireland. No item may be reproduced for commercial purposes. For other possible restrictions on use please refer to the publisher's URL where this is made available, or to notes contained in the item itself. Other terms may apply.