Control Flow Change in Assembly as a Classifier in Malware Analysis

Files in This Item:
 File SizeFormat
Download42_ISDFS16_CFC_AA.pdf368.62 kBAdobe PDF
Title: Control Flow Change in Assembly as a Classifier in Malware Analysis
Authors: Linke, AndreeLe-Khac, Nhien-An
Permanent link: http://hdl.handle.net/10197/7619
Date: 27-Apr-2016
Online since: 2016-05-17T14:49:04Z
Abstract: As currently classical malware detection methods based on signatures fail to detect new malware, they are not always efficient with new obfuscation techniques. Besides, new malware is easily created and old malware can be recoded to produce new one. Therefore, classical Antivirus becomes consistently less effective in dealing with those new threats. Also malware gets hand tailored to bypass network security and Antivirus. But as analysts do not have enough time to dissect suspected malware by hand, automated approaches have been developed. To cope with the mass of new malware, statistical and machine learning methods proved to be a good approach classifying programs, especially when using multiple approaches together to provide a l ikelihood of software b e ing malicious. In normal approach, some steps have been taken, mostly by analyzing the opcodes or mnemonics of disassembly and their distribution. In this paper, we focus on the control flow change (CFC) itself and finding out if it is significant to detect malware. In the scope of this work, only relative control flow changes are contemplated, as these are easier to extract from the first chosen disassembler library and are within a range of 256 addresses. These features are analyze d as a raw feature, as n-grams of length 2, 4 and 6 and the even more abstract feature of the occurrences of the n-grams is used. Statistical methods were used as well as the Naïve-Bayes algorithm to find out if there is significant data in CFC. We also test our approach with real-world datasets.
Type of material: Conference Publication
Publisher: IEEE
Copyright (published version): 2016 IEEE
Keywords: Malware analysisControl flow changeNaïve-Bayes analysisn-gram signatures
DOI: 10.1109/ISDFS.2016.7473514
Other versions: http://bweb.host.ualr.edu/
Language: en
Status of Item: Peer reviewed
Conference Details: 2016 4th IEEE International Symposium on Digital Forensics and Security (ISDFS), Arkansas, USA, 25 - 27 April 2016
This item is made available under a Creative Commons License: https://creativecommons.org/licenses/by-nc-nd/3.0/ie/
Appears in Collections:Computer Science Research Collection

Show full item record

SCOPUSTM   
Citations 50

4
Last Week
0
Last month
0
checked on Sep 12, 2020

Page view(s)

1,350
Last Week
3
Last month
19
checked on Jan 23, 2022

Download(s) 50

323
checked on Jan 23, 2022

Google ScholarTM

Check

Altmetric


If you are a publisher or author and have copyright concerns for any item, please email research.repository@ucd.ie and the item will be withdrawn immediately. The author or person responsible for depositing the article will be contacted within one business day.