Static detection of malware variants plays an important role in system
security and control flow has been shown as an effective characteristic that
represents polymorphic malware. In our research, we propose a similarity search
of malware to detect these variants using novel distance metrics. We describe a
malware signature by the set of control flow graphs the malware contains. We
use a distance metric based on the distance between feature vectors of
string-based signatures. The feature vector is a decomposition of the set of
graphs into either fixed size k-sub graphs, or q-gram strings of the high-level
source after recompilation. We use this distance metric to perform
pre-filtering. We also propose a more effective but less computationally
efficient distance metric based on the minimum matching distance. The minimum
matching distance uses the string edit distances between programs & amp; #8217;
decompiled flow graphs, and the linear sum assignment problem to construct a
minimum sum weight matching between two sets of graphs. We implement the
distance metrics in a complete malware variant detection system. The evaluation
shows that our approach is highly effective in terms of a limited false
positive rate and our system detects more malware variants when compared to the
detection rates of other algorithms.
No comments:
Post a Comment