Identification of Metamorphic Malicious Code by Measuring the Similarity Level of Dependency Graphs

  • Gilbert B. Martins, IFAM
  • Paulo dos Santos, UFAM
  • Vitor Danrley, UFAM
  • Eduardo Souto, UFAM
  • Rosiane de Freitas, UFAM

Abstract

In order to correctly identify metamorphic malicious code, different approaches try to model structural characteristics that remain valid even after the application of code obfuscation techniques. One approach is based on comparing dependency graphs generated from suspicious code with baseline graphs generated from previously identified malicious code. However, since graph comparison is an NP-hard problem, comparison methodologies that make this identification process feasible are required. This article presents the results of a methodology that uses the concepts of vertex differentiation and an adapted topological sort to propose a metric that measures maximum subgraph isomorphism.
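As an added illustration of the idea sketched in the abstract, and not the authors' algorithm (whose details are in the paper itself), the following Python code labels each vertex with its opcode class refined by its predecessors' labels (vertex differentiation), orders vertices with a depth-based topological sort, and greedily approximates the maximum common subgraph between a baseline dependency graph and a metamorphic variant. The toy graphs, the opcode classes and the scoring formula are constructed assumptions for this example.

```python
# Constructed toy dependency graphs (not from the paper): vertices are instructions
# keyed by id with an opcode class; edge u -> v means v consumes a value produced by
# u. The variant keeps the data flow but reorders instructions and adds a dead nop.
BASELINE = {"nodes": {1: "mov", 2: "mov", 3: "add", 4: "xor", 5: "cmp", 6: "jcc"},
            "edges": [(1, 3), (2, 3), (3, 4), (4, 5), (5, 6)]}
VARIANT = {"nodes": {10: "mov", 11: "nop", 12: "mov", 13: "add", 14: "xor",
                     15: "cmp", 16: "jcc"},
           "edges": [(12, 13), (10, 13), (13, 14), (14, 15), (15, 16)]}

def preds(g):
    """Predecessor lists; a data-dependency graph of straight-line code is acyclic."""
    return {v: [u for u, w in g["edges"] if w == v] for v in g["nodes"]}

def differentiate(g):
    """Vertex differentiation: refine each opcode label with the sorted refined
    labels of its predecessors; also record depth (longest path from a source)."""
    pred, label, depth = preds(g), {}, {}
    def refine(v):
        if v not in label:
            ps = sorted(refine(p) for p in pred[v])
            depth[v] = 1 + max((depth[p] for p in pred[v]), default=0)
            label[v] = g["nodes"][v] + "(" + ",".join(ps) + ")"
        return label[v]
    for v in g["nodes"]:
        refine(v)
    return label, depth

def topo_order(g, label, depth):
    """Adapted topological sort: by depth, then refined label, then id, so that
    swapping independent instructions in a variant does not change the order."""
    return sorted(g["nodes"], key=lambda v: (depth[v], label[v], v))

def common_subgraph(g1, g2):
    """Greedy maximum-common-subgraph approximation: map each g2 vertex, in topological
    order, to an unused g1 vertex with the same refined label and consistent edges."""
    (l1, d1), (l2, d2) = differentiate(g1), differentiate(g2)
    o1, o2 = topo_order(g1, l1, d1), topo_order(g2, l2, d2)
    e1, pred2, mapping = set(g1["edges"]), preds(g2), {}
    for v in o2:
        for c in o1:
            if c in mapping.values() or l1[c] != l2[v]:
                continue
            if all(p not in mapping or (mapping[p], c) in e1 for p in pred2[v]):
                mapping[v] = c
                break
    return mapping

def similarity(g1, g2):
    """Similarity in [0, 1]: matched vertices over the size of the larger graph."""
    return len(common_subgraph(g1, g2)) / max(len(g1["nodes"]), len(g2["nodes"]))
```

On the toy graphs the dead `nop` is the only unmatched vertex, so the variant scores 6/7 against the baseline while a graph with a different data flow scores much lower.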

Published: 2016-11-07

MARTINS, Gilbert B.; SANTOS, Paulo dos; DANRLEY, Vitor; SOUTO, Eduardo; FREITAS, Rosiane de. Identificação de Códigos Maliciosos Metamórficos pela Medição do Nível de Similaridade de Grafos de Dependência. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 16., 2016, Niterói. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2016. p. 296-309. DOI: https://doi.org/10.5753/sbseg.2016.19315.
