Journal
COMPUTERS & SECURITY
Volume 73, Issue -, Pages 73-86
Publisher
ELSEVIER ADVANCED TECHNOLOGY
DOI: 10.1016/j.cose.2017.10.007
Keywords
Dependency graph; Dynamic taint analysis; Malware; Security; System call
Funding
- Scientific Research Foundation in Shenzhen [JCYJ20160525163756635]
- Natural Science Foundation of Guangdong Province [2016A030313664]
- State Key Laboratory of Computer Architecture, Chinese Academy of Sciences
- Key Laboratory of Network Oriented Intelligent Computation (Shenzhen)
Graph-based malware detection methods must build a behavior graph for each known malware sample, which makes them difficult to apply in practice. To solve this issue, we study how to build a common behavior graph for each malware family. We represent malware behaviors as dependency graphs. To find the dependency relations between system calls, we use a dynamic taint analysis technique to mark the system call parameters with taint tags, and we then build the system call dependency graph by tracing the propagation of the tainted data. Based on the dependency graphs of malware samples, we propose an algorithm to extract the common behavior graph, which is used to represent the behavioral features of a malware family. Finally, a graph matching algorithm based on the maximum weight subgraph is used to detect malicious code. The experimental results show that the proposed method has a high detection rate and a low false positive rate and can detect malware variants. (C) 2017 Elsevier Ltd. All rights reserved.