Malware Classification Based on Graph Convolutional Neural Networks and Static Call Graph Features

“…A multitude of research papers are presented from the past decade, and it is clearly shown that one particular feature is by far the most frequently used in this domain -the static call graph. Our previous work [17] presents a detailed overview on the literature of PE analysis, based on this survey paper, visualizing the distribution of research work with histograms of the features and methods applied. The motivation to use one particularly interesting static feature, the call graph, is that it includes both topological information of an executable file regarding function call sequences, and also the x86 assembly instruction list of each local subroutine -one presumption of the analysis process is that each of these local subroutines may be an original code of a malicious actor or APT group.…”

“…In order to obtain the assembly code of each subroutine, "agf" command is called on each node of the call graph. In a similar manner to generating the call graph using IDA Pro 6, merging the output of "GenCallGdl" and "GenFuncGdl" [17,18,19], the same logic applies in Radare2 as well. Both the global function graph ("agC") and global references graph ("agR") is needed to be analyzed, furthermore, each function block ("agf") must be processed in order to obtain the final, complete call graph.…”

“…function/import calls) and node-level (x86 instruction list of the functions), and follows the following steps. The PE file is scanned with IDA Pro 6, using the method described in our previous works [17,18,19] -DFS traversal is applied on the control flow graph obtained by GenFuncGdl and it is then merged with theGenCallGdl API's output. The file is then scanned using Radare2, with the method described in Section 3.3.…”

“…In this work, we present a malware analysis framework using Radare2 to extract the static call graph of a PE file and offer a detailed comparison with an alternative disassembler, IDA Pro 6. Our previous work [17,18,19] relies solely on IDA Pro 6 -this experience led to the need to try out an alternative disassembler tool which enables containerized, parallel processing of samples. Other alternatives were taken into consideration as well, but due to its popularity in the literature -as described in Section 2, our tool of choice became Radare2.…”

Malware Analysis and Static Call Graph Generation with Radare2

“…A multitude of research papers are presented from the past decade, and it is clearly shown that one particular feature is by far the most frequently used in this domain -the static call graph. Our previous work [17] presents a detailed overview on the literature of PE analysis, based on this survey paper, visualizing the distribution of research work with histograms of the features and methods applied. The motivation to use one particularly interesting static feature, the call graph, is that it includes both topological information of an executable file regarding function call sequences, and also the x86 assembly instruction list of each local subroutine -one presumption of the analysis process is that each of these local subroutines may be an original code of a malicious actor or APT group.…”

“…In order to obtain the assembly code of each subroutine, "agf" command is called on each node of the call graph. In a similar manner to generating the call graph using IDA Pro 6, merging the output of "GenCallGdl" and "GenFuncGdl" [17,18,19], the same logic applies in Radare2 as well. Both the global function graph ("agC") and global references graph ("agR") is needed to be analyzed, furthermore, each function block ("agf") must be processed in order to obtain the final, complete call graph.…”

“…function/import calls) and node-level (x86 instruction list of the functions), and follows the following steps. The PE file is scanned with IDA Pro 6, using the method described in our previous works [17,18,19] -DFS traversal is applied on the control flow graph obtained by GenFuncGdl and it is then merged with theGenCallGdl API's output. The file is then scanned using Radare2, with the method described in Section 3.3.…”

“…In this work, we present a malware analysis framework using Radare2 to extract the static call graph of a PE file and offer a detailed comparison with an alternative disassembler, IDA Pro 6. Our previous work [17,18,19] relies solely on IDA Pro 6 -this experience led to the need to try out an alternative disassembler tool which enables containerized, parallel processing of samples. Other alternatives were taken into consideration as well, but due to its popularity in the literature -as described in Section 2, our tool of choice became Radare2.…”

Malware Analysis and Static Call Graph Generation with Radare2

MalGNE: Enhancing the Performance and Efficiency of CFG-Based Malware Detector by Graph Node Embedding in Low Dimension Space