On callgraphs and generative mechanisms

Bilar, Daniel

doi:10.1007/s11416-007-0057-x

Cited by 7 publications

(7 citation statements)

References 35 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While the maximum detection rate with the lowest false negative is achieved for the longest program run‐lengths, a good detection rate with an acceptable false negative rate is obtained with ‘logic and arithmetic’ opcodes with a program run length of 1 K. This is consistent with present understanding of malware in that, in the early stages of start‐up, it needs to unpack or decipher the executable code. Bilar et al [3] show that the structure complexity of malware is less than that of non‐malicious software, which has been borne out by the finding produced by the SVM. Fig. 5 presents the data in a format that – The opcodes used for the maximum detection are summed across all the different program run‐lengths and weighted with their respective percentage detection rates.…”

Section: Discussionmentioning

confidence: 99%

“…In another research, Bilar [3] compared the statically generated CFG of benign and malicious code. His findings showed a difference in the basic block count for benign and malicious code.…”

Section: Related Workmentioning

confidence: 99%

“…Prior to implementing a classifier, attributes are extracted from the raw data to create meaningful information in the form of features that can be used to train the classifier so that it can successfully predict the classifications of unknown samples. Bilar [3] have shown that a difference in structure between benign and malicious software exists. Therefore, the hypothesis is that this structural difference is present in the opcode population density.…”

Section: Dataset Creationmentioning

confidence: 99%

“…Therefore, representing a program as a set of instructions; where a program trace p can be defined as a sequence of instructions I and n is the number of instructions

p = I 1, I 2, \dots, I n

A program instruction is a 2‐tuple composed of an opcode and one or more operands. Opcodes are significant in themselves [3] and therefore the operand component of the instruction is discarded.…”

Section: Dataset Creationmentioning

confidence: 99%

See 3 more Smart Citations

Malware detection: program run length against detection rate

et al. 2014

View full text Add to dashboard Cite

N-gram analysis is an approach that investigates the structure of a program using bytes, characters or text strings. This research uses dynamic analysis to investigate malware detection using a classification approach based on N-gram analysis. A key issue with dynamic analysis is the length of time a program has to be run to ensure a correct classification. The motivation for this research is to find the optimum subset of operational codes (opcodes) that make the best indicators of malware and to determine how long a program has to be monitored to ensure an accurate support vector machine (SVM) classification of benign and malicious software. The experiments within this study represent programs as opcode density histograms gained through dynamic analysis for different program run periods. A SVM is used as the program classifier to determine the ability of different program run lengths to correctly determine the presence of malicious software. The findings show that malware can be detected with different program run lengths using a small number of opcodes.

show abstract

Section: Discussionmentioning

confidence: 99%

“…In another research, Bilar [3] compared the statically generated CFG of benign and malicious code. His findings showed a difference in the basic block count for benign and malicious code.…”

Section: Related Workmentioning

confidence: 99%

Section: Dataset Creationmentioning

confidence: 99%

“…Therefore, representing a program as a set of instructions; where a program trace p can be defined as a sequence of instructions I and n is the number of instructions

p = I 1, I 2, \dots, I n

Section: Dataset Creationmentioning

confidence: 99%

See 2 more Smart Citations

Malware detection: program run length against detection rate

et al. 2014

View full text Add to dashboard Cite

show abstract

“…Bilar 16 analyzes the struct of malware and goodware callgraphs regarding some properties, such as amount of normal internal function calls, amount of calls to external functions statically (libraries) or dynamically (imports) and amount of thunks (usually function envelopes). The results are presented in a statistical way and with several scatter-plots where each point color is proportional to the executable file size.…”

Section: Security Data Visualizationmentioning

confidence: 99%

Visualization techniques for malware behavior analysis

Grégio

Santos

2011

SPIE Proceedings

View full text Add to dashboard Cite

Malware spread via Internet is a great security threat, so studying their behavior is important to identify and classify them. Using SSDT hooking we can obtain malware behavior by running it in a controlled environment and capturing interactions with the target operating system regarding file, process, registry, network and mutex activities. This generates a chain of events that can be used to compare them with other known malware. In this paper we present a simple approach to convert malware behavior into activity graphs and show some visualization techniques that can be used to analyze malware behavior, individually or grouped.

show abstract

ECFGM: enriched control flow graph miner for unknown vicious infected code detection

Eskandari

Hashemi

2012

J Comput Virol

View full text Add to dashboard Cite

On callgraphs and generative mechanisms

Cited by 7 publications

References 35 publications

Malware detection: program run length against detection rate

Malware detection: program run length against detection rate

Visualization techniques for malware behavior analysis

ECFGM: enriched control flow graph miner for unknown vicious infected code detection

Contact Info

Product

Resources

About