Classification of Malware Using Structured Control Flow

I am making available my paper from the AusPDC conference http://sites.google.com/site/silviocesare/academicpublications. Any feedback or comments would be greatly appreciated.

8 responses to “Classification of Malware Using Structured Control Flow”

  1. Under advice from my University, I have removed access to the paper. I will make the paper available sometime again in the future. JFYI, The reason for removing access is not related to copyright of the conference proceedings.

  2. If you can email the papers I would be very interested.

  3. Could you mail me your papers.

  4. Could you send me your papers

  5. I am a great fan of your past work….can I take a peek at the paper/algorithm?

  6. Thank you for the paper.

    I fully appreciate the importance of malware classification. Every day the number of viruses is increasing... and from a talk by Kaspersky himself, he mentioned that his AV software never forgets any signature. So it really puzzles me how they are coping with the exponential growth in viruses and yet are able to match all of these via normal pattern matching. Your control flow approach seems not much different from the normal pattern matching approach. I.e., if polymorphism is able to change the pattern, normally polymorphism will introduce a new control path to make it look different from the past control path. Am I right?

  7. It’s observed that polymorphism does not affect the control flow as much. Most polymorphic techniques affect instruction and byte level content, but leave the control flow relatively unchanged. It is possible to add dead code that incorporates branching as you mention – which would affect the control flow. However, we can perform approximate matching of the control flow also. We can also perform dead code elimination as per usual, which might be a useful normalization step. The general observation is that control flow is a stronger feature to use than byte or instruction level content because it captures a hint of what the underlying semantics are.
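The point made in the reply above (instruction-level polymorphism changes the bytes but not the control flow, and added branching can still be handled by approximate matching) can be seen on a toy example. The following is an added illustration, not code from the post or from the paper: it uses a constructed pseudo-assembly, a simplified CFG-shape signature (one letter per basic block in depth-first order, plus a marker for back edges) rather than the paper's structured control flow strings, and difflib's ratio as the approximate matcher. Label names, register choices and the three listings are all invented for the demonstration.

```python
"""Toy demo: polymorphism that rewrites instructions leaves the control flow
graph (CFG) unchanged, so a CFG-shape signature survives where a byte-level
hash does not. All assembly here is constructed for illustration."""
from difflib import SequenceMatcher
import hashlib

BRANCH_OPS = {"jmp", "jz", "jnz", "ret"}

# Constructed listing: a counted loop.
ORIGINAL = """
start:
  mov eax, 0
  mov ecx, 10
loop:
  add eax, ecx
  dec ecx
  jz done
  jmp loop
done:
  ret
"""

# Same program after instruction-level substitution: every non-branch
# instruction differs, but the branch structure is identical.
VARIANT = """
start:
  xor eax, eax
  push 10
  pop ecx
loop:
  lea eax, [eax+ecx]
  sub ecx, 1
  jz done
  jmp loop
done:
  ret
"""

# ORIGINAL plus a never-taken branch to a dead block, the case the reply
# says must be handled by approximate matching or dead code elimination.
DEAD_BRANCH = """
start:
  mov eax, 0
  mov ecx, 10
  cmp ecx, ecx
  jnz dead        ; never taken
loop:
  add eax, ecx
  dec ecx
  jz done
  jmp loop
done:
  ret
dead:
  nop
  ret
"""

def parse_blocks(asm):
    """Split the toy assembly (labels end with ':', one instruction per line,
    ';' starts a comment) into basic blocks as a list of (name, [instrs]).
    A block ends at a branch instruction or just before the next label."""
    blocks, cur, anon = [], None, 0
    for raw in asm.strip().splitlines():
        line = raw.split(";")[0].strip()
        if not line:
            continue
        if line.endswith(":"):
            cur = (line[:-1], [])
            blocks.append(cur)
            continue
        if cur is None or (cur[1] and cur[1][-1].split()[0] in BRANCH_OPS):
            anon += 1                       # fall-through block after a branch
            cur = (f"_ft{anon}", [])
            blocks.append(cur)
        cur[1].append(line)
    return blocks

def build_cfg(blocks):
    """Map block name -> (kind, successors); kind is C (conditional jump),
    J (unconditional jump), R (return) or F (fall-through)."""
    cfg = {}
    for i, (name, ins) in enumerate(blocks):
        nxt = blocks[i + 1][0] if i + 1 < len(blocks) else None
        op, *args = ins[-1].split() if ins else ["nop"]
        if op == "ret":
            cfg[name] = ("R", [])
        elif op == "jmp":
            cfg[name] = ("J", [args[0]])
        elif op in ("jz", "jnz"):           # taken edge first, then fall-through
            cfg[name] = ("C", [s for s in (args[0], nxt) if s])
        else:
            cfg[name] = ("F", [nxt] if nxt else [])
    return cfg

def cfg_signature(blocks):
    """Depth-first walk from the entry block emitting each block's kind and a
    'B' for every edge to an already-visited block. Instruction text and
    label names never reach the signature, so substitution cannot change it."""
    cfg, seen, out = build_cfg(blocks), set(), []
    def visit(b):
        seen.add(b)
        kind, succs = cfg[b]
        out.append(kind)
        for s in succs:
            out.append("B") if s in seen else visit(s)
    visit(blocks[0][0])
    return "".join(out)

def byte_signature(blocks):
    """What an exact pattern matcher sees: a hash of the instruction text."""
    text = "\n".join(i for _, ins in blocks for i in ins)
    return hashlib.sha256(text.encode()).hexdigest()

def compare(asm_a, asm_b):
    """Return (same_bytes, same_cfg, cfg_similarity, instruction_similarity);
    the similarities are difflib ratios in [0, 1] used as approximate matches."""
    ba, bb = parse_blocks(asm_a), parse_blocks(asm_b)
    sa, sb = cfg_signature(ba), cfg_signature(bb)
    ia = [i for _, ins in ba for i in ins]
    ib = [i for _, ins in bb for i in ins]
    return (byte_signature(ba) == byte_signature(bb), sa == sb,
            SequenceMatcher(None, sa, sb).ratio(),
            SequenceMatcher(None, ia, ib).ratio())

if __name__ == "__main__":
    print(cfg_signature(parse_blocks(ORIGINAL)))   # FCRJB
    print(compare(ORIGINAL, VARIANT))              # (False, True, 1.0, 0.4)
    print(compare(ORIGINAL, DEAD_BRANCH))          # cfg ratio 8/11, not 1.0
```

Running it shows the three cases from the discussion: ORIGINAL and VARIANT hash differently and share only 40% of their instructions, yet have the identical signature `FCRJB`; DEAD_BRANCH changes the signature to `CRCRJB`, but the approximate match still scores about 0.73, and removing the never-taken branch (dead code elimination) would restore the exact match.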
