I am making available my paper from the AusPDC conference http://sites.google.com/site/silviocesare/academicpublications. Any feedback or comments would be greatly appreciated.
Under advice from my University, I have removed access to the paper. I will make the paper available sometime again in the future. JFYI, the reason for removing access is not related to copyright of the conference proceedings.
If you can email the papers I would be very interested.
Could you mail me your papers?
Could you send me your papers?
I am a great fan of your past work… can I take a peek at the paper/algorithm?
Thanks.
http://sites.google.com/site/silviocesare/academicpublications
Has my two publications. More to come I hope.
—
Silvio
Thank you for the paper.
I fully appreciate the importance of malware classification. Every day the number of viruses is increasing… and from a talk by Kaspersky himself… he mentioned that his AV software never forgets any signature. So it really puzzles me how they are coping with the exponential growth in viruses and yet are able to match all of these via normal pattern matching. Your control flow approach seemed not much different from the normal pattern matching approach. I.e., if polymorphism is able to change the pattern, normally polymorphism will introduce a new control path to make it look different from the past control path. Am I right?
It’s observed that polymorphism does not affect the control flow as much. Most polymorphic techniques affect instruction and byte level content, but leave the control flow relatively unchanged. It is possible to add dead code that incorporates branching as you mention – which would affect the control flow. However, we can perform approximate matching of the control flow also. We can also perform dead code elimination as usual, which might be a useful normalization step. The general observation is that control flow is a stronger feature to use than byte or instruction level content because it captures a hint of what the underlying semantics are.
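The point made in the reply above, as an added illustration that is not part of the post or the paper: three constructed mini-assembly listings of the same loop, one transformed at the byte level (register renaming, instruction substitution, junk nops) and one with dead code containing a branch. The exact edge-list signature, the coarse per-block "shape" string and the similarity measure are assumptions chosen for this example, not the paper's method.

```python
import difflib
import hashlib
# Constructed mini-assembly listings (illustrative, not from the paper):
# ';'-separated instructions or "label:" markers. POLYMORPHIC is ORIGINAL
# after register renaming, instruction substitution and junk nops; DEAD_BRANCH
# additionally inserts dead code that contains a branch (the commenter's case).
ORIGINAL = "mov eax,0; top:; cmp eax,10; jge done; add eax,1; jmp top; done:; ret"
POLYMORPHIC = "xor ebx,ebx; nop; top:; cmp ebx,10; jge done; inc ebx; nop; jmp top; done:; ret"
DEAD_BRANCH = ("mov eax,0; top:; cmp eax,10; jge done; add eax,1; "
               "test ecx,ecx; jnz junk; nop; junk:; jmp top; done:; ret")
COND = {"je", "jne", "jz", "jnz", "jge", "jl", "jg", "jle"}
JUMPS = COND | {"jmp"}

def basic_blocks(listing):
    """Return (instrs, label_at, block starts). Leaders are instruction 0,
    every label target and every instruction that follows a jump."""
    instrs, label_at = [], {}
    for item in (s.strip() for s in listing.split(";")):
        if item.endswith(":"):
            label_at[item[:-1]] = len(instrs)
        else:
            instrs.append(item.split())
    leaders = {0} | set(label_at.values())
    leaders |= {i + 1 for i, ins in enumerate(instrs) if ins[0] in JUMPS}
    return instrs, label_at, sorted(s for s in leaders if s < len(instrs))

def cfg_edges(listing):
    """Exact control-flow signature: sorted (block, successor) edge list."""
    instrs, label_at, starts = basic_blocks(listing)
    block_of = lambda i: max(b for b, s in enumerate(starts) if s <= i)
    edges = set()
    for b, end in enumerate(starts[1:] + [len(instrs)]):
        last = instrs[end - 1]
        if last[0] in JUMPS:                      # taken branch
            edges.add((b, block_of(label_at[last[1]])))
        if last[0] not in ("jmp", "ret") and end < len(instrs):
            edges.add((b, b + 1))                 # fall-through
    return tuple(sorted(edges))

def block_shape(listing):
    """Per-block shape string (F fall-through, C cond. jump, U jmp, R ret)."""
    instrs, _, starts = basic_blocks(listing)
    kind = lambda m: "C" if m in COND else "U" if m == "jmp" else "R" if m == "ret" else "F"
    return "".join(kind(instrs[e - 1][0]) for e in starts[1:] + [len(instrs)])

def byte_signature(listing):  # what a byte-level pattern matcher sees
    return hashlib.sha256(listing.encode()).hexdigest()

def cfg_similarity(a, b):  # approximate control-flow match in [0, 1]
    return difflib.SequenceMatcher(None, block_shape(a), block_shape(b)).ratio()
```

The byte signatures of all three listings differ, while the polymorphic variant yields exactly the same edge list as the original and the dead-branch variant still scores 0.8 on the approximate shape match.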