Abstract for AusPDC


Classification of Malware Using Structured Control Flow

Malware is a pervasive problem in distributed computer and network systems. Identification of malware variants provides great benefit in early detection. Control flow has been proposed as a characteristic that can be identified across variants, resulting in flowgraph based malware classification. Static analysis is widely used for the classification but can be ineffective if malware undergoes a code packing transformation to hide its real content. This paper proposes a novel algorithm for constructing a control flow graph signature using the decompilation technique of structuring. Similarity between structured graphs can be quickly determined using string edit distances. To reverse the code packing transformation, a fast application level emulator is proposed. To demonstrate the effectiveness of the automated unpacking and flowgraph based classification, we implement a complete system and evaluate it using synthetic and real malware. The evaluation shows our system is highly effective in terms of accuracy in revealing all the hidden code, execution time for unpacking, and accuracy in classification.


9 responses to “Abstract for AusPDC

  1. Silvio, might you please upload your paper here?

    The conference was already over, so I think there is no problem putting it to the public.


    • Hi Ng. I’ve been waiting until the paper is archived on the ACM Portal. There may be some typographical changes between my camera ready version and the publisher’s version. I’m quite new to the academic publishing business, but for those who are interested in my paper I can probably send you a copy of my version or perhaps give you the conference proceedings which contains a single pdf containing all the papers from the conference. This would be under the proviso the recipients do not redistribute copies.

  2. Silvio, actually that is not necessary to wait like that. You can always put your paper to public any time, because you keep the full copyright.

    Nowadays, a lot of people even put their papers to public even before the conference starts, or as early as they can. The reason is that it make their papers more known to public, thus get a better chance to be quickly referred by other papers. As a result, that increases their paper impact.

    If you dont believe me, look at major ones like Usenix or ACM CCS, and see what the authors did before the conference. Some even publish their papers 2 months before the conference.

    So you are encouraged to do so, because that is only good for you, and does no harm at all. There is no reason to keep it private, especially now it is already presented to the public (at conference)

  3. Remember that you keep the *full* copyright, so you dont need to ask for permission of *anybody* whenever you want to put it to public.

    Keep up the good work, thanks!

  4. Sorry to forget this: it might take 2-3 months for your paper to be archived online at ACM. That is too long, I think.

    In my case, I even encourage others to redistribute my papers, because that only brings good thing back to me, but does no harm at all ๐Ÿ™‚

  5. You’ve convinced me ๐Ÿ™‚

  6. excellent, i will look at that.

    a recommendation: if you are confident, publish your future papers in major conferences, but not minor ones. papers published in small conferences have little impact, if at all.

    remember that in science, quality matters, not quantity. thus one paper in good conference counted more than 10 in crappy ones.

    keep it up,

  7. Yes. This was a small conference. It is primarily for Australasion researchers. It was on the suggestion of my supervisor. I have a related (but novel) paper at the AINA conference which is a significantly larger and more highly ranked.

    I am confident in my AusPDC paper – I think it has a novel and interesting contribution., in addition to giving an academic source for unpacking using emulation in the style of AV. However, I think it will see very few citations (if any) until it is archived by ACM. I am not entirely sure what the process is for why some papers have more impact. Is it just the fact that higher quality publications are in bigger conferences, so they have more impact as a result – or is it because a publication is in a conference that normally has high impact.

  8. My take on citations: if you publish your paper on a highly-ranked, well-known conference, more people will read it compared to small conferences/workshops. Furthermore, these well-known conferences have typically higher standards and the acceptance rate is often below 20%. As a result of both factors, more people will likely cite the paper.

    There are a few websites that list rankings, e.g., http://faculty.cs.tamu.edu/guofei/sec_conf_stat.htm or http://icsd.i2r.a-star.edu.sg/staff/jianying/conference-ranking.html

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s