Institutional Repository
| depsim: a dependency-based malware similarity comparison system | |
| Yi Yang; Lingyun Ying; Rui Wang; Purui Su; Dengguo Feng | |
| 2011 | |
| Conference Name | 6th China International Conference on Information Security and Cryptology, Inscrypt 2010 |
| Source | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
| Pages | 503-522 |
| Conference Date | 20-Oct |
| Conference Place | Shanghai, China |
| Indexed Type | EI |
| Publish Place | Germany |
| ISSN | 3029743 |
| ISBN | 9783642215179 |
| Department | (1) State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China; (2) State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, Beijing 100049, China; (3) National Engineering Research Center for Information Security, Beijing 100190, China |
| English Abstract | It is important for malware analysis that comparing unknown files to previously-known malicious samples to quickly characterize the type of behavior and generate signatures. Malware writers often use obfuscation, such as packing, junk-insertion and other means of techniques to thwart traditional similarity comparison methods. In this paper, we introduce DepSim, a novel technique for finding dependency similarities between malicious binary programs. DepSim constructs dependency graphs of control flow and data flow of the program by taint analysis, and then conducts similarity analysis using a new graph isomorphism technique. In order to promote the accuracy and anti-interference capability, we reduce redundant loops and remove junk actions at the dependency graph pre-processing phase, which can also greatly improve the performance of our comparison algorithm. We implemented a prototype of DepSim and evaluated it to malware in the wild. Our prototype system successfully identified some semantic similarities between malware and revealed their inner similarity in program logic and behavior. The results demonstrate that our technique is accurate. © 2011 Springer-Verlag. |
| Keyword | Behavioral Research Computer Crime Cryptography Dynamic Analysis Network Security Program Processors Semantics |
| Sponsorship | State Key Laboratory of Information Security; Chinese Academy of Sciences; Chinese Association for Cryptologic Research |
| Content Type | 会议论文 |
| URI | http://ir.iscas.ac.cn/handle/311060/14329 |
| Collection | 信息安全国家重点实验室 |
| Recommended Citation GB/T 7714 | Yi Yang,Lingyun Ying,Rui Wang,et al. depsim: a dependency-based malware similarity comparison system[C]. Germany,2011:503-522. |
| Files in This Item: | ||||||
| File Name/Size | DocType | Version | Access | License | ||
| depsim a dependency (912KB) | 开放获取 | -- | Application Full Text | |||
Items in the repository are protected by copyright, with all rights reserved, unless otherwise indicated.
Edit Comment