scholarly journals A combined method of similar code sequences search in executable files

2019 ◽  
pp. 394-400
Author(s):  
A S Yumaganov
Keyword(s):  
Experimental Studies ◽  
Control Flow ◽  
Structural Description ◽  
Control Flow Graph ◽  
Flow Graph ◽  
Syntax Analysis ◽  
Fixed Order ◽  
Analysis Of Function ◽  
Similar Code ◽  
Flow Graphs

The article is devoted to the development of a method of similar code sequences search in executable files, which is based on both syntax analysis of the code and function’s control flow graphs analysis. The syntax analysis method used in this paper is based on a comparison of the spatial distribution of processor instructions in the function body. The analysis of function control flow graph is used a structural description of fixed-order subgraphs of the function control flow graph. The results of experimental studies, including the comparison of the proposed method and previously known methods of searching for similar code sequences, are presented.

Control Flow Graph Based Multiclass Malware Detection Using Bi-normal Separation

2016 ◽  
Vol 66 (2) ◽  
pp. 138 ◽  
Author(s):  
Akshay Kapoor ◽  
Sunita Dhavale
Keyword(s):  
Detection System ◽  
Malware Detection ◽  
Control Flow ◽  
Detection Accuracy ◽  
Control Flow Graph ◽  
Flow Graph ◽  
Document Frequency ◽  
Normal Separation ◽  
Metamorphic Malware ◽  
Flow Graphs

<p>Control flow graphs (CFG) and OpCodes extracted from disassembled executable files are widely used for malware detection. Most of the research in static analysis is focused on binary class malware detection which only classifies an executable as benign or malware. To overcome this issue, CFG based multiclass malware detection system that automatically classifies the malware into their respective families is proposed. The use Bi-normal separation (BNS) as a feature scoring metric. Experimental results show that proposed method using BNS outperforms compared to hitherto use technique of document Frequency for multiclass metamorphic malware detection and achieves detection accuracy of 99.5 per cent.</p><p> </p>

scholarly journals On the Automatic Analysis of the Practical Resistance of Obfusting Transformations

2019 ◽  
Vol 26 (3) ◽  
pp. 317-331 ◽  
Author(s):  
Petr D. Borisov ◽  
Yu. V. Kosolapov
Keyword(s):  
Execution Time ◽  
Hamming Distance ◽  
Symbolic Execution ◽  
Similarity Index ◽  
Control Flow ◽  
Control Flow Graph ◽  
Flow Graph ◽  
Similarity Indices ◽  
Program Characteristics ◽  
Flow Graphs

A method is developed for assessing the practical persistence of obfuscating transformations of programs based on the calculation of the similarity index for the original, obfuscated and deobfuscated programs. Candidates are proposed for similarity indices, which are based on such program characteristics as the control flow graph, symbolic execution time and degree of coverage for symbolic execution. The control flow graph is considered as the basis for building other candidates for program similarity indicators. On its basis, a new candidate is proposed for the similarity index, which, when calculated, finds the Hamming distance between the adjacency matrices of control flow graphs of compared programs. A scheme for estimating (analyzing) the persistence of obfuscating transformations is constructed, according to which for the original, obfuscated and deobfuscated programs, the characteristics of these programs are calculated and compared in accordance with the chosen comparison model. The developed scheme, in particular, is suitable for comparing programs based on similarity indices. This paper develops and implements one of the key units of the constructed scheme - a block for obtaining program characteristics compiled for the x86/x86 64 architecture. The developed unit allow to find the control flow graph, the time for symbolic execution and the degree of coverage for symbolic execution. Some results of work of the constructed block are given.

Sign in / Sign up

Export Citation Format

Share Document