Large-Scale Malware Indexing Using Function-Call Graphs
Large-Scale Malware Indexing Using Function-Call Graphs
3/15 黃瀚嶙
REFERENCES
Xin Hu, Kang G. Shin, Tzi-cker Chiueh. Large-Scale Malware Indexing Using Function-Call Graphs. CCS '09.
Outline
- Introduction
- Function-Call Graph Extraction
- Graph-Similarity Metric
- Multi-Resolution Indexing
- Evaluation
- Conclusion
Introduction
SMIT: Symantec Malware Indexing Tree, the system proposed in the paper. It indexes a large malware collection by the function-call graph of each sample, so that the nearest neighbours of a new sample can be found by graph similarity.
Function-Call Graph Extraction
Definition (function-call graph): $g = (V_g, E_g, I_g, L_g)$
- $V_g$: the functions of the binary (vertices)
- $E_g$: directed edges, one for each call from one function to another
- $I_g$: vertex labels: symbolic function name, mnemonic sequence and CRC value
- $L_g$: labelling function $V_g \to I_g$
Graph-Similarity Metric - Graph Edit Distance
Vertex-edit operations
- $\sigma_R$: relabel a vertex
- $\sigma_{IV}$: insert an isolated vertex
- $\sigma_{RV}$: remove an isolated vertex
Edge-edit operations
- $\sigma_{IE}$: insert an edge
- $\sigma_{RE}$: remove an edge
Edit path $P_{g,h} = (\sigma_1, \sigma_2, \ldots, \sigma_n)$: a sequence of edit operations that transforms $g$ into $h$, i.e. $h = \sigma_n(\sigma_{n-1}(\ldots \sigma_1(g) \ldots))$.
Cost: $C(P_{g,h}) = \sum_{i=1}^{n} c(\sigma_i)$, the sum of the costs of the operations on the path.
Edit distance: $ed(g,h) = \min_{P_{g,h}} C(P_{g,h})$, the cost of the cheapest edit path from $g$ to $h$.
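The definitions above carried into working code, as an added example that is not code from the slides or from the paper. It assumes unit cost for each of the five operations (the page does not state the paper's cost model) and finds the minimum by brute force over vertex correspondences, which is only feasible for toy graphs; the paper's own contribution is an efficient algorithm for this step, which is not reproduced here. Labels follow the slide's definition (symbolic name for library functions, CRC of the mnemonic sequence for local functions); the two sample graphs are constructed for the example.

```python
import zlib
from itertools import permutations


def make_graph(functions, calls):
    """g = (V, E, L) with the slide's label set: a local function is labelled by the
    CRC32 of its mnemonic sequence, an imported library function (body None) by its
    symbolic name. Constructed helper for this example."""
    label = {}
    for name, mnemonics in functions.items():
        if mnemonics is None:
            label[name] = name
        else:
            label[name] = "crc32:%08x" % zlib.crc32(" ".join(mnemonics).encode())
    return set(functions), set(calls), label


def edit_distance(g, h):
    """ed(g, h) = min over edit paths of their cost, with unit cost per operation
    (assumption of this example). Every edit path corresponds to a partial injective
    map V_g -> V_h, so the minimum is found by enumerating those maps. Exponential:
    tiny graphs only."""
    vg, eg, lg = g
    vh, eh, lh = h
    vg, vh = sorted(vg), sorted(vh)
    n = max(len(vg), len(vh))
    best = float("inf")
    for partners in permutations(list(vh) + [None] * (n - len(vh))):
        mapping, cost = {}, 0
        for i, v in enumerate(partners):
            if i < len(vg):
                if v is None:
                    cost += 1                # sigma_RV: vg[i] is removed
                else:
                    mapping[vg[i]] = v
                    if lg[vg[i]] != lh[v]:
                        cost += 1            # sigma_R: relabel vg[i] to lh[v]
            elif v is not None:
                cost += 1                    # sigma_IV: h-vertex v is inserted
        # A g-edge survives only if both endpoints are mapped and its image is an
        # edge of h; every other edge costs one removal (g) or one insertion (h).
        images = {(mapping[a], mapping[b]) for a, b in eg
                  if a in mapping and b in mapping}
        cost += len(eg) - len(images)        # sigma_RE: edges at removed vertices
        cost += len(images - eh)             # sigma_RE: mapped edges missing in h
        cost += len(eh - images)             # sigma_IE: edges present only in h
        best = min(best, cost)
    return best


# Constructed samples: an original and a variant whose local helper was rebuilt
# (different mnemonic sequence, hence a different CRC label) and gained one call.
ORIGINAL = make_graph(
    {"start": ["push", "call", "call", "ret"],
     "sub_401000": ["push", "mov", "call", "pop", "ret"],
     "CreateFileA": None, "WriteFile": None},
    [("start", "CreateFileA"), ("start", "sub_401000"), ("sub_401000", "WriteFile")])

VARIANT = make_graph(
    {"start": ["push", "call", "call", "ret"],
     "sub_401000": ["push", "mov", "xor", "call", "pop", "ret"],
     "CreateFileA": None, "WriteFile": None, "ExitProcess": None},
    [("start", "CreateFileA"), ("start", "sub_401000"),
     ("sub_401000", "WriteFile"), ("start", "ExitProcess")])

if __name__ == "__main__":
    print("ed(original, original) =", edit_distance(ORIGINAL, ORIGINAL))
    print("ed(original, variant)  =", edit_distance(ORIGINAL, VARIANT))
```

For the constructed pair the cheapest path is one relabel (the rebuilt helper), one vertex insertion (ExitProcess) and one edge insertion (the new call), for a distance of 3; deleting and re-inserting the helper instead would cost 6 because its two edges must be removed and re-added.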
Multi-Resolution Indexing - B+-tree Index
Feature vector $v = (N_i, N_f, N_x, N_m)$
- $N_i$: total number of instructions
- $N_f$: total number of functions
- $N_x$: total number of control-transfer instructions (calls, jumps, returns)
- $N_m$: median number of instructions per function
The B+-tree is keyed on this cheap-to-compute vector and forms the coarse level of the index: only samples whose vectors are close to the query's are passed on to the expensive graph-distance comparison.
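Extraction of the call graph and of the feature vector on a constructed toy listing, as an added example that is not code from the slides or from SMIT. DISASM, IMPORTS and INDEX are made up for the example; the B+-tree range scan of the real index is replaced by a linear scan over a small in-memory list, and counting only functions that have a body in Nf is this example's choice.

```python
import statistics
import zlib

# Constructed toy disassembly (not real malware): function name -> list of
# (mnemonic, operand) pairs. Imported library functions have no body here and
# appear only as call targets.
DISASM = {
    "start": [("push", "ebp"), ("mov", "ebp, esp"), ("call", "sub_401000"),
              ("call", "sub_401040"), ("test", "eax, eax"), ("jz", "loc_4010a0"),
              ("call", "ExitProcess"), ("ret", "")],
    "sub_401000": [("push", "0"), ("call", "CreateFileA"),
                   ("mov", "[esi], eax"), ("ret", "")],
    "sub_401040": [("push", "esi"), ("call", "WriteFile"),
                   ("call", "sub_401000"), ("pop", "esi"), ("ret", "")],
}
IMPORTS = {"CreateFileA", "WriteFile", "ExitProcess"}


def is_control_transfer(mnemonic):
    # Calls, returns and all jumps (jmp plus the conditional jcc family).
    return mnemonic in {"call", "ret", "retn", "jmp"} or mnemonic.startswith("j")


def extract_call_graph(disasm, imports):
    """Build g = (V, E, I, L): V = functions, E = directed call edges, and L maps
    each vertex to its label (symbolic name, mnemonic sequence, CRC) in I."""
    vertices = set(disasm) | set(imports)
    edges = set()
    label = {}
    for name, insns in disasm.items():
        mnemonics = tuple(m for m, _ in insns)
        crc = zlib.crc32(" ".join(mnemonics).encode())
        label[name] = (name, mnemonics, crc)
        for m, operand in insns:
            if m == "call" and operand in vertices:
                edges.add((name, operand))
    for imp in imports:
        # Library functions are identified by symbolic name: no body, no CRC.
        label[imp] = (imp, (), None)
    return vertices, edges, label


def feature_vector(disasm):
    """v = (Ni, Nf, Nx, Nm) over the functions that have a body in the listing."""
    sizes = [len(insns) for insns in disasm.values()]
    ni = sum(sizes)
    nf = len(sizes)
    nx = sum(1 for insns in disasm.values()
             for m, _ in insns if is_control_transfer(m))
    nm = statistics.median(sizes)
    return (ni, nf, nx, nm)


# Constructed index entries: (sample id, feature vector), as the B+-tree keys them.
INDEX = [
    ("sample.a", (17, 3, 10, 5)),
    ("sample.b", (19, 3, 11, 5)),
    ("sample.c", (400, 25, 90, 12)),
    ("sample.d", (16, 4, 9, 4)),
]


def range_candidates(index, query_vec, tolerance):
    """Coarse stage: keep entries whose vector lies within +/- tolerance of the
    query on every component. The real index answers this with a B+-tree range
    scan; a linear scan is used here so the block stays self-contained."""
    return [sid for sid, vec in index
            if all(abs(a - b) <= t for a, b, t in zip(vec, query_vec, tolerance))]


if __name__ == "__main__":
    V, E, L = extract_call_graph(DISASM, IMPORTS)
    q = feature_vector(DISASM)
    print("vertices:", sorted(V))
    print("edges:", sorted(E))
    print("feature vector:", q)
    print("candidates for graph comparison:", range_candidates(INDEX, q, (5, 1, 3, 2)))
```

On the toy listing the query vector is (17, 3, 10, 5), and with the tolerance used in the usage call three of the four indexed samples survive the coarse stage; only those would be compared by graph edit distance.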
Multi-Resolution Indexing - Optimistic Vantage Point Tree
Query graph $q$, k-NN search of a VPT whose root pivot is $p$: child $i$ of the root holds the graphs whose distance to $p$ lies in $[low[i], high[i]]$, and $\delta_{now}$ is the distance of the k-th nearest neighbour found so far.
Prune child $i$ if $high[i] < d(p,q) - \delta_{now}$ or $low[i] > d(p,q) + \delta_{now}$: by the triangle inequality every graph in that subtree is farther than $\delta_{now}$ from $q$, so it cannot enter the result.
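The pruning rule run on a small vantage point tree, as an added example that is not the paper's OVPT implementation. The tree is built by the plain VPT construction (first item as pivot, children as rings of pivot distance), the metric is L1 distance between constructed feature vectors instead of graph edit distance (any metric satisfying the triangle inequality works with the rule), SAMPLES and QUERY are made up, and the "optimistic" refinements of the paper's tree are not reproduced.

```python
# Constructed index entries: (sample id, feature vector (Ni, Nf, Nx, Nm)).
SAMPLES = [
    ("w32.a",  (1200, 40, 210, 18)),
    ("w32.a1", (1230, 41, 215, 18)),
    ("w32.b",  (5400, 130, 900, 22)),
    ("w32.c",  (300, 9, 60, 30)),
    ("w32.d",  (7800, 210, 1500, 25)),
    ("w32.e",  (1180, 38, 200, 19)),
    ("w32.f",  (2600, 75, 450, 20)),
    ("w32.g",  (640, 20, 110, 24)),
    ("w32.h",  (9900, 320, 1700, 21)),
    ("w32.i",  (2550, 70, 440, 21)),
]
QUERY = ("query", (1210, 40, 208, 18))


def l1(a, b):
    """Stand-in metric: L1 distance between feature vectors (SMIT's tree uses graph
    edit distance; the pruning rule only needs the triangle inequality)."""
    return sum(abs(x - y) for x, y in zip(a[1], b[1]))


class VPTree:
    def __init__(self, items, dist, fanout=2, leaf_size=2):
        self.dist = dist
        self.fanout = fanout
        self.leaf_size = leaf_size
        self.root = self._build(list(items))

    def _build(self, items):
        if len(items) <= self.leaf_size:
            return ("leaf", items)
        pivot, rest = items[0], items[1:]            # first item serves as pivot p
        rest.sort(key=lambda x: self.dist(pivot, x))
        d = [self.dist(pivot, x) for x in rest]
        width = -(-len(rest) // self.fanout)         # ceil: items per ring
        children = []
        for i in range(0, len(rest), width):
            chunk = rest[i:i + width]
            # child covers pivot distances in [low, high]
            low, high = d[i], d[i + len(chunk) - 1]
            children.append((low, high, self._build(chunk)))
        return ("node", pivot, children)

    def knn(self, q, k):
        """Return (k nearest (distance, item) pairs, number of distance computations)."""
        best = []          # up to k (distance, item) pairs, sorted by distance
        visited = [0]      # distance computations, to show the effect of pruning

        def consider(x, dqx):
            visited[0] += 1
            best.append((dqx, x))
            best.sort(key=lambda t: t[0])
            del best[k:]

        def delta_now():
            return best[-1][0] if len(best) == k else float("inf")

        def search(node):
            if node[0] == "leaf":
                for x in node[1]:
                    consider(x, self.dist(q, x))
                return
            _, p, children = node
            dpq = self.dist(p, q)
            consider(p, dpq)
            for low, high, child in children:
                # Triangle inequality: every x in the child satisfies
                # d(q, x) >= |d(p, q) - d(p, x)| > delta_now, so skip the subtree.
                if high < dpq - delta_now() or low > dpq + delta_now():
                    continue
                search(child)

        search(self.root)
        return best, visited[0]


if __name__ == "__main__":
    result, computed = VPTree(SAMPLES, l1).knn(QUERY, 3)
    for dqx, (sid, _) in result:
        print(sid, dqx)
    print("distance computations:", computed, "of", len(SAMPLES))
```

The search returns the three nearest entries with their distances and the number of distance computations it needed; on this input the far rings are pruned at the first test, so only four of the ten samples are ever compared with the query, and the result matches a brute-force scan of all ten.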
Evaluation
[Figure: evaluation results]
Conclusion
Contributions
- efficient graph-distance computation algorithm
- multi-resolution indexing
- performance