Large-Scale Malware Indexing Using Function-Call Graphs

Presentation Transcript


  1. Large-Scale Malware Indexing Using Function-Call Graphs 3/15 黃瀚嶙

  2. REFERENCES • Large-Scale Malware Indexing Using Function-Call Graphs. Xin Hu, Kang G. Shin, Tzi-cker Chiueh, CCS '09

  3. Outline • Introduction • Function-Call Graph Extraction • Graph-Similarity Metric • Multi-Resolution Indexing • Evaluation • Conclusion

  4. Introduction • SMIT: Symantec Malware Indexing Tree

  5. Function-Call Graph Extraction • Definition (Function-Call Graph): $g = (V_g, E_g, I_g, L_g)$ - $V_g$: the functions (vertices) - $E_g$: directed edges (caller to callee) - $I_g$: symbolic function name, mnemonic sequence and CRC value - $L_g$: labeling function $V_g \to I_g$

  6. Function-Call Graph Extraction

  7. Graph-Similarity Metric - Graph Edit Distance • Vertex-edit operations - $\sigma_R$: relabel a vertex - $\sigma_{IV}$: insert an isolated vertex - $\sigma_{RV}$: remove an isolated vertex • Edge-edit operations - $\sigma_{IE}$: insert an edge - $\sigma_{RE}$: remove an edge

  8. Graph-Similarity Metric - Graph Edit Distance • Edit path $P_{g,h}$: if $P_{g,h} = (\sigma_1, \sigma_2, \ldots, \sigma_n)$ then $h = \sigma_n(\sigma_{n-1}(\cdots \sigma_1(g) \cdots))$ • Cost: $C(P) = \sum_{i=1}^{n} c(\sigma_i)$, the sum of the costs along the path • Edit distance: $ed(g,h) = \min_{P_{g,h}} C(P_{g,h})$

  9. Multi-Resolution Indexing

  10. Multi-Resolution Indexing - B+-tree Index • feature vector $v = (N_i, N_f, N_x, N_m)$ - $N_i$: total number of instructions - $N_f$: total number of functions - $N_x$: total number of control transfer instructions - $N_m$: median number of instructions per function

  11. Multi-Resolution Indexing-B+-tree Index

  12. Multi-Resolution Indexing - Optimistic Vantage Point Tree • query graph $q$, KNN search of a VPT with a root pivot $p$ • Prune child $i$ if $high[i] < d(p,q) - \delta_{now}$ or $low[i] > d(p,q) + \delta_{now}$
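The two levels of the index described on slides 7, 8 and 10, as an added example that is not part of the presentation or the paper: the coarse feature vector $v = (N_i, N_f, N_x, N_m)$ used as the B+-tree key, and the exact graph edit distance under the slide's unit-cost edit operations, computed by brute force over vertex correspondences (the paper itself uses an approximation, not this enumeration). The sample graphs, the mnemonic sequences and the set of mnemonics counted as control transfers are constructed assumptions.

```python
from itertools import combinations, permutations
from statistics import median

# Constructed sample graphs in the slide's notation g = (Vg, Eg, Ig, Lg):
# a vertex is a function name, its label Lg(v) is the function's mnemonic
# sequence, and Eg holds caller -> callee edges. Not taken from the paper.
G_LABELS = {"main": ["push", "call", "call", "ret"],
            "init": ["mov", "xor", "ret"],
            "crypt": ["xor", "rol", "loop", "ret"]}
G_EDGES = {("main", "init"), ("main", "crypt")}
# Variant of G: one instruction in 'crypt' changed, a new 'net' function added.
H_LABELS = dict(G_LABELS, crypt=["xor", "ror", "loop", "ret"],
                net=["push", "call", "ret"])
H_EDGES = G_EDGES | {("main", "net")}

# Mnemonics counted as control-transfer instructions for Nx (an assumption).
CONTROL_TRANSFER = {"call", "ret", "jmp", "je", "jne", "loop"}


def feature_vector(labels):
    """Coarse B+-tree key v = (Ni, Nf, Nx, Nm) from slide 10."""
    sizes = [len(seq) for seq in labels.values()]
    nx = sum(m in CONTROL_TRANSFER for seq in labels.values() for m in seq)
    return (sum(sizes), len(labels), nx, median(sizes))


def graph_edit_distance(g_labels, g_edges, h_labels, h_edges):
    """Exact ed(g, h) under slide 7's unit-cost operations: relabel a vertex,
    insert/remove an isolated vertex, insert/remove an edge.  Enumerates every
    injective vertex correspondence, so it is for small graphs only."""
    gv, hv = list(g_labels), list(h_labels)
    best = None
    for k in range(min(len(gv), len(hv)) + 1):
        for gs in combinations(gv, k):
            for hs in permutations(hv, k):
                m = dict(zip(gs, hs))
                # Mapped vertices whose labels differ cost one relabel each.
                cost = sum(g_labels[a] != h_labels[m[a]] for a in gs)
                # Unmapped vertices are removed from g or inserted into h.
                cost += (len(gv) - k) + (len(hv) - k)
                # Edges of g whose image is not an edge of h are removed; edges
                # of h without a preimage are inserted (an edge touching an
                # unmapped vertex always falls into one of these two sets).
                image = {(m[a], m[b]) for a, b in g_edges if a in m and b in m}
                cost += len(g_edges) - len(image & h_edges)
                cost += len(h_edges - image)
                if best is None or cost < best:
                    best = cost
    return best
```

For the constructed pair above the distance is 3: one relabel, one inserted vertex and one inserted edge, which is also the lower bound given the size difference.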

  13. Evaluation (figure)

  14. Evaluation (figure)

  15. Conclusion • Contributions - efficient graph-distance computation algorithm - multi-resolution indexing - performance
