Skip to main content
SpringerLink
Log in

Function Call Graphs Versus Machine Learning for Malware Detection

  • Chapter
  • First Online:
Book cover Guide to Vulnerability Analysis for Computer Networks and Systems

Part of the book series: Computer Communications and Networks ((CCN))

Abstract

Recent work has shown that a function call graph technique can perform well on some challenging malware detection problems. In this chapter, we compare this function call graph approach to elementary machine learning techniques that are trained on simpler features. We find that the machine learning techniques are generally more robust than the function call graphs, in the sense that the malware must be modified to a far greater extent before the machine learning techniques are significantly degraded. This work provides evidence that machine learning is likely to perform better than ad hoc approaches, particularly when faced with intelligent attackers who can attempt to exploit the inherent weaknesses in a given detection strategy.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 44.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 59.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 59.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Shang S, Zheng N, Xu J, Xu M, Zhang H (2015) Detecting malware variants via function-call graph similarity. In: MALWARE 2015 Proceedings of malicious and unwanted software, pp 113–120

    Google Scholar 

  2. Xu, M., Wu, L., Qi, S., Xu, J., Zhang, H., Ren, Y., Zheng, N.: A similarity metric method of obfuscated malware using function-call graph. J Comput Virol Hacking Tech 9(1), 35–47 (2013)

    Article  Google Scholar 

  3. Singh, T., Troia, F.D., Visaggio, C.A., Austin, T.H., Stamp, M.: Support vector machines and malware detection. J Comput Virol Hacking Tech 12(4), 203–212 (2016). https://doi.org/10.1007/s11416-015-0252-0

    Article  Google Scholar 

  4. Christodorescu M, Jha S (2003) Static analysis of executables to detect malicious patterns. In: Proceedings of the 12th conference on USENIX security symposium, SSYM’03, USENIX Association, Berkeley, CA, USA, pp 169–186. http://dl.acm.org/citation.cfm?id=1251353.1251365

  5. Alam, S., Traor, I., Sogukpinar, I.: Annotated control flow graph for metamorphic malware detection. Comput J 58(10), 2608–2621 (2015)

    Article  Google Scholar 

  6. Deshpande, P., Stamp, M.: Metamorphic detection using function call graph analysis. MIS Rev Int J 21(1/2), 15–34 (2015)

    Google Scholar 

  7. Xin K, Li G, Qin Z, Zhang Q (2012) Malware detection in smartphone using hidden Markov model. In: Fourth international conference on multimedia information networking and security, MINES 2012, pp 857–860

    Google Scholar 

  8. Qin Z, Chen N, Zhang Q, Di Y (2011) Mobile phone viruses detection based on HMM. In: Third international conference on multimedia information networking and security, MINES 2011, pp 516–519

    Google Scholar 

  9. Attaluri, S., McGhee, S., Stamp, M.: Profile hidden Markov models and metamorphic virus detection. J Comput Virol 5(2), 151–169 (2009). https://doi.org/10.1007/s11416-008-0105-1

    Article  Google Scholar 

  10. Damodaran, A., Troia, F.D., Visaggio, C.A., Austin, T.H., Stamp, M.: A comparison of static, dynamic, and hybrid analysis for malware detection. J Comput Virol Hacking Tech 13(1), 1–12 (2017). https://doi.org/10.1007/s11416-015-0261-z

    Article  Google Scholar 

  11. Zhang B, Yin J, Hao J, Zhang D, Wang S (2007) Malicious codes detection based on ensemble learning. In: Proceedings of the 4th international conference on autonomic and trusted computing, ATC’07. Springer, Berlin, pp 468–477. http://dl.acm.org/citation.cfm?id=2394798.2394857

  12. Lu, Y.-B., Din, S.-C., Zheng, C.-F., Gao, B.-J.: Using multi-feature and classifier ensembles to improve malware detection. CCIT J 32(2), 57–72 (2010)

    Google Scholar 

  13. Menahem, E., Shabtai, A., Rokach, L., Elovici, Y.: Improving malware detection by applying multi-inducer ensemble. Comput Stat Data Anal 53(4), 1483–1494 (2009)

    Article  MathSciNet  Google Scholar 

  14. Rajeswaran D (2015) Function call graph score for malware detection. Master’s Project, Department of Computer Science, San Jose State University. http://scholarworks.sjsu.edu/etd_projects/445/

  15. Hex-Rays (2017). https://www.hex-rays.com

  16. Kingsford C (2015) Graph traversals. http://www.cs.cmu.edu/~ckingsf/class/02713-s13/lectures/lec07-dfsbfs.pdf

  17. Stamp M (2004) A revealing introduction to hidden Markov models. https://www.cs.sjsu.edu/~stamp/RUA/HMM.pdf

  18. Runwal, N., Low, R.M., Stamp, M.: Opcode graph similarity and metamorphic detection. J Comput Virol 8(1–2), 37–52 (2012). https://doi.org/10.1007/s11416-012-0160-5

    Article  Google Scholar 

  19. Shanmugam, G., Low, R.M., Stamp, M.: Simple substitution distance and metamorphic detection. J Comput Virol Hacking Tech 9(3), 159–170 (2013). https://doi.org/10.1007/s11416-013-0184-5

    Article  Google Scholar 

  20. Jakobsen, T.: A fast method for the cryptanalysis of substitution ciphers. Cryptologia 19, 265–274 (1995)

    Article  Google Scholar 

  21. Wang R (2016) Introduction to support vector machines. http://fourier.eng.hmc.edu/e161/lectures/svm

  22. Ng A (2015) Support vector machines. http://cs229.stanford.edu/notes/cs229-notes3.pdf

  23. Statsoft: support vector machines (SVM) introductory overview (2015). http://www.statsoft.com/textbook/support-vector-machines

  24. Symantec: Trojan.Zbot (2015). http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99

  25. Symantec: Trojan.ZeroAccess (2015). http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99

  26. Panda Security. Harebot. M (2015). http://www.pandasecurity.com/homeusers/security-info/220319/Harebot.M

  27. Malicia Project (2015). http://malicia-project.com/

  28. Nappa A, Rafique MZ, Caballero J (2013) Driving in the cloud: an analysis of drive-by download operations and abuse reporting. In: Proceedings of the 10th international conference on detection of intrusions and malware, and vulnerability assessment, DIMVA’13. Springer, Berlin, pp 1–20

    Google Scholar 

  29. Wong, W., Stamp, M.: Hunting for metamorphic engines. J Comput Virol 2(3), 211–229 (2006). https://doi.org/10.1007/s11416-006-0028-7

    Article  Google Scholar 

  30. Bradley, A.P.: The use of the area under the roc curve in the evaluation of machine learning algorithms. Pattern Recognit 30(7), 1145–1159 (1997)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. San Jose State University, San Jose, CA, USA

    Deebiga Rajeswaran, Fabio Di Troia, Thomas H. Austin & Mark Stamp

Authors
  1. Deebiga Rajeswaran
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Fabio Di Troia
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Thomas H. Austin
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Mark Stamp
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Mark Stamp .

Editor information

Editors and Affiliations

  1. Department of Computer Science, School of Computing and Engineering, University of Huddersfield, Huddersfield, UK

    Simon Parkinson

  2. Department of Computer Science, School of Computing and Engineering, University of Huddersfield, Huddersfield, UK

    Andrew Crampton

  3. Department of Computer Science, School of Computing and Engineering, University of Huddersfield, Huddersfield, UK

    Richard Hill

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this chapter

Check for updates. Verify currency and authenticity via CrossMark

Cite this chapter

Rajeswaran, D., Di Troia, F., Austin, T.H., Stamp, M. (2018). Function Call Graphs Versus Machine Learning for Malware Detection. In: Parkinson, S., Crampton, A., Hill, R. (eds) Guide to Vulnerability Analysis for Computer Networks and Systems. Computer Communications and Networks. Springer, Cham. https://doi.org/10.1007/978-3-319-92624-7_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-92624-7_11

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-92623-0

  • Online ISBN: 978-3-319-92624-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation