DeepCG: Classifying Metamorphic Malware Through Deep Learning of Call Graphs


Ontology type: schema:Chapter     


Chapter Info

DATE

2019-12-13

AUTHORS

Shuang Zhao , Xiaobo Ma , Wei Zou , Bo Bai

ABSTRACT

As the state-of-the-art malware obfuscation technique, metamorphism has received wide attention. Metamorphic malware can mutate themselves into countless variants during propagation by obfuscating part of their executable code automatically, thus posing serious challenges to all existing detection methods. To address this problem, a fundamental task is to understand the stable features that are relatively invariant across all variants of a certain type of metamorphic malware while distinguishable from other types. In this paper, we systematically study the obfuscation methods of metamorphic malware, and reveal that, compared to frequently used fragmented features such as byte n-grams and opcode sequences, call graphs are more stable against metamorphism, and can be leveraged to classify metamorphic malware effectively. Based on call graphs, we design a metamorphic malware classification method, dubbed deepCG, which enables automatic feature learning of metamorphic malware via deep learning. Specifically, we encapsulate the information of each call graph into an image that is then fed into deep convolutional neural networks for classifying the malware family. Particularly, due to its built-in training data enhancement approach, deepCG can achieve promising classification accuracy even with small-scale training samples. We evaluate deepCG using a PE malware dataset and the Microsoft BIG2015 dataset, and achieve a test accuracy of above 96%.

PAGES

171-190

Identifiers

URI

http://scigraph.springernature.com/pub.10.1007/978-3-030-37228-6_9

DOI

http://dx.doi.org/10.1007/978-3-030-37228-6_9

DIMENSIONS

https://app.dimensions.ai/details/publication/pub.1123345839



JSON-LD is the canonical representation for SciGraph data.


[
  {
    "@context": "https://springernature.github.io/scigraph/jsonld/sgcontext.json", 
    "about": [
      {
        "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/08", 
        "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
        "name": "Information and Computing Sciences", 
        "type": "DefinedTerm"
      }, 
      {
        "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/0801", 
        "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
        "name": "Artificial Intelligence and Image Processing", 
        "type": "DefinedTerm"
      }
    ], 
    "author": [
      {
        "affiliation": {
          "alternateName": "School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China", 
          "id": "http://www.grid.ac/institutes/grid.410726.6", 
          "name": [
            "Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China", 
            "School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Zhao", 
        "givenName": "Shuang", 
        "id": "sg:person.0671022567.52", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.0671022567.52"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "MOE KLINNS Lab, Faculty of Electronic and Information Engineering, Xi\u2019an Jiaotong University, Xi\u2019an, China", 
          "id": "http://www.grid.ac/institutes/grid.43169.39", 
          "name": [
            "MOE KLINNS Lab, Faculty of Electronic and Information Engineering, Xi\u2019an Jiaotong University, Xi\u2019an, China"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Ma", 
        "givenName": "Xiaobo", 
        "id": "sg:person.015130076215.46", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.015130076215.46"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China", 
          "id": "http://www.grid.ac/institutes/grid.410726.6", 
          "name": [
            "Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China", 
            "School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Zou", 
        "givenName": "Wei", 
        "id": "sg:person.012345512151.06", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.012345512151.06"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China", 
          "id": "http://www.grid.ac/institutes/grid.410726.6", 
          "name": [
            "Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China", 
            "School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Bai", 
        "givenName": "Bo", 
        "id": "sg:person.016057020251.04", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.016057020251.04"
        ], 
        "type": "Person"
      }
    ], 
    "datePublished": "2019-12-13", 
    "datePublishedReg": "2019-12-13", 
    "description": "As the state-of-the-art malware obfuscation technique, metamorphism has received wide attention. Metamorphic malware can mutate themselves into countless variants during propagation by obfuscating part of their executable code automatically, thus posing serious challenges to all existing detection methods. To address this problem, a fundamental task is to understand the stable features that are relatively invariant across all variants of a certain type of metamorphic malware while distinguishable from other types. In this paper, we systematically study the obfuscation methods of metamorphic malware, and reveal that, compared to frequently used fragmented features such as byte n-grams and opcode sequences, call graphs are more stable against metamorphism, and can be leveraged to classify metamorphic malware effectively. Based on call graphs, we design a metamorphic malware classification method, dubbed deepCG, which enables automatic feature learning of metamorphic malware via deep learning. Specifically, we encapsulate the information of each call graph into an image that is then fed into deep convolutional neural networks for classifying the malware family. Particularly, due to its built-in training data enhancement approach, deepCG can achieve promising classification accuracy even with small-scale training samples. We evaluate deepCG using a PE malware dataset and the Microsoft BIG2015 dataset, and achieve a test accuracy of above 96%.", 
    "editor": [
      {
        "familyName": "Chen", 
        "givenName": "Songqing", 
        "type": "Person"
      }, 
      {
        "familyName": "Choo", 
        "givenName": "Kim-Kwang Raymond", 
        "type": "Person"
      }, 
      {
        "familyName": "Fu", 
        "givenName": "Xinwen", 
        "type": "Person"
      }, 
      {
        "familyName": "Lou", 
        "givenName": "Wenjing", 
        "type": "Person"
      }, 
      {
        "familyName": "Mohaisen", 
        "givenName": "Aziz", 
        "type": "Person"
      }
    ], 
    "genre": "chapter", 
    "id": "sg:pub.10.1007/978-3-030-37228-6_9", 
    "isAccessibleForFree": false, 
    "isPartOf": {
      "isbn": [
        "978-3-030-37227-9", 
        "978-3-030-37228-6"
      ], 
      "name": "Security and Privacy in Communication Networks", 
      "type": "Book"
    }, 
    "keywords": [
      "metamorphic malware", 
      "call graph", 
      "deep learning", 
      "deep convolutional neural network", 
      "small-scale training samples", 
      "malware classification method", 
      "automatic feature learning", 
      "convolutional neural network", 
      "byte n-grams", 
      "opcode sequences", 
      "executable code", 
      "malware dataset", 
      "feature learning", 
      "obfuscation techniques", 
      "malware families", 
      "malware", 
      "obfuscation methods", 
      "neural network", 
      "classification accuracy", 
      "fundamental task", 
      "n-grams", 
      "classification method", 
      "training samples", 
      "enhancement approach", 
      "detection method", 
      "graph", 
      "test accuracy", 
      "learning", 
      "dataset", 
      "stable features", 
      "countless variants", 
      "wide attention", 
      "accuracy", 
      "serious challenge", 
      "network", 
      "task", 
      "features", 
      "images", 
      "code", 
      "fragmented features", 
      "information", 
      "method", 
      "challenges", 
      "technique", 
      "certain types", 
      "variants", 
      "attention", 
      "types", 
      "sequence", 
      "state", 
      "part", 
      "propagation", 
      "family", 
      "samples", 
      "paper", 
      "problem", 
      "approach", 
      "metamorphism"
    ], 
    "name": "DeepCG: Classifying Metamorphic Malware Through Deep Learning of Call Graphs", 
    "pagination": "171-190", 
    "productId": [
      {
        "name": "dimensions_id", 
        "type": "PropertyValue", 
        "value": [
          "pub.1123345839"
        ]
      }, 
      {
        "name": "doi", 
        "type": "PropertyValue", 
        "value": [
          "10.1007/978-3-030-37228-6_9"
        ]
      }
    ], 
    "publisher": {
      "name": "Springer Nature", 
      "type": "Organisation"
    }, 
    "sameAs": [
      "https://doi.org/10.1007/978-3-030-37228-6_9", 
      "https://app.dimensions.ai/details/publication/pub.1123345839"
    ], 
    "sdDataset": "chapters", 
    "sdDatePublished": "2022-09-02T16:16", 
    "sdLicense": "https://scigraph.springernature.com/explorer/license/", 
    "sdPublisher": {
      "name": "Springer Nature - SN SciGraph project", 
      "type": "Organization"
    }, 
    "sdSource": "s3://com-springernature-scigraph/baseset/20220902/entities/gbq_results/chapter/chapter_435.jsonl", 
    "type": "Chapter", 
    "url": "https://doi.org/10.1007/978-3-030-37228-6_9"
  }
]
 


HOW TO GET THIS DATA PROGRAMMATICALLY:

JSON-LD is a popular format for linked data which is fully compatible with JSON.

curl -H 'Accept: application/ld+json' 'https://scigraph.springernature.com/pub.10.1007/978-3-030-37228-6_9'

N-Triples is a line-based linked data format ideal for batch operations.

curl -H 'Accept: application/n-triples' 'https://scigraph.springernature.com/pub.10.1007/978-3-030-37228-6_9'

Turtle is a human-readable linked data format.

curl -H 'Accept: text/turtle' 'https://scigraph.springernature.com/pub.10.1007/978-3-030-37228-6_9'

RDF/XML is a standard XML format for linked data.

curl -H 'Accept: application/rdf+xml' 'https://scigraph.springernature.com/pub.10.1007/978-3-030-37228-6_9'


 

This table displays all metadata directly associated to this object as RDF triples.

162 TRIPLES      22 PREDICATES      82 URIs      75 LITERALS      7 BLANK NODES

Subject Predicate Object
1 sg:pub.10.1007/978-3-030-37228-6_9 schema:about anzsrc-for:08
2 anzsrc-for:0801
3 schema:author N1707ab188ea6403baff3e8fc03f10ef4
4 schema:datePublished 2019-12-13
5 schema:datePublishedReg 2019-12-13
6 schema:description As the state-of-the-art malware obfuscation technique, metamorphism has received wide attention. Metamorphic malware can mutate themselves into countless variants during propagation by obfuscating part of their executable code automatically, thus posing serious challenges to all existing detection methods. To address this problem, a fundamental task is to understand the stable features that are relatively invariant across all variants of a certain type of metamorphic malware while distinguishable from other types. In this paper, we systematically study the obfuscation methods of metamorphic malware, and reveal that, compared to frequently used fragmented features such as byte n-grams and opcode sequences, call graphs are more stable against metamorphism, and can be leveraged to classify metamorphic malware effectively. Based on call graphs, we design a metamorphic malware classification method, dubbed deepCG, which enables automatic feature learning of metamorphic malware via deep learning. Specifically, we encapsulate the information of each call graph into an image that is then fed into deep convolutional neural networks for classifying the malware family. Particularly, due to its built-in training data enhancement approach, deepCG can achieve promising classification accuracy even with small-scale training samples. We evaluate deepCG using a PE malware dataset and the Microsoft BIG2015 dataset, and achieve a test accuracy of above 96%.
7 schema:editor N7d7ab71ddc774fa194d305b82955b4bf
8 schema:genre chapter
9 schema:isAccessibleForFree false
10 schema:isPartOf N836aa30849d144e4a2f10e02ec5ff45d
11 schema:keywords accuracy
12 approach
13 attention
14 automatic feature learning
15 byte n-grams
16 call graph
17 certain types
18 challenges
19 classification accuracy
20 classification method
21 code
22 convolutional neural network
23 countless variants
24 dataset
25 deep convolutional neural network
26 deep learning
27 detection method
28 enhancement approach
29 executable code
30 family
31 feature learning
32 features
33 fragmented features
34 fundamental task
35 graph
36 images
37 information
38 learning
39 malware
40 malware classification method
41 malware dataset
42 malware families
43 metamorphic malware
44 metamorphism
45 method
46 n-grams
47 network
48 neural network
49 obfuscation methods
50 obfuscation techniques
51 opcode sequences
52 paper
53 part
54 problem
55 propagation
56 samples
57 sequence
58 serious challenge
59 small-scale training samples
60 stable features
61 state
62 task
63 technique
64 test accuracy
65 training samples
66 types
67 variants
68 wide attention
69 schema:name DeepCG: Classifying Metamorphic Malware Through Deep Learning of Call Graphs
70 schema:pagination 171-190
71 schema:productId N1134b71bdc2340c29e443338b035833b
72 Nf4d371ce835f4e98aa6210e81485f5a5
73 schema:publisher N59e1e241783249e49d43099a7e7dfcff
74 schema:sameAs https://app.dimensions.ai/details/publication/pub.1123345839
75 https://doi.org/10.1007/978-3-030-37228-6_9
76 schema:sdDatePublished 2022-09-02T16:16
77 schema:sdLicense https://scigraph.springernature.com/explorer/license/
78 schema:sdPublisher N2c7b9ef944b646bf83715036868cb155
79 schema:url https://doi.org/10.1007/978-3-030-37228-6_9
80 sgo:license sg:explorer/license/
81 sgo:sdDataset chapters
82 rdf:type schema:Chapter
83 N1134b71bdc2340c29e443338b035833b schema:name dimensions_id
84 schema:value pub.1123345839
85 rdf:type schema:PropertyValue
86 N1707ab188ea6403baff3e8fc03f10ef4 rdf:first sg:person.0671022567.52
87 rdf:rest N4f220f5df6fe4dbfa9ba8bbe2f230d9d
88 N238d0d7399a04941981bdec4a75aa275 schema:familyName Chen
89 schema:givenName Songqing
90 rdf:type schema:Person
91 N2c7b9ef944b646bf83715036868cb155 schema:name Springer Nature - SN SciGraph project
92 rdf:type schema:Organization
93 N42cf24bc3ee143209c508af3389dc2d1 rdf:first sg:person.012345512151.06
94 rdf:rest Ndfcff99ceb7347e1ba3d001b5b180859
95 N4f220f5df6fe4dbfa9ba8bbe2f230d9d rdf:first sg:person.015130076215.46
96 rdf:rest N42cf24bc3ee143209c508af3389dc2d1
97 N59e1e241783249e49d43099a7e7dfcff schema:name Springer Nature
98 rdf:type schema:Organisation
99 N6543e11f49e04d1ba5010f44db1ffbee schema:familyName Mohaisen
100 schema:givenName Aziz
101 rdf:type schema:Person
102 N78178ec6e1c241dfa117ccd28e9569c6 rdf:first N7f454cafce8e4d7587e6622779314f9f
103 rdf:rest Nf5f778ba9b5243d98494c2538c2017db
104 N7d7ab71ddc774fa194d305b82955b4bf rdf:first N238d0d7399a04941981bdec4a75aa275
105 rdf:rest Ne392bb9d42c943cebca13fa1f6a7108d
106 N7f454cafce8e4d7587e6622779314f9f schema:familyName Fu
107 schema:givenName Xinwen
108 rdf:type schema:Person
109 N836aa30849d144e4a2f10e02ec5ff45d schema:isbn 978-3-030-37227-9
110 978-3-030-37228-6
111 schema:name Security and Privacy in Communication Networks
112 rdf:type schema:Book
113 N85abba9b207f41e29540a72743cad9fa schema:familyName Lou
114 schema:givenName Wenjing
115 rdf:type schema:Person
116 Na27bcb3ba29440f9b4e270757b082c64 rdf:first N6543e11f49e04d1ba5010f44db1ffbee
117 rdf:rest rdf:nil
118 Ncc6c51f10b5443109fa38ff47196ce42 schema:familyName Choo
119 schema:givenName Kim-Kwang Raymond
120 rdf:type schema:Person
121 Ndfcff99ceb7347e1ba3d001b5b180859 rdf:first sg:person.016057020251.04
122 rdf:rest rdf:nil
123 Ne392bb9d42c943cebca13fa1f6a7108d rdf:first Ncc6c51f10b5443109fa38ff47196ce42
124 rdf:rest N78178ec6e1c241dfa117ccd28e9569c6
125 Nf4d371ce835f4e98aa6210e81485f5a5 schema:name doi
126 schema:value 10.1007/978-3-030-37228-6_9
127 rdf:type schema:PropertyValue
128 Nf5f778ba9b5243d98494c2538c2017db rdf:first N85abba9b207f41e29540a72743cad9fa
129 rdf:rest Na27bcb3ba29440f9b4e270757b082c64
130 anzsrc-for:08 schema:inDefinedTermSet anzsrc-for:
131 schema:name Information and Computing Sciences
132 rdf:type schema:DefinedTerm
133 anzsrc-for:0801 schema:inDefinedTermSet anzsrc-for:
134 schema:name Artificial Intelligence and Image Processing
135 rdf:type schema:DefinedTerm
136 sg:person.012345512151.06 schema:affiliation grid-institutes:grid.410726.6
137 schema:familyName Zou
138 schema:givenName Wei
139 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.012345512151.06
140 rdf:type schema:Person
141 sg:person.015130076215.46 schema:affiliation grid-institutes:grid.43169.39
142 schema:familyName Ma
143 schema:givenName Xiaobo
144 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.015130076215.46
145 rdf:type schema:Person
146 sg:person.016057020251.04 schema:affiliation grid-institutes:grid.410726.6
147 schema:familyName Bai
148 schema:givenName Bo
149 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.016057020251.04
150 rdf:type schema:Person
151 sg:person.0671022567.52 schema:affiliation grid-institutes:grid.410726.6
152 schema:familyName Zhao
153 schema:givenName Shuang
154 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.0671022567.52
155 rdf:type schema:Person
156 grid-institutes:grid.410726.6 schema:alternateName School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
157 schema:name Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
158 School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
159 rdf:type schema:Organization
160 grid-institutes:grid.43169.39 schema:alternateName MOE KLINNS Lab, Faculty of Electronic and Information Engineering, Xi’an Jiaotong University, Xi’an, China
161 schema:name MOE KLINNS Lab, Faculty of Electronic and Information Engineering, Xi’an Jiaotong University, Xi’an, China
162 rdf:type schema:Organization
 



