Opcodes as predictor for malware

Cited by: 180
Author
Bilar, Daniel [1 ]
Affiliation
[1] Wellesley Coll, Dept Comp Sci, Wellesley, MA 02181 USA
Keywords
x86; opcodes; malware; structural fingerprint; statistical analysis; predictor; executable; frequency;
DOI
10.1504/IJESDF.2007.016865
CLC classification
TP [Automation technology, computer technology];
Discipline code
0812;
Abstract
This paper discusses a detection mechanism for malicious code based on statistical analysis of opcode distributions. A total of 67 malware executables were sampled, statically disassembled, and their opcode frequency distributions compared with the aggregate statistics of 20 non-malicious samples. We find that malware opcode distributions differ statistically significantly from those of non-malicious software. Furthermore, rare opcodes seem to be a stronger predictor, explaining 12-63% of frequency variation.
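The procedure the abstract describes (disassemble, count opcodes per sample, pool a benign reference distribution, test each sample's distribution against it, then look at how much of the departure comes from rare opcodes) as an added worked example. This is not code from the paper: the disassembly listings are constructed toy mnemonic streams, Pearson chi-square with add-one smoothing is the test statistic chosen here, and the "rare-opcode share of the statistic" is a stand-in for the paper's variance-explained measure, not a reproduction of it.

```python
"""Opcode-frequency fingerprinting in the style of the abstract (added example).

Count opcode mnemonics in statically disassembled samples, pool a benign
reference distribution, and measure how far each sample departs from it with
a Pearson chi-square statistic. All listings below are constructed toy data.
"""
from collections import Counter
from typing import Dict, Iterable, List, Mapping, Tuple

# Constructed mnemonic streams (operands dropped), standing in for disassembler
# output. Hypothetical data for illustration, not real binaries.
BENIGN = [
    "mov push mov call pop ret mov add cmp jz mov push call pop ret".split(),
    "push mov mov call ret add sub cmp jnz mov pop ret mov call mov".split(),
    "mov mov push call pop ret lea mov cmp jz mov mov push call ret".split(),
]
MALWARE = [
    "xor mov push call pop ret int sidt xor mov rdtsc cmp jnz pushad in".split(),
    "mov xor xor push call ret int in out cpuid mov popad jmp xor ret".split(),
]


def opcode_counts(listing: Iterable[str]) -> Counter:
    """Count each mnemonic in one disassembly listing."""
    return Counter(op.lower() for op in listing)


def pooled_counts(listings: Iterable[Iterable[str]]) -> Counter:
    """Aggregate counts over a corpus; this is the reference distribution."""
    total: Counter = Counter()
    for listing in listings:
        total.update(opcode_counts(listing))
    return total


def smoothed_shares(reference: Mapping[str, int],
                    vocabulary: Iterable[str]) -> Dict[str, float]:
    """Add-one (Laplace) smoothed share of every opcode in the union vocabulary.
    Without smoothing, an opcode absent from the reference has expected count 0
    and its chi-square term is undefined; rare opcodes are exactly the case
    that matters here, so they must stay in the comparison."""
    vocab = set(vocabulary) | set(reference)
    denom = sum(reference.values()) + len(vocab)
    return {op: (reference.get(op, 0) + 1) / denom for op in vocab}


def chi_square(observed: Mapping[str, int], reference: Mapping[str, int]
               ) -> Tuple[float, int, Dict[str, float]]:
    """Pearson chi-square of observed counts against the smoothed reference.
    Returns (statistic, degrees of freedom, per-opcode contribution)."""
    shares = smoothed_shares(reference, observed)
    n = sum(observed.values())
    contrib: Dict[str, float] = {}
    for op, share in shares.items():
        expected = n * share
        contrib[op] = (observed.get(op, 0) - expected) ** 2 / expected
    return sum(contrib.values()), len(shares) - 1, contrib


def rare_opcode_share(observed: Mapping[str, int], reference: Mapping[str, int],
                      threshold: float = 0.05) -> float:
    """Fraction of the chi-square statistic contributed by opcodes whose
    smoothed reference share is below `threshold` (the rare opcodes).
    Assumed stand-in for a variance-explained measure, not the paper's own."""
    stat, _, contrib = chi_square(observed, reference)
    shares = smoothed_shares(reference, observed)
    rare = sum(c for op, c in contrib.items() if shares[op] < threshold)
    return rare / stat if stat else 0.0


def score_corpus(benign: List[List[str]],
                 malware: List[List[str]]) -> Dict[str, List[float]]:
    """Leave-one-out scores for benign samples (each against the others, so a
    benign sample is never compared with a reference containing itself) and
    scores for malware samples against the whole benign reference."""
    heldout = []
    for i, sample in enumerate(benign):
        ref = pooled_counts(benign[:i] + benign[i + 1:])
        heldout.append(chi_square(opcode_counts(sample), ref)[0])
    ref_all = pooled_counts(benign)
    mal = [chi_square(opcode_counts(s), ref_all)[0] for s in malware]
    return {"benign_heldout": heldout, "malware": mal}


if __name__ == "__main__":
    scores = score_corpus(BENIGN, MALWARE)
    ref = pooled_counts(BENIGN)
    for label, vals in scores.items():
        print(label, [round(v, 2) for v in vals])
    for s in MALWARE:
        print("rare-opcode share of chi-square:",
              round(rare_opcode_share(opcode_counts(s), ref), 2))
```

Two caveats a practitioner would add before using this on real binaries: the chi-square statistic grows with sample length, so samples of very different instruction counts need a length-aware comparison (or a per-instruction normalisation), and a reference pooled from a handful of benign programs makes every opcode they happen not to use look "rare", which is why the leave-one-out scoring above matters as a sanity check on false positives.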
Pages: 156-168
Page count: 13