Title :
Fingerprinting Executable Programs Based on Color Moments of a Novel Abstract Call Graph
Author :
Yin, Zhiyi ; Fu, Jianming ; Zhu, Fuxi ; Su, Fanchen ; Yao, Haitao ; Liu, Fen
Author_Institution :
Sch. of Comput. Sci., Wuhan Univ., Wuhan
Abstract :
In this paper we propose a new method for finding the fingerprint of executable programs. Our method is based on the statistical analysis of a 2-dimensional graph, named the novel abstract call graph, which is composed of colored pixels arranged according to the adjacency matrix of the call flow graph; the color of each pixel is determined by the in-degree and out-degree of the function node and the function call relationship. Through the experiments we can perceive that the color moments can be used as a fingerprint to identify different executable programs for the following reasons: it is unique, in that different executable programs map to different abstract call graphs with different color moments; it is sensitive to changes of the function call relationship, in that the value of the color moments will differ as long as there are call relationship modifications; and it is robust to local normal instruction modifications, in that the value of the color moments will not change as long as the modifications do not change any function call relationship. This paper shows that this fingerprint can be used for intrusion detection, since malicious code may change the function call relationship of the infected program, and can also be used to measure the N versions of a program, and so on. In this paper we mainly introduce the process of forming the fingerprint and its properties, and forecast its application.
Keywords :
flow graphs; graph colouring; security of data; statistical analysis; 2D graph; abstract call flow graph; adjacency matrix; color moment; executable program fingerprinting; infected program function call relationship; intrusion detection; malicious code; statistical analysis; Color; Computer science; Control systems; Fingerprint recognition; Flow graphs; Fluid flow measurement; Intrusion detection; Security; Software engineering; Statistical analysis; Call flow graph; color moments; fingerprint; novel abstract call graph; similarity measurement
Conference_Title :
Young Computer Scientists, 2008. ICYCS 2008. The 9th International Conference for
Conference_Location :
Hunan
Print_ISBN :
978-0-7695-3398-8
Electronic_ISBN :
978-0-7695-3398-8
DOI :
10.1109/ICYCS.2008.526