DocumentCode
247167
Title
Malicious Code Detection Using Opcode Running Tree Representation
Author
Ding Yuxin ; Dai Wei ; Zhang Yibin ; Xue Chenglong
Author_Institution
Shenzhen Grad. Sch., Dept. of Comput. Sci., Harbin Inst. of Technol., Shenzhen, China
fYear
2014
fDate
8-10 Nov. 2014
Firstpage
616
Lastpage
621
Abstract
An opcode behavior based method is proposed to detect malware. Opcode behaviors are represented as opcode sequences from a decompiled executable. To accurately describe the malware behaviors, we construct the opcode running tree to simulate the dynamic execution of a program, and opcode n-grams are extracted to represent the features of an executable. The experimental results show that the opcode behaviors extracted by this method can fully represent the behavior characteristics of an executable. Compared with the detection method based on opcode distributions, the proposed method has higher overall accuracy and a lower false positive rate.
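The abstract describes the pipeline in one sentence: a disassembled executable gives a control-flow structure, the "running tree" unrolls that structure into the execution paths a run could take, and opcode n-grams along those paths become the classifier features. The following Python block is an added illustration of that idea and is not the authors' code; the paper's exact rule for building the tree is not stated on this page, so the bounded unrolling used here (follow successors, cut every path after max_depth blocks so loops terminate) is an assumption, and the toy control-flow graph, its opcodes and its edges are constructed for the example.

```python
"""Opcode running-tree n-gram extraction (added illustration, not the paper's code).

Assumption: the running tree is the CFG unrolled from the entry block into
root-to-leaf paths, with every path cut after `max_depth` blocks so that
back edges (loops) cannot recurse forever.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed toy control-flow graph: block name -> (opcodes, successor blocks).
# "loop" has a self edge (back edge) and a conditional exit; "entry" can skip
# the loop entirely. None of this is taken from the paper.
TOY_CFG: Dict[str, Tuple[List[str], List[str]]] = {
    "entry": (["push", "mov", "call", "test"], ["loop", "exit"]),
    "loop":  (["mov", "xor", "cmp"], ["loop", "exit"]),
    "exit":  (["pop", "ret"], []),
}


def running_tree_paths(cfg: Dict[str, Tuple[List[str], List[str]]],
                       entry: str, max_depth: int) -> List[List[str]]:
    """Unroll the CFG from `entry` into execution paths (the running tree).

    Each returned path is a list of block names from the root to a leaf.
    A path ends when its block has no successors or when it already holds
    `max_depth` blocks, which is what keeps the self-loop finite."""
    paths: List[List[str]] = []

    def walk(block: str, path: List[str]) -> None:
        path = path + [block]
        successors = cfg[block][1]
        if not successors or len(path) >= max_depth:
            paths.append(path)
            return
        for nxt in successors:
            walk(nxt, path)

    walk(entry, [])
    return paths


def path_opcodes(cfg, path: List[str]) -> List[str]:
    """Concatenate the opcodes of the blocks along one path."""
    return [op for block in path for op in cfg[block][0]]


def ngrams(seq: List[str], n: int) -> List[Tuple[str, ...]]:
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def tree_ngram_features(cfg, entry: str, n: int, max_depth: int) -> Counter:
    """Running-tree features: n-gram -> number of execution paths containing it."""
    feats: Counter = Counter()
    for path in running_tree_paths(cfg, entry, max_depth):
        for gram in set(ngrams(path_opcodes(cfg, path), n)):
            feats[gram] += 1
    return feats


def linear_ngram_features(cfg, file_order: List[str], n: int) -> Counter:
    """Baseline: n-grams over the opcode stream in file order, ignoring control flow."""
    seq = [op for block in file_order for op in cfg[block][0]]
    return Counter(ngrams(seq, n))


def opcode_distribution(cfg) -> Counter:
    """Baseline from the abstract's comparison: plain opcode frequency, no order at all."""
    dist: Counter = Counter()
    for opcodes, _ in cfg.values():
        dist.update(opcodes)
    return dist


def feature_vector(feats: Counter, vocab: List[Tuple[str, ...]]) -> List[int]:
    """Fixed-order count vector over a chosen n-gram vocabulary, as an SVM would consume."""
    return [feats.get(gram, 0) for gram in vocab]


if __name__ == "__main__":
    tree = tree_ngram_features(TOY_CFG, "entry", n=2, max_depth=3)
    linear = linear_ngram_features(TOY_CFG, ["entry", "loop", "exit"], n=2)
    # Bigrams that only exist across a taken edge show the difference between
    # the two representations.
    for gram in [("test", "pop"), ("cmp", "mov"), ("cmp", "pop")]:
        print(gram, "tree:", tree[gram], "linear:", linear[gram])
```

On the toy graph the file-order stream never produces the bigram ("test", "pop") (entry jumping straight to exit) or ("cmp", "mov") (the loop's back edge), while the running tree contains both; those are exactly the transitions a static opcode stream or a bare opcode distribution cannot see, which is the abstract's argument for simulating execution before extracting n-grams. The depth cap is a design choice, not a rule from the paper: without it the self-loop makes the tree infinite, and raising it trades more path coverage for exponentially more paths.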
Keywords
invasive software; trees (mathematics); dynamic program execution; executable decompilation; malicious code detection; malware detection; opcode behavior based method; opcode n-gram extraction; opcode running tree representation; opcode sequences; Accuracy; Feature extraction; Flow graphs; Image edge detection; Malware; Support vector machines; Training; opcode behavior; malware detection; control flow; machine learning; security;
fLanguage
English
Publisher
ieee
Conference_Titel
P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC), 2014 Ninth International Conference on
Conference_Location
Guangdong
Type
conf
DOI
10.1109/3PGCIC.2014.140
Filename
7024656
Link To Document