Auto-detection of sophisticated malware using lazy-binding control flow graph and deep learning


Bibliographic Details
Published in Computers & Security, Vol. 76, pp. 128-155
Main Authors Nguyen, Minh Hai; Nguyen, Dung Le; Nguyen, Xuan Mao; Quan, Tho Thanh
Format Journal Article
Language English
Published Amsterdam, Elsevier Ltd / Elsevier Sequoia S.A., 01.07.2018

Abstract To date, industrial antivirus tools mostly use signature-based methods to detect malware occurrences. However, sophisticated malware, such as metamorphic or polymorphic viruses, can effectively evade those tools by using advanced obfuscation techniques, including mutation and dynamically executed contents (DEC) methods, which produce new executable code at run time. Common DEC methods used by malware programs are packing and calling external code. In the research community, the approach of program analysis to detect suspicious behaviors has recently been emerging to handle this problem. The control flow graph (CFG) is a suitable representation to capture common behaviors from various mutated samples of a virus. However, the typical CFG forms generated by state-of-the-art binary analysis tools, such as IDA Pro, do not precisely reflect the behaviors of DEC methods. Moreover, this approach suffers from an extremely heavy cost to construct and analyze the CFGs from binaries. This drawback makes the method of formal behavior analysis virtually inapplicable to real-world applications. In this paper, we propose an enhanced form of CFG, known as the lazy-binding CFG, to reflect DEC behaviors. Then, with the recent advancement of deep learning techniques, we present a method of producing an image-based representation from the generated CFG. As deep learning is very popular for performing image classification on very large datasets, our proposed technique can be applied for malware detection on real-world computer programs and thus enjoys very high accuracy. We also illustrate our analysis results with some well-known malware samples, including WannaCry, Kasperagent and Sality, one of the most sophisticated polymorphic viruses.
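The abstract describes the approach only at a high level: a static CFG cannot follow control flow that is resolved at run time (for instance a packer's or loader's computed jump), a lazy-binding CFG adds that information, and the resulting graph is turned into an image for a classifier. The following Python toy is added here as an illustration and is not code from the paper or its authors. The instruction set, the two constructed samples (an original and a register-renamed, junk-padded mutation), the opcode-only block signature and the simplistic reading of "lazy binding" as adding a computed jump's observed targets to the static graph are all assumptions made for illustration; the paper's actual construction is not given on this page.

```python
"""Toy model of CFG-based matching of mutated samples and of why a purely static
CFG misses dynamically resolved control flow. Added illustration, not the paper's
code: instruction set, sample programs, block signature and the simplistic reading
of "lazy binding" (add the targets a computed jump is observed to take) are assumptions."""
from collections import defaultdict

# Instructions: ("jmp",(addr,)) ("jz",(addr,reg)) ("jr",(reg,)) ("ret",())
#               ("mov",(reg,imm)) ("add",(reg,imm)) ("xor",(reg,reg)) ("nop",())
UNRESOLVED = "UNRESOLVED"

def blocks(prog):
    """Return (sorted leader addresses, {addr: leader of its basic block})."""
    lead = {0}
    for addr, (op, args) in enumerate(prog):
        if op in ("jmp", "jz"):
            lead.add(args[0])                  # a direct target starts a block
        if op in ("jmp", "jz", "jr", "ret"):
            lead.add(addr + 1)                 # so does the fall-through
    leads = sorted(a for a in lead if a < len(prog))
    mapping, cur = {}, 0
    for addr in range(len(prog)):
        cur = addr if addr in leads else cur
        mapping[addr] = cur
    return leads, mapping

def static_cfg(prog):
    """Edges a static disassembler sees; a computed jump ("jr") yields only UNRESOLVED."""
    leads, mapping = blocks(prog)
    edges = set()
    for i, lead in enumerate(leads):
        last = (leads[i + 1] if i + 1 < len(leads) else len(prog)) - 1
        op, args = prog[last]
        if op in ("jmp", "jz"):
            edges.add((lead, mapping[args[0]]))
        if op == "jr":
            edges.add((lead, UNRESOLVED))
        if op not in ("jmp", "jr", "ret") and last + 1 < len(prog):
            edges.add((lead, mapping[last + 1]))   # fall-through, incl. jz not taken
    return edges

def execute(prog, max_steps=10_000):
    """Run the program concretely; return {jr_addr: {targets it actually took}}."""
    regs, seen, pc = defaultdict(int), defaultdict(set), 0
    for _ in range(max_steps):
        if not 0 <= pc < len(prog) or prog[pc][0] == "ret":
            break
        op, args = prog[pc]
        if op == "mov":
            regs[args[0]] = args[1]
        elif op == "add":
            regs[args[0]] += args[1]
        elif op == "xor":
            regs[args[0]] ^= regs[args[1]]
        if op == "jmp" or (op == "jz" and regs[args[1]] == 0):
            pc = args[0]
        elif op == "jr":
            seen[pc].add(regs[args[0]])
            pc = regs[args[0]]
        else:
            pc += 1
    return seen

def lazy_binding_cfg(prog):
    """Static graph with each UNRESOLVED edge replaced by the targets observed at
    run time (a real tool would split a block hit mid-way; the toy does not)."""
    _, mapping = blocks(prog)
    edges = {e for e in static_cfg(prog) if e[1] != UNRESOLVED}
    for jr_addr, targets in execute(prog).items():
        edges |= {(mapping[jr_addr], mapping[t]) for t in targets}
    return edges

def fingerprint(prog, cfg_builder=lazy_binding_cfg):
    """Edges between opcode-only block signatures: registers, immediates and nops
    are dropped, so register renaming and junk insertion do not change it."""
    _, mapping = blocks(prog)
    def sig(n):
        ops = (op for a, (op, _) in enumerate(prog) if mapping[a] == n and op != "nop")
        return n if n == UNRESOLVED else " ".join(ops)
    return frozenset((sig(s), sig(d)) for s, d in cfg_builder(prog))

def to_image(fp):
    """Adjacency matrix over sorted signatures as 0/255 pixels: a fixed-shape grid
    of the kind an image classifier consumes."""
    nodes = sorted({n for e in fp for n in e})
    idx = {n: i for i, n in enumerate(nodes)}
    img = [[0] * len(nodes) for _ in nodes]
    for s, d in fp:
        img[idx[s]][idx[d]] = 255
    return nodes, img

# Constructed samples (assumptions): SAMPLE_A reaches its payload only through a
# computed jump; SAMPLE_B is the same logic with renamed registers, junk nops and
# shifted addresses, as a mutation engine would produce.
SAMPLE_A = [("mov", ("r0", 0)), ("mov", ("r1", 6)), ("add", ("r1", 0)), ("jr", ("r1",)),
            ("mov", ("r0", 1)), ("ret", ()),                        # decoy, never run
            ("xor", ("r0", "r0")), ("jz", (9, "r0")), ("ret", ()),  # payload
            ("add", ("r0", 1)), ("ret", ())]
SAMPLE_B = [("nop", ()), ("mov", ("r2", 0)), ("mov", ("r3", 3)), ("add", ("r3", 5)),
            ("nop", ()), ("jr", ("r3",)), ("mov", ("r2", 1)), ("ret", ()),
            ("xor", ("r2", "r2")), ("nop", ()), ("jz", (12, "r2")), ("ret", ()),
            ("add", ("r2", 1)), ("ret", ())]
```

Building the static graph of SAMPLE_A yields an edge from the entry block to UNRESOLVED and no path to the payload block; the lazy-binding graph connects entry to payload, and the fingerprints of SAMPLE_A and its mutation SAMPLE_B then coincide while a program with different structure gets a different one. `to_image` turns a fingerprint into a square 0/255 grid; a real pipeline would have to fix the node ordering and grid size across all samples before feeding a network.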
Authors
Nguyen, Minh Hai (Ho Chi Minh City University of Technology, Viet Nam)
Nguyen, Dung Le (Ho Chi Minh City University of Technology, Viet Nam)
Nguyen, Xuan Mao (YouNet Group, Viet Nam)
Quan, Tho Thanh (Ho Chi Minh City University of Technology, Viet Nam; email: qttho@hcmut.edu.vn)
Copyright 2018 Elsevier Ltd
DOI 10.1016/j.cose.2018.02.006
Discipline Computer Science
EISSN 1872-6208
EndPage 155
ExternalDocumentID 10_1016_j_cose_2018_02_006
S0167404818300889
ISSN 0167-4048
IsPeerReviewed true
IsScholarly true
Keywords Binary-based control flow graph; Deep learning; Packing techniques; Lazy-binding CFG; Polymorphic virus; Dynamically executed contents; Malware; Metamorphic virus; Mutation
PageCount 28
PublicationDate July 2018 (2018-07-01)
PublicationPlace Amsterdam
PublicationTitle Computers & security
PublicationYear 2018
Publisher Elsevier Ltd
Elsevier Sequoia S.A
– year: 1989
  ident: 10.1016/j.cose.2018.02.006_bib0240
  article-title: Generalization and network design strategies”. Technical Report CRG-TR-89-4, University of Toronto Connectionist Research Group, June 1989
– start-page: 3176
  year: 2012
  ident: 10.1016/j.cose.2018.02.006_bib0195
– year: 1999
  ident: 10.1016/j.cose.2018.02.006_bib0130
– start-page: 1
  year: 2008
  ident: 10.1016/j.cose.2018.02.006_bib0380
– volume: 48
  start-page: 212
  year: 2015
  ident: 10.1016/j.cose.2018.02.006_bib0025
  article-title: A framework for metamorphic malware analysis and real-time detection
  publication-title: Comput Secur
  doi: 10.1016/j.cose.2014.10.011
– volume: 13
  start-page: 422
  issue: 7
  year: 1970
  ident: 10.1016/j.cose.2018.02.006_bib0090
  article-title: Space/time trade-offs in hash coding with allowable errors
  publication-title: Commun ACM
  doi: 10.1145/362686.362692
– volume: 11
  start-page: 59
  issue: 2
  year: 2015
  ident: 10.1016/j.cose.2018.02.006_bib0050
  article-title: Hidden Markov models for malware classification
  publication-title: J Comput Virol Hacking Tech
  doi: 10.1007/s11416-014-0215-x
– volume: 6
  start-page: 65
  issue: Issue: 5
  year: 2008
  ident: 10.1016/j.cose.2018.02.006_bib0470
  article-title: Revealing packed malware
  publication-title: IEEE Secur Priv
  doi: 10.1109/MSP.2008.126
– ident: 10.1016/j.cose.2018.02.006_bib0180
– volume: 42
  start-page: 145
  issue: 3
  year: 2001
  ident: 10.1016/j.cose.2018.02.006_bib0300
  article-title: Modeling the shape of the scene: a holistic representation of the spatial envelope
  publication-title: Int J Comput Vis
  doi: 10.1023/A:1011139631724
– start-page: 46
  year: 2007
  ident: 10.1016/j.cose.2018.02.006_bib0215
– volume: 46
  start-page: 47
  issue: 1–2
  year: 1990
  ident: 10.1016/j.cose.2018.02.006_bib0165
  article-title: Mapping part-whole hierarchies into connectionist networks
  publication-title: Artif Intel
  doi: 10.1016/0004-3702(90)90004-J
– year: 2005
  ident: 10.1016/j.cose.2018.02.006_bib0415
– start-page: 289
  year: 2006
  ident: 10.1016/j.cose.2018.02.006_bib0340
StartPage 128
SubjectTerms Anti-virus software
Binary-based control
Computer programming
Computer viruses
Deep learning
Dynamically executed contents
Flow graph
Graphical representations
Image classification
Lazy-binding CFG
Learning
Malware
Metamorphic virus
Mutation
Packing techniques
Polymorphic virus
Program verification (computers)
Software
Studies
Title Auto-detection of sophisticated malware using lazy-binding control flow graph and deep learning
URI https://dx.doi.org/10.1016/j.cose.2018.02.006
https://www.proquest.com/docview/2094500348
Volume 76