Detecting malwares using dynamic call graphs and opcode patterns

Abstract

Classification and detection of malware includes detecting instances and variants of existing known malware. Traditional signature-based approaches fail when the byte-level content of the malware is modified. Different static, dynamic and hybrid approaches exist and are classified based on the form in which the executable is analyzed. Static approaches include signature-based methods that use byte or opcode sequences, printable string information, control flow graphs based on code, and so on. Dynamic approaches analyze the runtime behavior of the malware and construct features from it. Hybrid methods provide an effective combination of static and dynamic approaches. This work compares the classification accuracy of a static approach that employs opcode sequence analysis, a dynamic approach that uses the call graph generated from the function calls made by the program, and an integrated approach that combines the two. The integrated approach shows an improvement of 2.89% over the static approach and 0.82% over the dynamic approach.

Deepta, K. P., & Salim, A. (2017). Detecting malwares using dynamic call graphs and opcode patterns. In Communications in Computer and Information Science (Vol. 721, pp. 91–101). Springer Verlag. https://doi.org/10.1007/978-981-10-5427-3_10
