Malware similarity analysis based on graph similarity flooding algorithm

Abstract

Malware is a pervasive problem in computer security. The traditional signature-based detection method is ineffective at recognizing the dramatically increasing volume of malware. Research shows that many malicious samples are just variations of previously encountered malware. Therefore, it would be preferable to analyze the similarity of malware to determine whether submitted samples are merely variations of existing ones. Static analysis of polymorphic malware variants plays an important role. The function call graph has been shown to be an effective feature that represents the functionality of malware semantically. In this paper we propose a novel algorithm that compares function call graphs, based on the similarity flooding algorithm, to analyze the similarity of malware. Similarity between malware samples can be determined by a graph matching method. The evaluation shows that our algorithm is highly effective in terms of accuracy and computational complexity.

Cite

Liu, J., Wang, Y., Xie, P., Wang, Y., & Huang, Z. (2015). Malware similarity analysis based on graph similarity flooding algorithm. Lecture Notes in Electrical Engineering, 373, 31–37. https://doi.org/10.1007/978-981-10-0281-6_5
