Semantic Malware Detection by Deploying Graph Mining

Today malware is a serious threat to our society. Several researchers are studying detection and mitigation of malware threats. On the other hand malware authors try to use obfuscation techniques for evading detection. Unfortunately usual approach (e.g., antivirus software) use signature based method which can easily be evaded. For addressing these shortcomings dynamic methods have been introduced. The aim of dynamic methods is to detect the semantic of malware family. Obfuscation of semantic based method is too difficult and results of these methods are promising. However deploying semantic based methods for real time detection have several complications. Current semantic methods are too timeconsuming and usually need a robust virtual machine to obtain the behavior. In this paper we present an automatic detection method based on graph mining techniques with near optimal detection rate. That is 96.6% accuracy and only 3.4% false positive. In our method, first the malware is analyzed in a virtual machine environment to observe its semantic. A graph representation of malware behavior is constructed. The representation is based on relationships between system calls and allows rearrangement of system calls. Graph is used for representing the behavior of application because graph, especially labeled graph, can be used to model lots of complicated relation between data. At the next step we mine information graph and extract the most discriminative graphs that separate malware from benign. Finally, a classification method is used and the mentioned accuracy was obtained.