A Graph Mining Approach for Detecting Metamorphic Malwares

Metamorphic malware changes the syntax of its code in each infection. This process makes it extremely hard to detect. While the byte sequence of the metamorphic malware may be quite different from its parent, the main functionality of the malware has to stay the same. Therefore, traditional methods based on static signature detection cannot detect such malwares, and need to be designed semantic methods to detect them. This paper presents a semantic based method to detect metamorphic malwares. The main idea is to extract the control flow graph from PE-files, called API call graph, whose edge label is assigned with corresponding API call. The extracted graph is further simplified by converting it into a feature vector. Feature vectors are utilized to differentiate malwares from benign programs by the mean of classification algorithms. The experimental results show that our approach performs comparable or better than current malware detection algorithms.