SigMal: A Static Signal Processing Based Malware Triage

Abstract

In this work, we propose SigMal, a fast and precise malware detection framework based on signal processing techniques. SigMal is designed to operate with systems that process large amounts of binary samples. It has been observed that many samples received by such systems are variants of previously-seen malware, and they retain some similarity at the binary level. Previous systems used this notion of malware similarity to detect new variants of previously-seen malware. SigMal improves the state-of-the-art by leveraging techniques borrowed from signal processing to extract noise-resistant similarity signatures from the samples. SigMal uses an efficient nearest-neighbor search technique, which is scalable to millions of samples. We evaluate SigMal on 1.2 million recent samples, both packed and unpacked, observed over a duration of three months. In addition, we also used a constant dataset of known benign executables. Our results show that SigMal can detect 50% of the recent incoming samples with above 99% precision. We also show that SigMal could have detected, on average, 70 malware samples per day before any antivirus vendor detected them.

[PDF] [BibTex]
Dhilung Kirat, Lakshmanan Nataraj, Giovanni Vigna and B.S. Manjunath,
Annual Computer Security Applications Conference (ACSAC), Dec. 2013.
Node ID: 606 , DB ID: 416 , Lab: VRL , Target: Proceedings