Abstract

Malware is software written to disrupt computer operation, to gather sensitive information, or to gain access to private computer systems. Each malware detection method works well only on certain types of malware. For example, API/function-based methods detect malware quickly, but they cannot identify advanced code-transforming malware or previously unknown malware. To address such malware, researchers proposed data mining methods that can recognize various types of malware. However, these methods not only require more overhead for training and detection but also remain ineffective against metamorphic malware. A semantic set, the set of changed values of registers and of variables allocated in memory when a program is executed, supports detecting most malware variants even when they use complex transformation techniques, as metamorphic malware does. Nevertheless, this approach requires that malware files be disassembled. From the analysis of these methods, we conclude that they can be combined into a more powerful malware detection system, because each method's advantages cover the others' disadvantages: each method is effective on a specific range of malware, so the combined system can detect all of these malware types while no single method can. In this paper we propose SSSM (semantic set and string matching detection), a system that combines three methods: API/function signature matching, data mining, and semantic sets. SSSM has been evaluated on several datasets and achieved an accuracy of up to 99.07% and a detection rate of nearly 100%.
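The following added example (not the paper's code) illustrates the reasoning above on a toy register language: a metamorphic variant of a constructed "injector" program has its registers renamed, independent instructions reordered, semantic no-ops inserted, and a junk API call added. An exact API-sequence signature misses it, a simplified opcode-bigram similarity score (a stand-in for the data mining stage, since the abstract does not describe the paper's classifier) misses it as well, but the semantic set, the set of values that actually change in registers or memory during execution, is identical to the original's. The instruction set, the sample programs, the similarity threshold and the family name are all assumptions made here for demonstration.

```python
"""Toy demonstration of cascading signature, similarity and semantic-set checks.
Added example, not the paper's implementation: the mini assembly language, the
sample programs and the 0.6 similarity threshold are constructed for illustration."""

# Constructed sample: an "original" malicious program. Instruction forms:
# ("mov", dst, src), ("add"/"xor", dst, a, b), ("store", var, reg), ("call", api), ("nop",)
# Operands may be register names or immediate integers.
ORIGINAL = [
    ("mov", "r0", 0x41),
    ("mov", "r1", 0x1F),
    ("add", "r2", "r0", "r1"),          # r2 = 0x60
    ("xor", "r3", "r2", "r0"),          # r3 = 0x21
    ("store", "payload", "r3"),
    ("call", "VirtualAlloc"),
    ("call", "WriteProcessMemory"),
    ("call", "CreateRemoteThread"),
]

# Constructed metamorphic variant: renamed registers, reordered independent
# instructions, value-preserving junk, and an extra harmless API call.
VARIANT = [
    ("mov", "r5", 0x1F),                # r1 -> r5, moved ahead of the 0x41 load
    ("nop",),
    ("mov", "r4", 0x41),                # r0 -> r4
    ("add", "r4", "r4", 0),             # junk: value unchanged, so not a "changed value"
    ("call", "GetTickCount"),           # junk call breaks the API-sequence signature
    ("add", "r6", "r4", "r5"),          # r6 = 0x60
    ("xor", "r7", "r6", "r4"),          # r7 = 0x21
    ("mov", "r6", "r6"),                # junk: value unchanged
    ("store", "payload", "r7"),
    ("call", "VirtualAlloc"),
    ("call", "WriteProcessMemory"),
    ("call", "CreateRemoteThread"),
]

# Constructed benign program for comparison.
BENIGN = [
    ("mov", "r0", 10),
    ("mov", "r1", 20),
    ("add", "r2", "r0", "r1"),
    ("store", "total", "r2"),
    ("call", "MessageBoxA"),
]

SIMILARITY_THRESHOLD = 0.6  # assumed cut-off for the similarity stage


def execute(program):
    """Run a toy program and return (API call sequence, semantic set).

    The semantic set follows the abstract's definition: the set of values written
    to registers or memory variables that differ from the previous value there."""
    regs = {f"r{i}": 0 for i in range(8)}
    mem = {}
    changed, calls = set(), []

    def val(x):
        return regs[x] if isinstance(x, str) else x

    def write(store, key, new):
        if store.get(key, 0) != new:    # only genuinely changed values are recorded
            changed.add(new)
        store[key] = new

    for ins in program:
        op = ins[0]
        if op == "mov":
            write(regs, ins[1], val(ins[2]))
        elif op == "add":
            write(regs, ins[1], (val(ins[2]) + val(ins[3])) & 0xFFFFFFFF)
        elif op == "xor":
            write(regs, ins[1], val(ins[2]) ^ val(ins[3]))
        elif op == "store":
            write(mem, ins[1], regs[ins[2]])
        elif op == "call":
            calls.append(ins[1])
        elif op != "nop":
            raise ValueError(f"unknown opcode {op!r}")
    return tuple(calls), frozenset(changed)


def opcode_bigrams(program):
    """Opcode-bigram feature set: a simplified stand-in for the data mining stage."""
    ops = [ins[0] for ins in program]
    return {(a, b) for a, b in zip(ops, ops[1:])}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


# Knowledge base built from the one known sample (assumed family name).
KNOWN_SIGNATURES = {execute(ORIGINAL)[0]: "Injector.A"}
KNOWN_BIGRAMS = {"Injector.A": opcode_bigrams(ORIGINAL)}
KNOWN_SEMANTIC = {execute(ORIGINAL)[1]: "Injector.A"}


def sssm_detect(program):
    """Cascade: cheap signature match, then similarity, then the costlier
    semantic set (which would need disassembly on real binaries). Returns
    (family or None, stage that decided)."""
    calls, sem = execute(program)
    if calls in KNOWN_SIGNATURES:
        return KNOWN_SIGNATURES[calls], "signature"
    bigrams = opcode_bigrams(program)
    for name, known in KNOWN_BIGRAMS.items():
        if jaccard(bigrams, known) >= SIMILARITY_THRESHOLD:
            return name, "similarity"
    if sem in KNOWN_SEMANTIC:
        return KNOWN_SEMANTIC[sem], "semantic-set"
    return None, "clean"


if __name__ == "__main__":
    for label, prog in (("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)):
        print(label, sssm_detect(prog))
```

Running the script shows the original caught by the fast signature stage, the metamorphic variant slipping past both the signature and the bigram similarity (its score against the original is 1/3) and being caught only by the semantic set, and the benign program passing all three stages.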
