Title: SigMal: a static signal processing based malware triage

Abstract: In this work, we propose SigMal, a fast and precise malware detection framework based on signal processing techniques. SigMal is designed to operate with systems that process large amounts of binary samples. It has been observed that many samples received by such systems are variants of previously-seen malware, and they retain some similarity at the binary level. Previous systems used this notion of malware similarity to detect new variants of previously-seen malware. SigMal improves the state-of-the-art by leveraging techniques borrowed from signal processing to extract noise-resistant similarity signatures from the samples. SigMal uses an efficient nearest-neighbor search technique, which is scalable to millions of samples. We evaluate SigMal on 1.2 million recent samples, both packed and unpacked, observed over a duration of three months. In addition, we used a constant dataset of known benign executables. Our results show that SigMal can classify 50% of the recent incoming samples with above 99% precision. We also show that SigMal could have detected, on average, 70 malware samples per day before any antivirus vendor detected them.
Year: 2013
DOI: 10.1145/2523649.2523682
Venue: ACSAC
Keywords: binary sample, noise-resistant similarity signature, malware triage, malware similarity, precise malware detection framework, recent incoming sample, million recent sample, previously-seen malware, binary level, signal processing, static signal processing, malware sample
Field: Data mining, Signal processing, Computer science, Computer security, Triage, Malware, Executable, Binary number, Scalability
DocType: Conference
Citations: 11
PageRank: 0.57
References: 26
Authors (4), listed by author order; the Citations and PageRank figures for each author are run together in the extracted source and are kept as extracted:
1. Dhilung Kirat (Citations/PageRank: 1748.38)
2. Lakshmanan Nataraj (Citations/PageRank: 13810.35)
3. Giovanni Vigna (Citations/PageRank: 7121507.72)
4. B. S. Manjunath (Citations/PageRank: 7561783.37)