Detection and Classification of Malicious Software based on Regional Matching of Temporal Graphs

Abstract

In this paper we present an integrated graph-based framework that utilizes relations between groups of System-calls, in order to detect whether an unknown software sample is malicious or benign, and to a further extent to classify it to a known malware family. A novel graph-based approach for the representation of software samples over the depiction of the structural evolution over time, the so-called Temporal Graphs, is discussed, and a method for measuring graph similarity among specific Regions of such graphs is proposed, the so-called Regional Matching. The partitioning of the Temporal Graphs that depicts their structural evolution over time is defined by specific time-slots, while the quantitative characteristics that depict the commonalities appeared over the weights of the vertices are measured by a similarity metric in order to conduct the malware detection and classification procedures. Finally, we evaluate the detection and classification ability of our proposed graph-based framework performing an experimental study over the achieved results utilizing a set of known malicious samples that are indexed into malware families.