Detecting metamorphic malwares using code graphs

Jusuk Lee, Kyoochang Jeong, Heejo Lee

Research output: Chapter in Book/Report/Conference proceedingConference contribution

86 Citations (Scopus)


Malware writers and detectors have been running an endless battle. Self-defense is the weapon most malware writers prepare against malware detectors. Malware writers have tried to evade the improved detection techniques of anti-virus(AV) products. Packing and code obfuscation are two popular evasion techniques. When these techniques are applied to malwares, they are able to change their instruction sequence while maintaining their intended function. We propose a detection mechanism defeating these self-defense techniques to improve malware detection. Since an obfuscated malware is able to change the syntax of its code while preserving its semantics, the proposed mechanism uses the semantic invariant. We convert the API call sequence of the malware into a graph, commonly known as a call graph, to extract the semantic of the malware. The call graph can be reduced to a code graph used for semantic signatures of the proposed mechanism. We show that the code graph can represent the characteristics of a program exactly and uniquely. Next, we evaluate the proposed mechanism by experiment. The mechanism has an 91% detection ratio of real-world malwares and detects 300 metamorphic malwares that can evade AV scanners. In this paper, we show how to analyze malwares by extracting program semantics using static analysis. It is shown that the proposed mechanism provides a high possibility of detecting malwares even when they attempt self-protection.

Original languageEnglish
Title of host publicationAPPLIED COMPUTING 2010 - The 25th Annual ACM Symposium on Applied Computing
Number of pages8
Publication statusPublished - 2010
Event25th Annual ACM Symposium on Applied Computing, SAC 2010 - Sierre, Switzerland
Duration: 2010 Mar 222010 Mar 26

Publication series

NameProceedings of the ACM Symposium on Applied Computing


Other25th Annual ACM Symposium on Applied Computing, SAC 2010


  • code graph
  • code obfuscation
  • metamorphic malware
  • static analysis

ASJC Scopus subject areas

  • Software


Dive into the research topics of 'Detecting metamorphic malwares using code graphs'. Together they form a unique fingerprint.

Cite this