Generating Call Graph for PE file

A Study on Generating Function Call Graphs for PE File Analysis

  • Kim, DaeYoub (Dept. of Information Security, Suwon University)
  • Received : 2021.08.18
  • Accepted : 2021.09.23
  • Published : 2021.09.30

Abstract

As smart devices proliferate and the damage caused by malicious code grows more serious, malware detection based on machine learning is attracting attention. However, if the training data is built only from fragmentary characteristics of the code, it remains easy to create variants and new malicious code that evade detection. To address this problem, research that uses the function call relationships of malicious code as training data is attracting attention. In particular, measuring graph similarity with a graph neural network (GNN) is expected to enable more advanced malware detection. This paper proposes an efficient method for generating a function call graph from binary code so that GNNs can be used for malware detection.

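With the spread of various smart devices, the damage caused by malicious code is becoming more serious, and malware detection technology that uses machine learning is attracting attention. However, when the training data for machine learning is composed only of fragmentary characteristics of the code, variants and new malicious code that evade it are still easy to create. As a way to solve this problem, research that uses the function call relationships of malicious code as training data is attracting attention. In particular, improved malware detection is expected to be possible by measuring graph similarity with a GNN. This paper proposes an efficient method for generating a function call graph from binary code in order to use GNNs for malware detection.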

Acknowledgement

This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (No. NRF-2021R1F1A1062954).
