Large-Scale Malware Indexing Using Function-Call Graphs

Date Added: Nov 2009
Format: PDF

A major challenge of the Anti-Virus (AV) industry is how to effectively process the huge influx of malware samples they receive every day. One possible solution to this problem is to quickly determine if a new malware sample is similar to any previously-seen malware program. This paper designs, implements and evaluates a malware database management system called SMIT (Symantec Malware Indexing Tree) that can efficiently make such determination based on malware's function-call graphs, which is a structural representation known to be less susceptible to instruction-level obfuscations commonly employed by malware writers to evade detection of AV software.