Extraction of statistically significant malware behaviors

Sirinda Palahan, Domagoj Babic, Swarat Chaudhuri, Daniel Kifer

Research output: Chapter in Book/Report/Conference proceedingConference contribution

23 Scopus citations


Traditionally, analysis of malicious software is only a semi-automated process, often requiring a skilled human analyst. As new malware appears at an increasingly alarming rate - now over 100 thousand new variants each day - there is a need for automated techniques for identifying suspicious behavior in programs. In this paper, we propose a method for extracting statistically significant malicious behaviors from a system call dependency graph (obtained by running a binary executable in a sandbox). Our approach is based on a new method for measuring the statistical significance of subgraphs. Given a training set of graphs from two classes (e.g., goodware and malware system call dependency graphs), our method can assign p-values to subgraphs of new graph instances even if those subgraphs have not appeared before in the training data (thus possibly capturing new behaviors or disguised versions of existing behaviors).

Original languageEnglish (US)
Title of host publicationProceedings - 29th Annual Computer Security Applications Conference, ACSAC 2013
Number of pages10
StatePublished - 2013
Event29th Annual Computer Security Applications Conference, ACSAC 2013 - New Orleans, LA, United States
Duration: Dec 9 2013Dec 13 2013

Publication series

NameACM International Conference Proceeding Series


Other29th Annual Computer Security Applications Conference, ACSAC 2013
Country/TerritoryUnited States
CityNew Orleans, LA

All Science Journal Classification (ASJC) codes

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications


Dive into the research topics of 'Extraction of statistically significant malware behaviors'. Together they form a unique fingerprint.

Cite this