Eitan Menahem, Asaf Shabtai, Adi Levhar
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications …, 2013
In order to evade detection by anti-virus software, malware writers use techniques, such as polymorphism, metamorphism and code re-writing. The result is that such malware contain a much larger fraction of “new” code, compared to benign programs, which tend to maximize code reuse. In this research we study this interesting property and show that by performing “archaeological” analysis of functions residing within binary files (i.e., estimating the functions` creation date), a new set of informative features can be derived. We show that these features provide a good indication for the existence of malicious code within binary files. Preliminary experiments of the proposed temporal function-based features with a set of over 12,000 files indicates that the proposed set of features can be useful for the detection of malicious files (accuracy of over 90% and AUC of 0.96).