Heuristic malware detection via basic block comparison Conference Paper uri icon


  • Each day, malware analysts are tasked with more samples than they have the ability to analyze by hand. To produce this trend, malware authors often reuse a significant portion of their code. In this paper, we introduce a technique to statically decompose malicious software to identify shared code. This technique variably applies a sliding-window methodology to either full files or individual basic blocks to produce representative similarity ratios either between two binaries or between two functionalities within binaries, respectively. This grants the ability to apply heuristic detection via threshold similarity matching as well as full-inclusivity matching for malicious functionality. Additionally, we apply generalization techniques to minimize local assembly variants while still maintaining consistent structural matching. We also identify improvements that this technique provides over previous technologies and demonstrate its success in practical sample detection. Finally, we suggest further applications of this technique and highlight possible contributions to modern malware detection.

name of conference

  • 2013 8th International Conference on Malicious and Unwanted Software: "The Americas" (MALWARE)

published proceedings

  • 2013 8th International Conference on Malicious and Unwanted Software: "The Americas" (MALWARE)

altmetric score

  • 6

author list (cited authors)

  • Adkins, F., Jones, L., Carlisle, M., & Upchurch, J.

citation count

  • 13

complete list of authors

  • Adkins, Francis||Jones, Luke||Carlisle, Martin||Upchurch, Jason

publication date

  • October 2013