
Empirical Network Structure of Malicious Programs

John Musgrave, Alina Campan, Temesguen Messay-Kebede, David Kapp, Anca Ralescu

TL;DR

This study conducts an empirical network analysis of malicious binaries by constructing control flow graphs (CFG), data dependency graphs (DDG), and program dependence graphs (PDG) to capture the full structural properties of programs. It demonstrates that DDG and CFG networks exhibit Scale-Free degree distributions, with DDG also showing Small-World characteristics, while CFGs display neutral degree assortativity and larger diameters. The findings provide a quantitative basis for more fine-grained structural features in labeled malware datasets, enabling better interpretation and potential improvements in classifiers trained on graph features. The work advances static malware analysis by linking network structure to operational semantics, supporting future use of network-derived features in supervised learning for malware classification and semantic mapping.

Abstract

A modern binary executable is a composition of various networks. Control flow graphs are commonly used to represent an executable program in labeled datasets used for classification tasks. Control flow and term representations are widely adopted, but provide only a partial view of program semantics. This study is an empirical analysis of the networks composing malicious binaries in order to provide a complete representation of the structural properties of a program. This is accomplished by the measurement of structural properties of program networks in a malicious binary executable dataset. We demonstrate the presence of Scale-Free properties of network structure for program data dependency and control flow graphs, and show that data dependency graphs also have Small-World structural properties. We show that program data dependency graphs have a degree correlation that is structurally disassortative, and that control flow graphs have a neutral degree assortativity, indicating that the use of random graphs to model the structural properties of program control flow graphs would show increased accuracy. By providing an increase in feature resolution within labeled datasets of executable programs, we provide a quantitative basis to interpret the results of classifiers trained on CFG graph features. An increase in feature resolution allows for the structural properties of program classes to be analyzed for patterns as well as their component parts. By capturing a complete picture of program graphs we can enable theoretical solutions for mapping a program's operational semantics to its structure.
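The abstract and Figures 1, 5 and 6 describe building a data dependency graph (DDG) of operands from the `mov` instructions of a basic block and then measuring its degree distribution and degree assortativity (the Pearson correlation of the degrees at the two ends of each edge). The following is an added example, not code from the paper or its authors, that carries that measurement out on a constructed basic block. It assumes that `mov dst, src` creates a dependency edge `src -> dst`, that numeric immediates are not operand nodes, and that assortativity and diameter are computed over the undirected graph; these are this example's choices, not statements from the paper. Only the Python standard library is used.

```python
"""Build a data dependency graph (DDG) of operands from a basic block of
x86 ``mov`` instructions and measure the network properties discussed in
the paper: degree histogram, degree assortativity (Pearson correlation of
endpoint degrees) and diameter. Standard library only, no networkx."""
import re
from collections import Counter, defaultdict, deque
from math import sqrt

# Constructed sample basic block (not taken from the paper's dataset).
# The register eax acts as a hub feeding several other operands, which
# produces the positively skewed degree distribution the paper describes.
SAMPLE_BLOCK = """
mov eax, ebx
mov ecx, eax
mov edx, eax
mov esi, eax
mov [ebp-4], eax
mov edi, ecx
mov eax, ebx        ; duplicate dependency, counted once
mov ecx, 0x10       ; immediate source: no operand-to-operand edge (assumption)
"""

MOV_RE = re.compile(r"^\s*mov\s+(.+?)\s*,\s*(.+?)\s*(?:;.*)?$", re.IGNORECASE)
IMM_RE = re.compile(r"^(0x[0-9a-f]+|\d+)$", re.IGNORECASE)


def parse_mov_dependencies(asm_text):
    """Return the set of (source, destination) operand edges.

    Assumption (this example's, not the paper's): ``mov dst, src`` yields a
    data dependency edge src -> dst; numeric immediates are skipped."""
    edges = set()
    for line in asm_text.splitlines():
        m = MOV_RE.match(line)
        if not m:
            continue
        dst, src = m.group(1), m.group(2)
        if IMM_RE.match(src):
            continue
        edges.add((src, dst))
    return edges


def undirected_adjacency(edges):
    adj = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj


def degree_histogram(edges):
    """Map degree -> number of nodes having that degree (undirected)."""
    adj = undirected_adjacency(edges)
    return dict(Counter(len(nbrs) for nbrs in adj.values()))


def degree_assortativity(edges):
    """Newman's degree assortativity: Pearson correlation between the
    degrees at the two ends of each edge, each edge counted in both
    directions so the coefficient is symmetric. Negative => disassortative."""
    if not edges:
        return 0.0
    adj = undirected_adjacency(edges)
    xs, ys = [], []
    for u, v in edges:
        du, dv = len(adj[u]), len(adj[v])
        xs += [du, dv]
        ys += [dv, du]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / n
    vx = sum((x - mx) ** 2 for x in xs) / n
    vy = sum((y - my) ** 2 for y in ys) / n
    if vx == 0 or vy == 0:
        return 0.0  # every endpoint has the same degree (e.g. one edge)
    return cov / sqrt(vx * vy)


def diameter(edges):
    """Longest shortest path in the undirected graph (BFS from each node);
    distances are only measured within a connected component."""
    adj = undirected_adjacency(edges)
    best = 0
    for start in adj:
        dist = {start: 0}
        q = deque([start])
        while q:
            u = q.popleft()
            for w in adj[u]:
                if w not in dist:
                    dist[w] = dist[u] + 1
                    q.append(w)
        best = max(best, max(dist.values()))
    return best


def analyse(asm_text):
    """Summarise the DDG of one basic block as the paper's network metrics."""
    edges = parse_mov_dependencies(asm_text)
    r = degree_assortativity(edges)
    return {
        "N": len(undirected_adjacency(edges)),
        "edges": len(edges),
        "degree_histogram": degree_histogram(edges),
        "assortativity": round(r, 3),
        "diameter": diameter(edges),
        "disassortative": r < 0,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_BLOCK).items():
        print(f"{key}: {value}")
```

On the constructed block the hub `eax` has degree 5 while five operands have degree 1, so the assortativity coefficient comes out clearly negative (disassortative, as the paper reports for DDGs): high-degree operands are linked to low-degree ones rather than to each other. Running the same functions over every basic block of a disassembled program, and over the block-level CFG instead of operand edges, is what it takes to reproduce the per-network scatter of Figure 6.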

Paper Structure

This paper contains 14 sections, 1 equation, 6 figures.

Figures (6)

  • Figure 1: Basic block segment of assembly instructions and its data dependency graph. The data dependency graph shown is constructed from data movement instruction dependencies. $mov$ instructions are the primary instructions with respect to term frequency.
  • Figure 2: The program's Control Flow Graph has a power law degree distribution - Network, degree histogram and degree rank plot of a program's Control Flow Graph (CFG), showing a power law degree distribution with a positive skew: most nodes have very few connections and a small number of nodes have a high degree.
  • Figure 3: Comparison of network structure between data dependency networks of operands for largest 5 DDG networks.
  • Figure 5: Data Dependency Graph sizes for this program are skewed positively and follow a power law distribution - This histogram shows network sizes $N$ of data dependency networks (DDG) extracted from $mov$ instructions per block segment in a single program. This shows a power law distribution where most data dependency networks for $mov$ instructions are very small, $N$ less than 5.
  • Figure 6: Data Dependency Networks' Degree Correlations are Disassortative and are not random for the sample - Scatter plot of network size $N$ on the x-axis and Pearson correlation of the network in terms of degree on the y-axis for data dependency networks of $mov$ instructions, $DDG$, per block segment. This shows that the degree correlation coefficient for a majority of networks is below 0, meaning that a majority of the data dependency networks in this program are Degree Disassortative: high-degree nodes do not tend to link to other nodes with high degree.