Executable Code Recognition in Network Flows Using Instruction Transition Probabilities

Ikkyun KIM, Koohong KANG, Yangseo CHOI, Daewon KIM, Jintae OH, Jongsoo JANG, Kijun HAN

IEICE TRANSACTIONS on Information and Systems   Vol.E91-D   No.7   pp.2076-2078
Publication Date: 2008/07/01
Online ISSN: 1745-1361
DOI: 10.1093/ietisy/e91-d.7.2076
Print ISSN: 0916-8532
Type of Manuscript: LETTER
Category: Application Information Security
Keywords: executable code, malware detection, IA-32 instruction


The ability to quickly recognize whether the content of a network flow is executable is a prerequisite for malware detection. For this purpose, we introduce an instruction transition probability matrix (ITPX), built over the IA-32 instruction set, which captures the characteristic instruction transition patterns of executable code. We then propose a simple algorithm that detects executable code inside network flows using a reference ITPX learned from known Windows Portable Executable files. We have tested the algorithm on thousands of executable and non-executable code samples. The results are promising enough for real-world use.
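The following is an added illustration of the ITPX idea, not code from the paper: a first-order transition matrix over instruction mnemonics is learned from reference sequences, and a candidate sequence is scored by the mean log-probability of its transitions. The mnemonic sequences, the smoothing, the uniform fallback for unseen mnemonics and the decision threshold are all constructed assumptions; in practice the flow bytes would first be decoded by an IA-32 disassembler, which is outside this snippet.

```python
import math
from collections import Counter, defaultdict

# Constructed mnemonic sequences standing in for disassembled PE code sections
# (function prologues/epilogues, calls, compares); not real training data.
REFERENCE_EXE = [
    ["push", "mov", "sub", "mov", "mov", "call", "add", "mov", "pop", "ret"],
    ["push", "mov", "push", "push", "mov", "call", "add", "test", "jz",
     "mov", "pop", "pop", "pop", "ret"],
    ["mov", "mov", "cmp", "jne", "push", "call", "add", "mov", "ret"],
]

def build_itpx(sequences, alpha=0.5):
    """Reference ITPX: log P(next | current) for every mnemonic pair in the
    training vocabulary, additively smoothed so that a transition that is
    merely rare in training is not scored as impossible."""
    vocab = sorted({m for s in sequences for m in s})
    counts = defaultdict(Counter)
    for s in sequences:
        for a, b in zip(s, s[1:]):
            counts[a][b] += 1
    itpx = {}
    for a in vocab:
        total = sum(counts[a].values()) + alpha * len(vocab)
        for b in vocab:
            itpx[(a, b)] = math.log((counts[a][b] + alpha) / total)
    return {"itpx": itpx, "vocab": vocab}

def transition_score(sequence, ref):
    """Mean log-probability per transition under the reference ITPX.
    Pairs involving a mnemonic never seen in training fall back to a uniform
    guess over the vocabulary plus one 'unknown' slot (an assumed rule)."""
    if len(sequence) < 2:
        return float("-inf")          # nothing to score; treat as non-code
    uniform = math.log(1.0 / (len(ref["vocab"]) + 1))
    logps = [ref["itpx"].get((a, b), uniform)
             for a, b in zip(sequence, sequence[1:])]
    return sum(logps) / len(logps)

def is_executable(sequence, ref, threshold=-2.0):
    """Flag the flow as carrying executable code when its transitions look
    enough like the reference. The threshold is a constructed value; a real
    deployment sets it from score distributions of labelled samples."""
    return transition_score(sequence, ref) > threshold

if __name__ == "__main__":
    ref = build_itpx(REFERENCE_EXE)
    code = ["push", "mov", "sub", "mov", "call", "add", "mov", "pop", "ret"]
    # Constructed stand-in for disassembling text/random bytes: odd mnemonics.
    junk = ["imul", "das", "arpl", "outsb", "in", "jb", "xor", "das", "add", "das"]
    for name, seq in (("code", code), ("junk", junk)):
        print(name, round(transition_score(seq, ref), 2), is_executable(seq, ref))
```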