Title: Opcodes as predictor for malware

Authors: Daniel Bilar

Addresses: Department of Computer Science, Wellesley College, Massachusetts, USA

Abstract: This paper discusses a detection mechanism for malicious code through statistical analysis of opcode distributions. A total of 67 malware executables were sampled statically disassembled and their statistical opcode frequency distribution compared with the aggregate statistics of 20 non-malicious samples. We find that malware opcode distributions differ statistically significantly from non-malicious software. Furthermore, rare opcodes seem to be a stronger predictor, explaining 12–63% of frequency variation.

Keywords: x86 opcodes; malware; structural fingerprint; statistical analysis; predictors; executables; frequency; malicious code detection; electronic security; digital forensics.

DOI: 10.1504/IJESDF.2007.016865

International Journal of Electronic Security and Digital Forensics, 2007 Vol.1 No.2, pp.156 - 168

Published online: 26 Jan 2008 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article