Authors: Daniel Bilar
Addresses: Department of Computer Science, Wellesley College, Massachusetts, USA
Abstract: This paper discusses a detection mechanism for malicious code through statistical analysis of opcode distributions. A total of 67 malware executables were sampled, statically disassembled, and their statistical opcode frequency distributions compared with the aggregate statistics of 20 non-malicious samples. We find that malware opcode distributions differ statistically significantly from those of non-malicious software. Furthermore, rare opcodes seem to be a stronger predictor, explaining 12–63% of frequency variation.
Keywords: x86 opcodes; malware; structural fingerprint; statistical analysis; predictors; executables; frequency; malicious code detection; electronic security; digital forensics.
International Journal of Electronic Security and Digital Forensics, 2007, Vol. 1, No. 2, pp. 156-168
Available online: 26 Jan 2008