Article

Article title CLASSIFICATION OF MALICIOUS SOFTWARE BASED ON BEHAVIOR FEATURES
Authors L.K. Babenko, E.P. Tumoyan, K.V. Tsyganok, M.V. Anikeev
Section SECTION II. SECURITY IN DATA PROCESSING TECHNOLOGIES
Month, Year 04, 2012
Index UDC 004.491
Abstract Classification is a common problem in malware analysis and signature generation. A common approach to classification is the estimation, by a virus analyst, of a similarity measure between malware samples. This paper describes a new method of malware classification based on behavior features extracted from WinAPI calls, their arguments, and the files created by the analyzed application. The method produces a two-dimensional feature vector for each program. The sets of characteristic features are clustered with a novel fuzzy clustering algorithm. The resulting clusters characterize groups of programs that exhibit similar behavior. The method was evaluated experimentally on packed and encrypted executables as well as on real malware samples.

Keywords Malware detection; metamorphic transformations; clustering; computer security.