A Novel Malware Clustering Method Using Frequency of Function Call Traces in Parallel Threads
Authors
- NAKAZATO Junji (National Institute of Information and Communications Technology)
- SONG Jungsuk (National Institute of Information and Communications Technology)
- ETO Masashi (National Institute of Information and Communications Technology)
- INOUE Daisuke (National Institute of Information and Communications Technology)
- NAKAO Koji (National Institute of Information and Communications Technology)
Abstract
With the rapid development and proliferation of the Internet, cyber attacks are continually emerging and evolving. Malware, a generic term for computer viruses, worms, trojan horses, spyware, adware, and bots, is a particularly serious security threat. To cope with this threat appropriately, we need to identify the tendencies and characteristics of malware and analyze its behavior, including classification. Previous classification work has classified malware using data from dynamic analysis or code analysis, but has not succeeded in obtaining efficient classification with high accuracy. In this paper, we propose a new classification method that clusters malware more effectively and more accurately. We first perform dynamic analysis to automatically obtain the execution traces of malware samples. We then classify the samples into clusters using behavioral characteristics derived from the Windows API calls made in parallel threads. We evaluated our classification method using 2,312 malware samples with different hash values. The samples, which three antivirus products had classified into 1,221 groups, were classified into 93 clusters; 90% of the samples used in the experiment fell into at most 20 clusters. Moreover, 39 malware samples were shown to have characteristics different from all other samples, suggesting that they may be new types of malware. The kinds of Windows API calls confirmed that samples classified into the same cluster share the same characteristics. We also showed that antivirus software assigns different names to malware that has the same behavior.
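To make the pipeline in the abstract concrete, the following is an added example, not code from the paper or from NICT: it turns constructed sandbox trace records (sample id, thread id, Windows API name) into one frequency vector per sample, averaging the relative API frequency over the sample's parallel threads, clusters the vectors by cosine similarity with a greedy threshold rule, and then reports singleton clusters (candidate new malware types) and clusters whose members carry different antivirus names. The trace format, the per-thread averaging, the similarity threshold, the greedy clustering, and the antivirus labels are all assumptions made for illustration; the paper's own feature definition and clustering algorithm are not reproduced here.

```python
"""Clustering malware samples by per-thread Windows API call frequencies.

Added illustration; the feature construction and clustering rule below are
assumptions, not the method of the paper this page describes.
"""
from collections import Counter, defaultdict
import math

# Constructed trace records as a sandbox might log them: (sample, thread, API).
# These are made-up values, not real malware data.
TRACES = [
    ("s1", 1, "CreateFileW"), ("s1", 1, "WriteFile"), ("s1", 2, "socket"),
    ("s1", 2, "connect"), ("s1", 2, "send"), ("s1", 2, "send"),
    ("s2", 1, "CreateFileW"), ("s2", 1, "WriteFile"), ("s2", 3, "socket"),
    ("s2", 3, "connect"), ("s2", 3, "send"),
    ("s3", 1, "RegOpenKeyExW"), ("s3", 1, "RegSetValueExW"), ("s3", 1, "RegCloseKey"),
    ("s4", 1, "RegOpenKeyExW"), ("s4", 1, "RegSetValueExW"), ("s4", 2, "RegCloseKey"),
    ("s5", 1, "VirtualAlloc"), ("s5", 1, "WriteProcessMemory"), ("s5", 1, "CreateRemoteThread"),
]

# Constructed antivirus names for the samples above (hypothetical labels).
AV_LABELS = {
    "s1": "Trojan.Agent", "s2": "Worm.Generic",
    "s3": "Backdoor.X", "s4": "Backdoor.X", "s5": "Dropper.Y",
}


def thread_histograms(traces):
    """Group API call counts per sample and per thread."""
    per_sample = defaultdict(lambda: defaultdict(Counter))
    for sample, thread, api in traces:
        per_sample[sample][thread][api] += 1
    return per_sample


def sample_vector(thread_hists):
    """Average the relative API frequency over a sample's threads, so each
    parallel thread contributes equally regardless of how long it ran
    (assumption: one of several possible ways to merge thread-level features)."""
    vec = Counter()
    n_threads = len(thread_hists)
    for hist in thread_hists.values():
        total = sum(hist.values())
        for api, count in hist.items():
            vec[api] += count / total / n_threads
    return dict(vec)


def cosine(a, b):
    """Cosine similarity between two sparse frequency vectors."""
    dot = sum(a[k] * b.get(k, 0.0) for k in a)
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def cluster(vectors, threshold=0.8):
    """Greedy clustering: join the first cluster whose representative (its
    first member) is at least `threshold` similar, otherwise open a new one."""
    clusters = []  # list of (representative vector, member ids)
    for sample in sorted(vectors):
        vec = vectors[sample]
        for rep, members in clusters:
            if cosine(rep, vec) >= threshold:
                members.append(sample)
                break
        else:
            clusters.append((vec, [sample]))
    return [members for _, members in clusters]


def cluster_samples(traces, threshold=0.8):
    """Full pipeline: traces -> per-sample vectors -> clusters of sample ids."""
    vectors = {s: sample_vector(th) for s, th in thread_histograms(traces).items()}
    return cluster(vectors, threshold)


def singletons(clusters):
    """Samples that share a cluster with nobody: behaviour unlike all others."""
    return [members[0] for members in clusters if len(members) == 1]


def label_disagreements(clusters, av_labels):
    """Clusters whose members were given different antivirus names."""
    out = []
    for members in clusters:
        names = sorted({av_labels[s] for s in members})
        if len(names) > 1:
            out.append((members, names))
    return out


if __name__ == "__main__":
    found = cluster_samples(TRACES)
    print("clusters:", found)
    print("singletons:", singletons(found))
    print("AV name disagreements:", label_disagreements(found, AV_LABELS))
```

Running the block prints three clusters (the file-plus-network samples, the registry samples, and the lone injection sample), reports `s5` as a singleton, and flags the first cluster because its two members carry different antivirus names despite near-identical per-thread API profiles. The threshold and the greedy rule are the simplest choices that show the idea; a real deployment would pick them from labelled data.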
Published in
- IEICE transactions on information and systems, 94(11), 2150-2158, 2011-11-01
- The Institute of Electronics, Information and Communication Engineers