A Novel Malware Clustering Method Using Frequency of Function Call Traces in Parallel Threads


Authors

    • NAKAZATO Junji
    • National Institute of Information and Communications Technology
    • SONG Jungsuk
    • National Institute of Information and Communications Technology
    • ETO Masashi
    • National Institute of Information and Communications Technology
    • INOUE Daisuke
    • National Institute of Information and Communications Technology
    • NAKAO Koji
    • National Institute of Information and Communications Technology

Abstract

With the rapid development and proliferation of the Internet, cyber attacks are continually emerging and evolving. Malware - a generic term for computer viruses, worms, trojan horses, spyware, adware, and bots - is a particularly serious security threat. To cope with this threat appropriately, we need to identify the tendencies and characteristics of malware and analyze its behavior, including its classification. In previous work on classification technologies, malware has been classified using data from dynamic analysis or code analysis. However, these works have not succeeded in obtaining efficient classification with high accuracy. In this paper, we propose a new classification method that clusters malware more effectively and more accurately. We first perform dynamic analysis to automatically obtain the execution traces of malware samples. Then, we classify the samples into clusters using behavioral characteristics derived from the Windows API calls made in parallel threads. We evaluated our classification method using 2,312 malware samples with different hash values. The samples, which three types of antivirus software had placed into 1,221 groups, were classified into 93 clusters; 90% of the samples used in the experiment fell into at most 20 clusters. Moreover, the method showed that 39 malware samples had characteristics different from the other samples, suggesting that these may be new types of malware. The kinds of Windows API calls confirmed that samples classified into the same cluster shared the same characteristics. We also made clear that antivirus software assigns different names to malware that has the same behavior.

Published in

  • IEICE transactions on information and systems

    IEICE transactions on information and systems 94(11), 2150-2158, 2011-11-01

    The Institute of Electronics, Information and Communication Engineers


Identifiers

  • NII Article ID (NAID)
    10030193849
  • NII Bibliographic ID (NCID)
    AA10826272
  • Text language code
    ENG
  • Material type
    ART
  • ISSN
    09168532
  • Data source
    CJP bibliographic data; J-STAGE