In this paper, we propose a highly accurate, automatic malware-classification method that extracts features by static analysis of malware samples and of the structure of the malware code. In the proposed extraction method, the presence or absence of particular pairs of consecutive Application Programming Interface (API) function calls in the API-sequence graph is compared with those in the executable code of a sample within which malware features have been identified. To determine the degree of similarity between samples, Dice's coefficient is applied. To visualize the grouping of samples with similar features, we use hierarchical cluster analysis based on the extracted features. The results of the analysis are presented as a dendrogram with colored nodes for each family name. To evaluate the proposed method, we set up a malware-analysis system comprising a disassembler, a control-flow analyzer, an API-sequence extractor, a similarity calculator and a hierarchical cluster analyzer. We acquired 4,684 malware samples, from 1,821 of which we successfully extracted API sequences, to which we applied our proposed classification method. We found that the automatic hierarchical cluster analysis ran rapidly and yielded significant clusters of variant groups.
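The pipeline the abstract describes (consecutive API-call pairs as features, Dice's coefficient as the similarity measure, hierarchical clustering to group variants) can be illustrated end to end. The following is an added example written for this page; it is not the authors' implementation. The API-call sequences, sample names and family labels are constructed, and the disassembly and control-flow steps that would produce such sequences from real binaries are assumed to have already run. The paper does not state which linkage rule its clustering uses, so average linkage with a stop threshold is an assumption here.

```python
"""Added example (not the paper's code): API-pair features, Dice similarity,
and agglomerative hierarchical clustering of malware samples."""
from itertools import combinations

# Constructed sample API-call sequences, as a real API-sequence extractor
# would emit after disassembly and control-flow analysis (hypothetical data).
SAMPLES = {
    "famA.1": ["CreateFileA", "WriteFile", "CloseHandle", "WinExec"],
    "famA.2": ["CreateFileA", "WriteFile", "CloseHandle", "WinExec", "ExitProcess"],
    "famB.1": ["socket", "connect", "send", "recv", "closesocket"],
    "famB.2": ["socket", "connect", "send", "closesocket"],
    "loner":  ["RegOpenKeyExA", "RegSetValueExA", "RegCloseKey"],
}


def api_pairs(sequence):
    """Feature set of a sample: every pair of consecutive API calls."""
    return {(a, b) for a, b in zip(sequence, sequence[1:])}


def dice(set_a, set_b):
    """Dice's coefficient 2|A n B| / (|A| + |B|); defined as 0 for two empty sets."""
    if not set_a and not set_b:
        return 0.0
    return 2 * len(set_a & set_b) / (len(set_a) + len(set_b))


def similarity_matrix(samples):
    """Pairwise Dice similarity over the API-pair feature sets of all samples."""
    feats = {name: api_pairs(seq) for name, seq in samples.items()}
    names = list(samples)
    return names, {(a, b): dice(feats[a], feats[b]) for a in names for b in names}


def hierarchical_clusters(samples, threshold):
    """Agglomerative average-linkage clustering (an assumed linkage rule).

    Repeatedly merges the two clusters with the highest average pairwise
    similarity until no pair reaches `threshold`.  Returns the final clusters
    (sorted name tuples) and the merge history, i.e. the dendrogram edges."""
    names, sim = similarity_matrix(samples)
    clusters = [(n,) for n in names]
    history = []
    while len(clusters) > 1:
        best, best_pair = -1.0, None
        for c1, c2 in combinations(clusters, 2):
            avg = sum(sim[(a, b)] for a in c1 for b in c2) / (len(c1) * len(c2))
            if avg > best:
                best, best_pair = avg, (c1, c2)
        if best < threshold:
            break  # remaining clusters are too dissimilar to merge
        c1, c2 = best_pair
        merged = tuple(sorted(c1 + c2))
        clusters = [c for c in clusters if c not in (c1, c2)] + [merged]
        history.append((c1, c2, round(best, 3)))
    return sorted(clusters), history


if __name__ == "__main__":
    final, merges = hierarchical_clusters(SAMPLES, threshold=0.5)
    for c1, c2, score in merges:
        print(f"merge {c1} + {c2} at Dice {score}")
    print("clusters:", final)
```

With the constructed data, the two famA samples share three of their API pairs (Dice 6/7) and merge first, the famB pair merges next (Dice 4/7), and the registry-only sample stays a singleton because it shares no pair with anything else. Note that the feature is a set of pairs, so the number of times a pair occurs does not affect the score; a sample that repeats one pair many times looks identical to one that uses it once.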