DocumentCode :
3359135
Title :
A Malware Classification Method Based on Similarity of Function Structure
Author :
Zhong, Yang ; Yamaki, Hirofumi ; Takakura, Hiroki
Author_Institution :
Grad. Sch. of Inf. Sci., Nagoya Univ., Nagoya, Japan
fYear :
2012
fDate :
16-20 July 2012
Firstpage :
256
Lastpage :
261
Abstract :
Malicious software (malware) in the form of Internet worms, computer viruses, and trojan horses poses a major threat to the security of network systems. Identification of malware variants provides great benefit in early detection. Taking into account that variants of malware families share similar functions reflecting their origin and purpose, we propose a method focusing on the features of the functions that a malware program consists of. In our method, the feature database is created based on the analysis of known malware programs, and functions in unknown programs are compared to the content of the database to determine which family the program belongs to. To decrease the cost of calculating similarity, we use a filtering algorithm based on one-class SVM to filter out functions which have little influence in determining the family. We evaluated the approach using 32 categorized malware samples and 113 malware samples to be classified. The experiment shows that our approach effectively reduces the calculation time while accuracy does not deteriorate too much.
Keywords :
invasive software; pattern classification; support vector machines; Internet worms; computer viruses; feature database; filtering algorithm; function structure similarity; malicious software; malware classification method; malware families; malware program; malware variants; one-class SVM; trojan horses; Accuracy; Databases; Educational institutions; Feature extraction; Malware; Support vector machines; Vectors; disassembly; malware classification; static analysis;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Applications and the Internet (SAINT), 2012 IEEE/IPSJ 12th International Symposium on
Conference_Location :
Izmir
Print_ISBN :
978-1-4673-2001-6
Electronic_ISBN :
978-0-7695-4737-4
Type :
conf
DOI :
10.1109/SAINT.2012.48
Filename :
6305294