Measuring similarity of malware behavior

Proceedings - Conference on Local Computer Networks, LCN

Volumn , Issue , 2009, Pages 891-898

  Apel, Martin ^a   Bockermann, Christian ^a   Meier, Michael ^a  

^a TU DORTMUND UNIVERSITY   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

ANTI-MALWARE; APPROPRIATE DISTANCES; BEHAVIORAL FEATURES; DISTANCE MEASURE; MALICIOUS SOFTWARE; MALWARES; MORPHING; SIMILARITY MEASURE; SYNTACTIC REPRESENTATION;

INTERNET;

COMPUTER CRIME;

EID: 77951289154     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/LCN.2009.5355037     Document Type: Conference Paper

References (41)

1. "Admmutate." [Online]. Available: http://www.securitylab.ru/- tools/ADMmutate-0.8.4.tar.gz
2. D. Gryaznov and J. Telafici, "What a waste - the anti-virus industrie dos-ing itself," in Proc. of Virus Bulletin Conf. 2007, 2007, pp. 130-135.
3. H. Flake, "Structural comparison of executable objects," in Proc. of Dimva 2004, ser. LNI, vol. 46. GI, 2004, pp. 161-173.
4. T. Dullien and R. Rolles, "Graph-based comparison of executable objects," in Proc. of SSTIC2005, Rennes, France, June 2005.
5. C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna, "Polymorphic worm detection using structural information of executables," in Proc. of RAID2005, ser. LNCS, vol. 3858, 2005, pp. 207-226.
6. D. Bruschi, L. Martignoni, and M. Monga, "Detecting self-mutating malware using control-flow graph matching," in Proc. of Dimva 2006, ser. LNCS, vol. 4064. Springer, 2006, pp. 129-143.
7. P. Baecher, M. Koetter, T. Holz, M. Dornseif, and F. Freiling, "The Nepenthes platform: An efficient approach to collect malware," in RAID, ser. LNCS, no. 4219. Springer, 2006, pp. 165-184.
8. "Amun: Python honeypot." [Online]. Available: http://amunhoney.sourceforge.net/
9. "Capture-hpc client honeypot / honeyclient." [Online]. Available: https://projects.honeynet.org/capture-hpc
10. C. Willems, T. Holz, and F. Freiling, "Toward automated dynamic malware analysis using CWSandbox," IEEE Security & Privacy, vol. 5, no. 2, pp. 32-39, 2007.
11. International Secure Systems Lab, "Anubis: Analyzing unknown binaries," http://anubis.iseclab.org/.
12. M. Karim, A. Walenstein, A. Lakhotia, and L. Parida, "Malware phylogeny generation using permutations of code," Journal in Computer Virology, vol.1, no.1-2, pp. 13-23, 2005. (Pubitemid 44195063)
13. S. Wehner, "Analyzing worms and network traffic using compression," CoRR, vol. abs/cs/0504045, 2005.
14. D. Bruschi, L. Martignoni, and M. Monga, "Code normalization for self-mutating malware," IEEE Security and Privacy, vol. 5, no. 2, 2007.
15. G. Bonfante, M. Kaczmarek, and J.-Y. Marion, "An implementation of morphological malware detection," in Proc. of EICAR 2008, France, Laval, pp. 49-62.
16. A. Moser, C. Kruegel, and E. Kirda, "Limits of static analysis for malware detection," in Proc. of ACSAC 2007. IEEE Computer Society, 2007, pp. 421-430.
17. S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff, "A sense of self for unix processes," in Proc. IEEE Symp. on Security and Privacy, 1996, pp. 120-128.
18. M. D. Ernst, J. H. Perkins, P. J. Guo, S. McCamant, C. Pacheco, M. S. Tschantz, and C. Xiao, "The daikon system for dynamic detection of likely invariants," Science of Computer Programming, vol.69, no.1-3, pp. 35-45, 2007. (Pubitemid 350087239)
19. M. Bailey, J. Oberheide, J. Andersen, Z. M. Mao, F. Jahanian, and J. Nazario, "Automated classification and analysis of internet malware," in Proc. of RAID 2007, 2007.
20. T. Lee and J. J. Mody, "Behavioral classification," in Proc. of EICAR 2006), 2006.
21. K. Rieck, T. Holz, C. Willems, P. Düssel, and P. Laskov, "Learning and classification of malware behavior," in Proc. of DIMVA 2008, 2008, pp. 108-125.
22. A. J. Oliner, A. Kulkarni, and A. Aiken, "Community epidemic detection with syzygy."
23. "Amsel project." [Online]. Available: http://ls6-www.cs. tudortmund.de/meier/AMSEL/
24. D. S. Hirschberg, "A linear space algorithm for computing maximal common subsequences," Communications of the ACM, vol. 18, no. 6, pp. 341-343, 1975.
25. -, "Algorithms for the longest common subsequence problem," Journal of the ACM, vol. 24, no. 4, pp. 664-675, 1977.
26. J. D. Kornblum, "Identifying almost identical files using context triggered piecewise hashing," Digital Investigation, vol. 3, no. Supplement-1, pp. 91-97, 2006.
27. "Fuzzy hashing and ssdeep." [Online]. Available: http://ssdeep.sourceforge.net/
28. M. Li and P. Vitanyi, An Introduction to Kolmogorov Complexity and Its Applications. Springer, 1997.
29. M. Li, X. Chen, X. Li, B. Ma, and P. Vitanyi, "The similarity metric," in Proc. of the 14th Annual ACM-SIAM Symp. on Discrete Algorithms, 2003, pp. 863-872.
30. R. Cilibrasi and P. Vitanyi, "Clustering by compression," 2004.
31. E. Keogh, S. Lonardi, and C. A. Ratanamahatana, "Towards parameter-free data mining," in Proc. 10th ACM SIGKDD. ACM Press, 2004, pp. 206-215.
32. A. Bratko, G. V. Cormack, B. Filipič, T. R. Lynam, and B. Zupan, "Spam filtering using statistical data compression models," Journal of Machine Learning Research, vol.7, pp. 2673-2698, 2006. (Pubitemid 46011492)
33. S. J. Delany and D. Bridge, "Feature-based and feature-free textual cbr: A comparison in spam filtering," in Proc. of AICS'06, 2006, pp. 244-253.
34. M. Li and R. Sleep, "R.: Genre classification via an lz78-based string kernel," in Proc. of ISMIR 2005, 2005, pp. 252-259.
35. M. Nykter, O. Yli-harja, and I. Shmulevich, "Normalized compression distance for gene expression analysis," in Proc. of GENSIPS, 2005.
36. X. C. Brent, X. Chen, B. Francia, M. Li, B. Mckinnon, and A. Seker, "Shared information and program plagiarism detection," IEEE Trans. on Information Theory, vol. 50, pp. 1545-1551, 2004.
37. M. Cebrián, M. Alfonseca, and A. Ortega, "Common pitfalls using the normalized compression distance: what to watch out for in a compressor," Communications in Information and Systems, vol. 5, no. 4, pp. 367-384, 2005.
38. K. Rieck and P. Laskov, "Linear-time computation of similarity measures for sequential data." Journal of Machine Learning Research (JMLR), vol. 9, pp. 23-48, 2008.
39. Sneath and Sokal, Numerical Taxonomy. Freeman, 1973.
40. E. Ukkonen, "On-line construction of suffix trees," Algorithmica, vol. 14, no. 3, pp. 249-260, 1995.
41. C. T. Zahn, "Graph-theoretical methods for detecting and describing gestalt clusters," Transactions on Computers, vol. C-20, no.1, pp. 68-86, 1971.