Scalable, Behavior-Based Malware Clustering

Proceedings of the Symposium on Network and Distributed System Security, NDSS 2009

Volumn , Issue , 2009, Pages

  Bayer, Ulrich ^a   Comparetti, Paolo Milani ^a   Hlauschek, Clemens ^a   Kruegel, Christopher ^b   Kirda, Engin ^c  

^a VIENNA UNIVERSITY OF TECHNOLOGY   (Austria)

^b UNIVERSITY OF CALIFORNIA   (United States)

^c EURECOM   (France)

Author keywords

[No Author keywords available]

Indexed keywords

CLUSTERING ALGORITHMS; NETWORK SECURITY;

ANALYSIS TOOLS; ANTI-MALWARE; AUTOMATED ANALYSIS; AUTOMATED CLUSTERING; BEHAVIOR-BASED; CLUSTERING TECHNIQUES; CLUSTERINGS; CONTROLLED ENVIRONMENT; EXECUTION TRACE; MALWARES;

MALWARE;

EID: 85043201839     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (46)

1. ANUBIS. http://anubis.seclab.tuwien.ac. at, 2008.
2. AVG Virus Database - Mabezat. http://www.avg.com/virbase?nam=win32/mabezat, 2008.
3. CWSandbox. http://www.cwsandbox.org/, 2008.
4. F-Secure Malware Information Pages - Allaple.A. http://www.f-secure.com/v-descs/ allaple a.shtml, 2008.
5. MWCollect. http://www.mwcollect.org/, 2008.
6. Norman Sandbox. http://www.norman.com/microsites/nsic/, 2008.
7. Shadowserver. http://shadowserver.org/wiki/, 2008.
8. ThreatExpert. http://www.threatexpert.com/, 2008.
9. Virus Total. http://www.virustotal.com/, 2008.
10. D. Arthur and S. Vassilvitskii. How slow is the k-means method? In SCG’06: Proceedings of the twenty-second annual symposium on Computational geometry, pages 144–153, New York, NY, USA, 2006. ACM.
11. P. Baecher, M. Koetter, T. Holz, M. Dornseif, and F. C. Freiling. The nepenthes platform: An efficient approach to collect malware. In D. Zamboni and C. Kruegel, editors, RAID, volume 4219 of Lecture Notes in Computer Science, pages 165–184. Springer, 2006.
12. ∼mibailey/malware/, 2008.
13. M. Bailey, J. Oberheide, J. Andersen, Z. M. Mao, F. Jahanian, and J. Nazario. Automated classification and analysis of internet malware. In Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection (RAID’07), September 2007.
14. U. Bayer, C. Kruegel, and E. Kirda. TTAnalyze: A Tool for Analyzing Malware. In 15th European Institute for Computer Antivirus Research (EICAR 2006) Annual Conference, April 2006.
15. F. Bellard. Qemu, a Fast and Portable Dynamic Translator. In Usenix Annual Technical Conference, 2005.
16. A. Z. Broder, S. C. Glassman, M. S. Manasse, and G. Zweig. Syntactic clustering of the web. Comput. Netw. ISDN Syst., 29(8-13):1157–1166, 1997.
17. D. Brumley, C. Hartwig, Z. Liang, J. Newsome, P. Poosankam, D. Song, and H. Yin. Automatically identifying trigger-based behavior in malware. In Book chapter in”Botnet Analysis and Defense”, Editors Wenke Lee et. al., 2007.
18. J. Caballero, H. Yin, Z. Liang, and D. Song. Polyglot: Automatic Extraction of Protocol Message Format using Dynamic Binary Analysis. In Proceedings of ACM Conference on Computer and Communication Security, Oct. 2007.
19. L. Cavallaro, P. Saxena, and R. Sekar. On the Limits of Information Flow Techniques for Malware Analysis and Containment. In GI SIG SIDAR Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2008.
20. M. S. Charikar. Similarity estimation techniques from rounding algorithms. In Proceedings of the thiry-fourth annual ACM symposium on Theory of computing. ACM, 2002.
21. M. Christodorescu, S. Jha, and C. Kruegel. Mining specifications of malicious behavior. In ESEC-FSE’07: Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering, pages 5–14, New York, NY, USA, 2007. ACM.
22. R. Cilibrasi and P. Vitányi. Complearn version 1.15. http://www.complearn.org/, 2008.
23. J. Crandall and F. Chong. Minos: Architectural support for software security through control data integrity. In International Symposium on Microarchitecture, 2004.
24. T. Dullien and R. Rolles. Graph-based comparison of Executable Objects. In In Symposium sur la Sécurité des Technologies de l’Information et des Communications (SSTIC), June 2005.
25. M. Egele, C. Kruegel, E. Kirda, H. Yin, and D. Song. Dynamic spyware analysis. In Proceedings of USENIX Annual Technical Conference, June 2007.
26. M. Gheorghescu. An Automated Virus Classification System. In Virus Bulletin conference, 2005.
27. T. H. Haveliwala, A. Gionis, and P. Indyk. Scalable techniques for clustering the web. In WebDB (Informal Proceedings), pages 129–134, 2000.
28. T. Holz, C. Willems, K. Rieck, P. Duessel, and P. Laskov. Learning and Classification of Malware Behavior. In Fifth Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 08), June 2008.
29. P. Indyk and R. Motwani. Approximate nearest neighbors: towards removing the curse of dimensionality. In Proc. of 30th STOC, pages 604–613, 1998.
30. J. Z. Kolter and M. A. Maloof. Learning to detect and classify malicious executables in the wild. J. Mach. Learn. Res., 7:2721–2744, 2006.
31. T. Lee and J. J. Mody. Behavioral Classification. In EICAR Conference, 2006.
32. C. Leita and M. Dacier. SGNET: a worldwide deployable framework to support the analysis of malware threat models. In EDCC 2008, 7th European Dependable Computing Conference, May 7-9, 2008, Kaunas, Lituania, 2008.
33. M. Li and P. Vitányi. An Introduction to Kolmogorov Complexity and Its Applications. Springer-Verlag, New York, second edition, 1997.
34. C. Linn and S. Debray. Obfuscation of executable code to improve resistance to static disassembly. In CCS’03: Proceedings of the 10th ACM conference on Computer and communications security, pages 290–299, New York, NY, USA, 2003. ACM.
35. L.Kaufman and P. Rousseeuw. Finding groups in data: An introduction to cluster analysis. New York: John Wiley & Sons, 1990.
36. J. B. Macqueen. Some methods of classification and analysis of multivariate observations. In Proceedings of the Fifth Berkeley Symposium on Mathematical Statistics and Probability, pages 281–297, 1967.
37. A. Moser, C. Kruegel, and E. Kirda. Exploring multiple execution paths for malware analysis. In Security and Privacy, 2007. SP’07. IEEE Symposium on, pages 231–245, 2007.
38. A. Moser, C. Kruegel, and E. Kirda. Limits of Static Analysis for Malware Detection. In ACSAC, pages 421–430. IEEE Computer Society, 2007.
39. J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In 12th Annual Network and Distributed System Security Symposium (NDSS), 2005.
40. V. Paxson. Bro: a system for detecting network intruders in real-time. Comput. Networks, 31(23-24):2435–2463, 1999.
41. G. Portokalidis, A. Slowinska, and H. Bos. Argos: an Emulator for Fingerprinting Zero-Day Attacks. In Proc. ACM SIGOPS EUROSYS’2006, Leuven, Belgium, April 2006.
42. L. Spitzner. Honeypots: Tracking Hackers. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 2002.
43. G. Wondracek, P. Milani Comparetti, C. Kruegel, and E. Kirda. Automatic Network Protocol Analysis. In 15th Symposium on Network and Distributed System Security (NDSS), 2008.
44. T. Yetiser. Polymorphic Viruses - Implementation, Detection, and Protection. http://vx.netlux.org/lib/ayt01.html, 1993.
45. H. Yin, Z. Liang, and D. Song. HookFinder: Identifying and understanding malware hooking behaviors. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS’08), February 2008.
46. H. Yin, D. Song, M. Egele, C. Kruegel, and E. Kirda. Panorama: capturing system-wide information flow for malware detection and analysis. In CCS’07: Proceedings of the 14th ACM conference on Computer and communications security, pages 116–127, New York, NY, USA, 2007. ACM.