Abstract- Recent cyber attacks frequently use variants of malware programs which drastically update existing functions and implement new ones. Beyond functionality, recent malware programs also improve their secrecy in variants through obfuscation, encryption, and changing their behavior after inspecting their execution environment. But the number of skilled malware analysts is limited, so methods to reduce the expensive cost of manual analysis are widely explored in order to fight huge amounts of malware programs. In this paper, we propose an integrated approach of dynamic traffic analysis and static program analysis. Similar to other conventional methods, the former part performs feature extraction, clustering, and labeling to summarize traffic data into a sequence of characters. The latter part applies fuzzy hashing to malware programs, which can effectively represent identical partial parts shared between malware programs. We evaluated three integration patterns: prioritizing the dynamic analysis result, prioritizing the static analysis result, and using the mean of the two analysis results. From the experimental results using 340 malware samples and their traffic data, our method correctly identifies 61.1% of the malware.
Keywords: Malware Classification, Dynamic Analysis, Static Analysis, Similarity Measure
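As an added illustration (not code from the paper), the three integration patterns named in the abstract applied to nearest-neighbour family labelling over constructed data: traffic summaries are compared as character sequences, the static fuzzy-hash scores are supplied as constructed values (computing them would need the binaries), and the exact meaning of "prioritize" is an assumption, taken here as "use the preferred score and fall back to the other only when it is missing".

```python
from difflib import SequenceMatcher

# Constructed labelled corpus: sample id -> (traffic summary, family). The
# summary is the paper's "sequence of characters" (one per traffic cluster);
# static fuzzy-hash scores are given separately since they need the binaries.
LABELLED = {
    "s1": ("ABCABCDD", "famA"),
    "s2": ("ABCXBCDD", "famA"),
    "s3": ("PQRSPQRS", "famB"),
}

def dynamic_similarity(seq_a, seq_b):
    """Similarity of two traffic summaries in [0, 1]; None when either is
    empty (a sample that produced no traffic in the sandbox)."""
    if not seq_a or not seq_b:
        return None
    return SequenceMatcher(None, seq_a, seq_b).ratio()

def fuse(dyn, stat, strategy):
    """Combine one dynamic and one static score (either may be None).
    Assumed semantics: 'dynamic'/'static' use the preferred score and fall
    back to the other only when it is missing; 'mean' averages what is present."""
    present = [s for s in (dyn, stat) if s is not None]
    if not present:
        return 0.0
    if strategy == "dynamic":
        return dyn if dyn is not None else stat
    if strategy == "static":
        return stat if stat is not None else dyn
    if strategy == "mean":
        return sum(present) / len(present)
    raise ValueError(f"unknown strategy {strategy!r}")

def classify(unknown_seq, static_scores, strategy):
    """Nearest-neighbour family label; static_scores maps labelled sample
    id -> fuzzy-hash similarity scaled to [0, 1] (or None if unavailable)."""
    best_id, best_score = None, -1.0
    for sid, (seq, _family) in LABELLED.items():
        score = fuse(dynamic_similarity(unknown_seq, seq),
                     static_scores.get(sid), strategy)
        if score > best_score:
            best_id, best_score = sid, score
    return LABELLED[best_id][1], best_score

# Constructed unknown: its traffic resembles famA, but its binary
# fuzzy-hashes closest to s3 (e.g. a repacked variant sharing code with famB).
UNKNOWN_SEQ = "ABCABCDX"
UNKNOWN_STATIC = {"s1": 0.20, "s2": 0.15, "s3": 0.85}
```

Running `classify(UNKNOWN_SEQ, UNKNOWN_STATIC, s)` for each strategy shows the disagreement the paper's evaluation is about: the dynamic and mean patterns label the sample famA, the static pattern labels it famB, and an unknown with no traffic at all falls back to the static score.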
1. Introduction
Recent cyber attacks often use variants that modify existing malware. Infection techniques have also become more sophisticated, using targeted email attacks or watering hole attacks, and efficient countermeasures are required on the assumption that malware has already intruded [1][2].
For malware analysis among these countermeasures, it is important to estimate the behavior of the malware, the purpose of the attack, and the damage caused by the malware's activity. However, obfuscation and encryption are commonly applied to malware programs, and current malware changes its activities depending on the environment of the infected PC (Personal Computer). Therefore, it is difficult to determine similarities and differences by comparing a malware program with existing ones. The number of malware types is increasing, and the effort of analyzing each one individually continues to increase as well. On the other hand, malware analysts are overwhelmingly insufficient in number, and manual analysis cannot cope with the current situation. To solve this problem, we have to prepare a system that classifies a large number of malware samples quickly and accurately. The analyst asks the system to examine malware carefully and report the malware which...