research-article

Scalable malware clustering through coarse-grained behavior modeling

Authors:

Mahinthan Chandramohan,

Hee Beng Kuan Tan,

Lwin Khin SharAuthors Info & Claims

FSE '12: Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering

Article No.: 27, Pages 1 - 4

https://doi.org/10.1145/2393596.2393627

Published: 11 November 2012 Publication History

Get Access

Abstract

Anti-malware vendors receive several thousand new malware (malicious software) variants per day. Due to large volume of malware samples, it has become extremely important to group them based on their malicious characteristics. Grouping of malware variants that exhibit similar behavior helps to generate malware signatures more efficiently. Unfortunately, exponential growth of new malware variants and huge-dimensional feature space, as used in existing approaches, make the clustering task very challenging and difficult to scale. Furthermore, malware behavior modeling techniques proposed in the literature do not scale well, where malware feature space grows in proportion with the number of samples under examination.

In this paper, we propose a scalable malware behavior modeling technique that models the interactions between malware and sensitive system resources in a coarse-grained manner. Coarse-grained behavior modeling enables us to generate malware feature space that does not grow in proportion with the number of samples under examination. A preliminary study shows that our approach generates 289 times less malware features and yet improves the average clustering accuracy by 6.20% comparing to a state-of-the-art malware clustering technique.

References

[1]

ANUBIS: http://anubis.seclab.tuwien.ac.at

Google Scholar

[2]

Threat Reportt-2010: http://www.symantec.com/threatreport/

Google Scholar

[3]

Virustotal tool: https://www.virustotal.com/

Google Scholar

[4]

A Look at One Day of Malware Samples: http://blogs.mcafee.com/mcafee-labs/a-look-at-one-day-of-malware-samples

Google Scholar

[5]

Bayer, U., Comparetti, P. M., Hlauschek, C., Kruegel, C and Kirda, E. Scalable, Behavior-based Malware Clustering. In Proceedings of the 16th NDSS, 2009.

Google Scholar

[6]

Rieck, K., Trinius, P., Willems, C and Holz, T. Automatic analysis of malware behavior using machine learning. TR, Berlin Institute of Technology. 2009.

Google Scholar

[7]

Bailey, M., Andersen, J., Mao, Z. M and Jahanian, F. Automated Classification and Analysis of Internet Malware. In Proceedings of RAID. 2007.

Digital Library

Google Scholar

[8]

Lee, T and Mody, J. J. Behavioral Classifcation. In Proceedings of EICAR, Hamburg, Germany. April 2006.

Google Scholar

[9]

You, I., Yim, K. Malware Obfuscation Techniques: A Brief Survey. Int. Conf. on Broadband, Wireless Computing, Communication and Applications pp. 297--300. 2010.

Digital Library

Google Scholar

[10]

Rijsbergen, V. C. J. Information Retrieval, 2nd edition. Dept. of Computer Science, University of Glasgow. 1979.

Digital Library

Google Scholar

Cited By

View all

G SFaloutsos M(2024)MalFusion: Simple String Manipulations Confuse Malware Detection2024 IFIP Networking Conference (IFIP Networking)10.23919/IFIPNetworking62109.2024.10619782(113-121)Online publication date: 3-Jun-2024
https://doi.org/10.23919/IFIPNetworking62109.2024.10619782
Wu XGuo WYan JCoskun BXing X(2023)From Grim Reality to Practical Solution: Malware Classification in Real-World Noise2023 IEEE Symposium on Security and Privacy (SP)10.1109/SP46215.2023.10179453(2602-2619)Online publication date: May-2023
https://doi.org/10.1109/SP46215.2023.10179453
Yan JJia XYing LYan JSu P(2022)Understanding and Mitigating Label Bias in Malware Classification: An Empirical Study2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS)10.1109/QRS57517.2022.00057(492-503)Online publication date: Dec-2022
https://doi.org/10.1109/QRS57517.2022.00057
Show More Cited By

Index Terms

Scalable malware clustering through coarse-grained behavior modeling
1. General and reference
  1. Cross-computing tools and techniques
    1. Metrics

Recommendations

Scalable fine-grained behavioral clustering of HTTP-based malware

A large number of today's botnets leverage the HTTP protocol to communicate with their botmasters or perpetrate malicious activities. In this paper, we present a new scalable system for network-level behavioral clustering of HTTP-based malware that aims ...
A scalable approach for malware detection through bounded feature space behavior modeling
ASE '13: Proceedings of the 28th IEEE/ACM International Conference on Automated Software Engineering

In recent years, malware (malicious software) has greatly evolved and has become very sophisticated. The evolution of malware makes it difficult to detect using traditional signature-based malware detectors. Thus, researchers have proposed various ...
A Spatio-Temporal malware and country clustering algorithm: 2012 IIJ MITF case study

A huge number of botnet malware variants can be downloaded by zombie personal computers as secondary injections and upgrades according to their botmasters to perform different distributed/coordinated cyber attacks such as phishing, spam e-mail, ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

FSE '12: Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering

November 2012

494 pages

ISBN:9781450316149

DOI:10.1145/2393596

General Chair:
Will Tracz
Lockheed Martin Fellow Emeritus
,
Program Chairs:
Martin Robillard
McGill University
,
Tevfik Bultan
University of California, Santa Barbara

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 11 November 2012

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

SIGSOFT/FSE'12

Sponsor:

SIGSOFT

SIGSOFT/FSE'12: 20th ACM SIGSOFT Symposium on the Foundations of Software Engineering

November 11 - 16, 2012

North Carolina, Cary

Acceptance Rates

Overall Acceptance Rate 17 of 128 submissions, 13%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

11
Total Citations
View Citations
367
Total Downloads

Downloads (Last 12 months)2
Downloads (Last 6 weeks)1

Reflects downloads up to 03 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

G SFaloutsos M(2024)MalFusion: Simple String Manipulations Confuse Malware Detection2024 IFIP Networking Conference (IFIP Networking)10.23919/IFIPNetworking62109.2024.10619782(113-121)Online publication date: 3-Jun-2024
https://doi.org/10.23919/IFIPNetworking62109.2024.10619782
Wu XGuo WYan JCoskun BXing X(2023)From Grim Reality to Practical Solution: Malware Classification in Real-World Noise2023 IEEE Symposium on Security and Privacy (SP)10.1109/SP46215.2023.10179453(2602-2619)Online publication date: May-2023
https://doi.org/10.1109/SP46215.2023.10179453
Yan JJia XYing LYan JSu P(2022)Understanding and Mitigating Label Bias in Malware Classification: An Empirical Study2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS)10.1109/QRS57517.2022.00057(492-503)Online publication date: Dec-2022
https://doi.org/10.1109/QRS57517.2022.00057
Zhu SShi JYang LQin BZhang ZSong LWang GCapkun SRoesner F(2020)Measuring and modeling the label dynamics of online anti-malware enginesProceedings of the 29th USENIX Conference on Security Symposium10.5555/3489212.3489345(2361-2378)Online publication date: 12-Aug-2020
https://dl.acm.org/doi/10.5555/3489212.3489345
Xiao FLin ZSun YMa Y(2019)Malware Detection Based on Deep Learning of Behavior GraphsMathematical Problems in Engineering10.1155/2019/81953952019:1Online publication date: 11-Feb-2019
https://doi.org/10.1155/2019/8195395
Shi DXu Q(2019)Malware Detection Using Logic Signature of Basic Block SequenceGreen, Pervasive, and Cloud Computing10.1007/978-3-030-15093-8_2(18-32)Online publication date: 15-Mar-2019
https://doi.org/10.1007/978-3-030-15093-8_2
Verma MKumarguru PBrata Deb SGupta A(2018)Analysing Indicator of Compromises for Ransomware: Leveraging IOCs with Machine Learning Techniques2018 IEEE International Conference on Intelligence and Security Informatics (ISI)10.1109/ISI.2018.8587409(154-159)Online publication date: Nov-2018
https://doi.org/10.1109/ISI.2018.8587409
Sisaat KKittitornkun SKikuchi HYukonhiatou CTerada MIshii H(2017)A Spatio-Temporal malware and country clustering algorithmInternational Journal of Information Security10.1007/s10207-016-0342-016:5(459-473)Online publication date: 1-Oct-2017
https://dl.acm.org/doi/10.1007/s10207-016-0342-0
Bounouh TBrahimi ZAl-Nemrat ABenzaid C(2017)A Scalable Malware Classification Based on Integrated Static and Dynamic FeaturesGlobal Security, Safety and Sustainability - The Security Challenges of the Connected World10.1007/978-3-319-51064-4_10(113-124)Online publication date: 4-Jan-2017
https://doi.org/10.1007/978-3-319-51064-4_10
Berlin KSlater DSaxe JRay IDimitrakakis CMitrokotsa ASinha AWang XRen K(2015)Malicious Behavior Detection using Windows Audit LogsProceedings of the 8th ACM Workshop on Artificial Intelligence and Security10.1145/2808769.2808773(35-44)Online publication date: 16-Oct-2015
https://dl.acm.org/doi/10.1145/2808769.2808773
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Scalable fine-grained behavioral clustering of HTTP-based malware

A scalable approach for malware detection through bounded feature space behavior modeling

A Spatio-Temporal malware and country clustering algorithm: 2012 IIJ MITF case study