Conference topic

Malware Variant Detection Using Similarity Search over Content Fingerprint

Detection of polymorphic malware variants plays an important role in improving information system security. Traditional static/dynamic analysis techniques have been shown to extract effective characteristics that represent polymorphic malware instances. While these approaches demonstrate promise, they are themselves subject to a growing array of countermeasures that increase the cost of capturing these malware code features. Further, feature extraction requires a time investment per sample that does not scale to the daily volume of malware reported by those who diligently collect it. In this paper, we propose a similarity search for malware using novel distance (similarity) metrics over a malware content fingerprint, based on locality-sensitive hashing (LSH) schemes. We describe a malware sample by the binary content it contains; the next step is to compute a feature fingerprint for the malware binary image sample using the SURF algorithm, and then to perform fast fingerprint matching with LSH against the malware code corpus to return the top most visually (structurally) similar variants. The LSH algorithm that captures malware similarity is based on image similarity. We implement the B2M (binary mapping to image) algorithm, the SURF algorithm and the LSH algorithm in a complete malware variant detection system. The evaluation shows that our approach is highly effective in terms of both response time and malware variant detection.

Keywords: Malware Variant Detection; Content Fingerprint; Locality-sensitive Hashing; Similarity Search

Ban Xiaofang, Chen Li, Hu Weihua, Wu Qu

China Information Technology Security Evaluation Center, Beijing 100085, China; Tsinghua University, Beijing 100084, China; Core Research Institute, Beijing Venustech Cybervision Co

International conference

The 26th Chinese Control and Decision Conference (2014 CCDC)

Changsha

English

5334-5339

2014-05-31 (date first posted on the Wanfang platform, not the paper's publication date)