Abstract
Dynamic analysis of malware allows us to examine malware samples, and then group those samples into families based on observed behavior. Using Boolean variables to represent the presence or absence of a range of malware behaviors, we create a bitstring that represents each malware sample behaviorally, and then group samples into the same class if they exhibit the same behavior. Combining class definitions with malware discovery dates, we can construct a timeline showing the emergence date of each class, in order to examine the prevalence, complexity, and longevity of each class. We find that certain behavior classes are more prevalent than others, following a frequency power law. Some classes have had lower longevity, indicating that their attack profile is no longer manifested by new variants of malware, while others, of greater longevity, continue to affect new computer systems. We verify for the first time commonly held intuitions on malware evolution, showing quantitatively from the archaeological record that over 80% of the time, classes of higher malware complexity emerged later than classes of lower complexity. In addition to providing historical perspective on malware evolution, the methods described in this paper may aid malware detection through classification, leading to new proactive methods to identify malicious software.
Highlights
When performing analysis on malicious software, or malware, it is important to be able to group similar mal-

How to cite this paper: Seideman, J.D., Khan, B. and Vargas, C. (2015) Quantifying Malware Evolution through Archaeology
Malware is sometimes considered to be similar to a biological organism (this is subject to debate [2] [3]), so this concept can be extended in an attempt to perform the same operation on malware samples.
Total Duration (Days): 6438, 3496, 4236, 3700, 3700, 3853, 3460, 3460, 3203, 3460, 3368, 3256, 3859, 3361, 2981, 3460, 3261, 3175, 3174, 3738

…vantage of this system is that, due to the limited number of possible classes, it is possible to create a look-up table of malware behavior; a new sample that is examined and exhibits behavior can immediately be grouped with samples that have similar behavior.
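The abstract describes the classification method (Boolean behavior variables, a per-sample bitstring, classes of identical bitstrings, emergence dates from discovery dates, longevity, and complexity ordering), and the highlight above points out that the bounded number of classes makes a behavior look-up table possible. The following Python block is an added illustration of both ideas; it is not the paper's code, and the behavior names, sample ids and discovery dates are constructed for the example.

```python
"""
Behavior-bitstring classification of malware samples: an added illustration
of the method described in the abstract, not the paper's own code. Behavior
names, sample ids and discovery dates below are constructed for the example.
"""
from collections import defaultdict
from datetime import date
from itertools import combinations

# Constructed list of dynamic-analysis observations. Each position in the
# bitstring is one Boolean variable (presence/absence of a behavior).
BEHAVIORS = [
    "modifies_autostart",
    "writes_executable_file",
    "opens_network_connection",
    "injects_into_process",
    "modifies_hosts_file",
]

# Constructed sample records: (sample id, discovery date, observed behaviors).
SAMPLES = [
    ("s01", date(2001, 3, 4), {"writes_executable_file"}),
    ("s02", date(2001, 9, 12), {"writes_executable_file"}),
    ("s03", date(2003, 1, 20), {"modifies_autostart", "writes_executable_file"}),
    ("s04", date(2004, 6, 2), {"writes_executable_file"}),
    ("s05", date(2005, 11, 30), {"modifies_autostart", "writes_executable_file",
                                 "opens_network_connection"}),
    ("s06", date(2008, 2, 14), {"modifies_autostart", "writes_executable_file"}),
    ("s07", date(2009, 7, 1), {"modifies_autostart", "writes_executable_file",
                               "opens_network_connection", "injects_into_process"}),
    ("s08", date(2010, 4, 9), {"modifies_autostart", "writes_executable_file",
                               "opens_network_connection"}),
    ("s09", date(2011, 8, 23), {"writes_executable_file"}),
    ("s10", date(2002, 5, 5), {"modifies_hosts_file", "writes_executable_file",
                               "opens_network_connection"}),
]


def to_bitstring(observed):
    """Encode a set of observed behaviors as a fixed-order bitstring ('1' = present)."""
    return "".join("1" if b in observed else "0" for b in BEHAVIORS)


def complexity(bitstring):
    """Complexity of a class: the number of distinct behaviors it exhibits."""
    return bitstring.count("1")


def build_classes(samples):
    """Group samples with identical bitstrings into one behavior class.

    Returns a dict mapping bitstring -> members, emergence date (earliest
    discovery date in the class), last-seen date, longevity in days, complexity.
    """
    members = defaultdict(list)
    for sample_id, discovered, observed in samples:
        members[to_bitstring(observed)].append((discovered, sample_id))
    classes = {}
    for bits, seen in members.items():
        dates = sorted(d for d, _ in seen)
        classes[bits] = {
            "members": sorted(s for _, s in seen),
            "emerged": dates[0],
            "last_seen": dates[-1],
            "longevity_days": (dates[-1] - dates[0]).days,
            "complexity": complexity(bits),
        }
    return classes


def prevalence_ranking(classes):
    """Classes ordered by member count, most prevalent first (ties by bitstring)."""
    return sorted(classes, key=lambda b: (-len(classes[b]["members"]), b))


def later_emergence_fraction(classes):
    """Fraction of class pairs of differing complexity in which the more
    complex class emerged later than the less complex one."""
    pairs = [(a, b) for a, b in combinations(classes, 2)
             if classes[a]["complexity"] != classes[b]["complexity"]]
    if not pairs:
        return 0.0
    hits = 0
    for a, b in pairs:
        lo, hi = sorted((a, b), key=lambda x: classes[x]["complexity"])
        if classes[hi]["emerged"] > classes[lo]["emerged"]:
            hits += 1
    return hits / len(pairs)


def lookup(classes, observed):
    """Look-up-table use: map a newly analysed sample's behaviors to an
    existing class, or None if that bitstring has not been seen before."""
    bits = to_bitstring(observed)
    return bits if bits in classes else None


if __name__ == "__main__":
    classes = build_classes(SAMPLES)
    for bits in prevalence_ranking(classes):
        c = classes[bits]
        print(bits, len(c["members"]), c["emerged"], c["longevity_days"], c["complexity"])
    print("higher complexity emerged later in fraction:", later_emergence_fraction(classes))
    print("new sample maps to class:", lookup(classes, {"writes_executable_file"}))
```

With the constructed data the one-behavior class is the most prevalent and longest-lived, and the pairwise check shows how a single early, relatively complex class (s10) pulls the "higher complexity emerged later" fraction below 1; the paper reports over 80% on its real corpus, which is the quantity this function estimates.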
Summary
An example of static analysis would be the byte-sequence signature-based detection method used in many anti-virus software packages [8, Ch. 11]. Dynamic analysis techniques can be more time-consuming and can be weakened by malware samples that detect that they are running in a virtualized environment [10], but they generally provide a more detailed analysis. There are several tools that could be used for dynamic analysis, such as the Norman Sandbox [11], which allows for safe execution of samples in a restricted environment. We chose Norman Sandbox due to its ability to run within Windows or GNU/Linux based systems and to provide human-readable reports.