Malware Similarity Analysis using API Sequence Alignments

In Kyeom Cho1, TaeGuen Kim1, Yu Jin Shim1, Haeryong Park2, Bomin Choi2, and Eul Gyu Im1+

1Hanyang University, Seoul, Korea
{dlsrua1004, cloudio17, luvtdw, imeg}@hanyang.ac.kr

2Korea Internet & Security Agency, Seoul, Korea
{hrpark, bmchoi}@kisa.or.kr

Abstract

Malware variants could be defined as malware that have similar malicious behavior. In this paper, a sequence alignment method, a method widely used in bioinformatics, was used to detect malware variants. This method can find the common parts of malware's API call sequences, and these common API call sequences can be used to detect similar behaviors of malware variants. However, when a sequence alignment method is applied to compare the API call sequences, the performance depends on the lengths of the API call sequences, and if the lengths are too long, the performance would be very poor. Therefore, in this paper, we devised a malware similarity calculation system to detect malware variants and suggested an improved process which can reduce sequence alignment overheads. Finally, our proposed system was tested with two given malware families, and it can be used to verify whether the given malware variants have similar behaviors. Experimental results show that our method can be leveraged in a malware detection system.

Keywords: malware analysis, dynamic analysis, API sequence, sequence alignment

+: Corresponding author: Eul Gyu Im, Hanyang Univ., Haengdang 1-dong, Seongdong-gu, Seoul, Korea, Tel: +82-(0)2-2221-2381

Journal of Internet Services and Information Security (JISIS), 4(4): 103-114, November 2014
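The alignment step the abstract describes, shown as an added example that is not code from the paper: a Needleman-Wunsch global alignment run over API call names (one token per API call rather than per character), which returns the aligned pair and a similarity ratio. The sample call sequences are constructed, and the scoring constants, the function names and the similarity ratio are my assumptions, not the paper's parameters. The dynamic-programming table has len(a) * len(b) cells, which is the length dependence the abstract warns about.

```python
from typing import List, Tuple

# Assumed scoring scheme (not the paper's): reward identical API calls,
# penalise a substitution slightly, penalise a gap the same amount.
MATCH, MISMATCH, GAP = 1, -1, -1
GAP_TOKEN = "-"  # marker used in the aligned output; real API names never equal this


def align(a: List[str], b: List[str]) -> Tuple[int, List[str], List[str]]:
    """Global (Needleman-Wunsch) alignment of two API call sequences.

    Returns (score, aligned_a, aligned_b); the aligned lists have equal
    length and contain GAP_TOKEN where one sequence has no counterpart.
    Cost is O(len(a) * len(b)) in time and memory.
    """
    n, m = len(a), len(b)
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * GAP  # leading gaps in b
    for j in range(1, m + 1):
        score[0][j] = j * GAP  # leading gaps in a
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            score[i][j] = max(
                score[i - 1][j - 1] + sub,  # pair a[i-1] with b[j-1]
                score[i - 1][j] + GAP,      # a[i-1] against a gap
                score[i][j - 1] + GAP,      # b[j-1] against a gap
            )

    # Trace back from the bottom-right cell to recover one optimal alignment.
    i, j = n, m
    aligned_a: List[str] = []
    aligned_b: List[str] = []
    while i > 0 or j > 0:
        if i > 0 and j > 0:
            sub = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            if score[i][j] == score[i - 1][j - 1] + sub:
                aligned_a.append(a[i - 1])
                aligned_b.append(b[j - 1])
                i, j = i - 1, j - 1
                continue
        if i > 0 and score[i][j] == score[i - 1][j] + GAP:
            aligned_a.append(a[i - 1])
            aligned_b.append(GAP_TOKEN)
            i -= 1
        else:
            aligned_a.append(GAP_TOKEN)
            aligned_b.append(b[j - 1])
            j -= 1
    aligned_a.reverse()
    aligned_b.reverse()
    return score[n][m], aligned_a, aligned_b


def similarity(a: List[str], b: List[str]) -> float:
    """Fraction of the longer sequence covered by identical aligned calls.

    This ratio is an assumption made for the example; the paper's own
    similarity measure is not reproduced here.
    """
    _, aligned_a, aligned_b = align(a, b)
    matches = sum(1 for x, y in zip(aligned_a, aligned_b) if x == y and x != GAP_TOKEN)
    longest = max(len(a), len(b))
    return matches / longest if longest else 1.0


# Constructed sample traces (not from the paper's dataset).
SAMPLE_A = ["CreateFileW", "WriteFile", "CloseHandle", "RegSetValueExW"]
SAMPLE_B = ["CreateFileW", "WriteFile", "RegSetValueExW"]
SAMPLE_C = ["GetProcAddress", "LoadLibraryA", "Sleep"]


if __name__ == "__main__":
    for other in (SAMPLE_B, SAMPLE_C):
        s, aa, ab = align(SAMPLE_A, other)
        print(f"score={s} similarity={similarity(SAMPLE_A, other):.2f}")
        print("  A:", " ".join(aa))
        print("  B:", " ".join(ab))
```

Running the block aligns the first sample against a near-variant (one call dropped) and against an unrelated trace; the variant keeps every shared call in order with a single gap, while the unrelated trace yields no identical aligned calls. Sequences captured from a sandbox are typically thousands of calls long, so the n*m table is what the paper's reduced-overhead process targets.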