Malware Similarity Analysis using API Sequence Alignments

In Kyeom Cho¹, TaeGuen Kim¹, Yu Jin Shim¹, Haeryong Park², Bomin Choi², and Eul Gyu Im¹⁺
 

¹Hanyang University, Seoul, Korea

{dlsrua1004, cloudio17, luvtdw, imeg}@hanyang.ac.kr

²Korea Internet & Security Agency, Seoul, Korea

{hrpark, bmchoi}@kisa.or.kr 



Abstract

Malware variants can be defined as malware samples that share similar malicious behavior. In this paper, a sequence alignment method, a technique widely used in bioinformatics, is used to detect malware variants. The method finds the common parts of the API call sequences of malware samples, and these common API call subsequences can be used to detect the similar behaviors of malware variants. However, when sequence alignment is applied to compare API call sequences, the time needed for the alignment depends on the lengths of the API call sequences, and if the sequences are very long, performance becomes very poor. Therefore, in this paper we devised a malware similarity calculation system to detect malware variants and proposed an improved process that reduces the overhead of sequence alignment. Finally, the proposed system was tested with two given malware families, and it can be used to verify whether given malware variants have similar behaviors. Experimental results show that our method can be leveraged in a malware detection system.
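The following is an added example, not code from the paper, showing the kind of pairwise alignment the abstract refers to: a Needleman-Wunsch global alignment (for a whole-sequence similarity score) and a Smith-Waterman local alignment (for extracting the common API call subsequence) over API call sequences. The API call sequences, the match/mismatch/gap scores and the similarity normalization are all constructed assumptions for illustration; the paper's own overhead-reduction process is not reproduced here.

```python
"""Added example (not the paper's code): aligning Windows API call sequences.

The sequences SEQ_A, SEQ_B, SEQ_C are constructed for illustration, and the
scoring parameters below are assumptions, not values taken from the paper.
"""
from typing import List, Tuple

MATCH = 2       # assumed reward for aligning identical API names
MISMATCH = -1   # assumed penalty for aligning different API names
GAP = -1        # assumed penalty for inserting a gap ('-')

# Constructed traces: A and B share a file-write and a registry-persistence
# block (B has an extra Sleep and a different process-launch call); C is unrelated.
SEQ_A = ["CreateFileW", "WriteFile", "CloseHandle", "RegOpenKeyExW",
         "RegSetValueExW", "RegCloseKey", "CreateProcessW"]
SEQ_B = ["CreateFileW", "WriteFile", "CloseHandle", "Sleep", "RegOpenKeyExW",
         "RegSetValueExW", "RegCloseKey", "WinExec"]
SEQ_C = ["GetProcAddress", "LoadLibraryA", "VirtualAlloc", "Sleep"]


def _pair(x: str, y: str) -> int:
    return MATCH if x == y else MISMATCH


def _traceback(score, a, b, i, j, stop_at_zero):
    """Walk the DP table back from (i, j); returns the two aligned rows."""
    out_a, out_b = [], []
    while (i > 0 or j > 0) and not (stop_at_zero and score[i][j] == 0):
        if i > 0 and j > 0 and score[i][j] == score[i - 1][j - 1] + _pair(a[i - 1], b[j - 1]):
            out_a.append(a[i - 1]); out_b.append(b[j - 1]); i -= 1; j -= 1
        elif i > 0 and score[i][j] == score[i - 1][j] + GAP:
            out_a.append(a[i - 1]); out_b.append("-"); i -= 1
        else:
            out_a.append("-"); out_b.append(b[j - 1]); j -= 1
    out_a.reverse(); out_b.reverse()
    return out_a, out_b


def global_align(a: List[str], b: List[str]) -> Tuple[int, List[str], List[str]]:
    """Needleman-Wunsch: best score aligning all of a against all of b.

    The table has (len(a)+1) * (len(b)+1) cells, so the cost grows with the
    product of the two sequence lengths, which is the overhead the abstract
    refers to for long API traces."""
    n, m = len(a), len(b)
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * GAP            # leading gaps in b
    for j in range(1, m + 1):
        score[0][j] = j * GAP            # leading gaps in a
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            score[i][j] = max(score[i - 1][j - 1] + _pair(a[i - 1], b[j - 1]),
                              score[i - 1][j] + GAP,
                              score[i][j - 1] + GAP)
    row_a, row_b = _traceback(score, a, b, n, m, stop_at_zero=False)
    return score[n][m], row_a, row_b


def local_align(a: List[str], b: List[str]) -> Tuple[int, List[str], List[str]]:
    """Smith-Waterman: highest-scoring common segment (the shared behavior)."""
    n, m = len(a), len(b)
    score = [[0] * (m + 1) for _ in range(n + 1)]
    best, best_pos = 0, (0, 0)
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            s = max(0,                       # a local alignment may restart anywhere
                    score[i - 1][j - 1] + _pair(a[i - 1], b[j - 1]),
                    score[i - 1][j] + GAP,
                    score[i][j - 1] + GAP)
            score[i][j] = s
            if s > best:
                best, best_pos = s, (i, j)
    seg_a, seg_b = _traceback(score, a, b, best_pos[0], best_pos[1], stop_at_zero=True)
    return best, seg_a, seg_b


def similarity(a: List[str], b: List[str]) -> float:
    """Fraction of positions that align to the same API name (assumed metric)."""
    _, row_a, row_b = global_align(a, b)
    matched = sum(1 for x, y in zip(row_a, row_b) if x == y and x != "-")
    return matched / max(len(a), len(b), 1)


if __name__ == "__main__":
    s, ra, rb = global_align(SEQ_A, SEQ_B)
    print("global score", s, "similarity", similarity(SEQ_A, SEQ_B))
    print(" ".join(ra)); print(" ".join(rb))
    s, sa, sb = local_align(SEQ_A, SEQ_B)
    print("common segment (score %d):" % s, " ".join(x for x in sa if x != "-"))
    print("A vs C similarity", similarity(SEQ_A, SEQ_C))
```

With these constructed traces, A and B align with one gap (the extra Sleep) and one mismatch at the end, giving six matched calls out of eight positions, while A and C share no API names at all. The local alignment isolates the shared file-write plus registry block, which is the kind of common behavior the abstract proposes to use as a variant signature. The DP table grows with the product of the two lengths, so traces of tens of thousands of calls make the naive comparison expensive, which is why a reduction step before alignment matters.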

Keywords: malware analysis, dynamic analysis, API sequence, sequence alignment

 

+ Corresponding author: Eul Gyu Im, Department of Computer Engineering, Hanyang University, 720, IT/BT Building, Hanyang Univ., Haengdang 1-dong, Seongdong-gu, Seoul, Korea. Tel: +82-(0)2-2221-2381, Web: http://usecurity.hanyang.ac.kr

 

Journal of Internet Services and Information Security (JISIS), 4(4): 103-114, November 2014