Journal in Computer Virology, Volume 4, Issue 4, pp 279–287

Malware behaviour analysis

Original Paper

DOI: 10.1007/s11416-007-0074-9

Cite this article as:
Wagener, G., State, R. & Dulaunoy, A. J Comput Virol (2008) 4: 279. doi:10.1007/s11416-007-0074-9

Abstract

Several malware analysis techniques assume that the disassembled code of a piece of malware is available, which is not always possible. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed, which allows malware behaviours to be classified. The main features of our approach reside in coupling a sequence alignment method, used to compute similarities, with the Hellinger distance, used to compute the associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and the evolution of malware. This is relevant when dealing with obfuscated malware variants, which often have similar behaviour. The phylogenetic trees were assessed against known antivirus results, and only a few malware behaviours were wrongly classified.
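The two measures named in the abstract, illustrated on constructed system-call traces (an added example, not code from the paper; the alignment scoring parameters and the use of call-name frequency distributions for the Hellinger distance are assumptions, since the abstract does not state the authors' exact definitions):

```python
from collections import Counter
from math import sqrt

# Constructed sample traces: each is the ordered list of system function
# calls observed for one sample in a sandboxed run (hypothetical data).
TRACE_A = ["CreateFileW", "WriteFile", "RegSetValueExW", "CreateProcessW", "CloseHandle"]
TRACE_B = ["CreateFileW", "WriteFile", "RegSetValueExW", "CloseHandle"]   # A without process spawn
TRACE_C = ["socket", "connect", "send", "recv", "closesocket"]            # unrelated network behaviour


def align_similarity(a, b, match=1, mismatch=-1, gap=-1):
    """Global sequence alignment (Needleman-Wunsch) of two call traces.

    Returns the optimal alignment score normalised by the longer trace, so
    identical traces score 1.0 and wholly dissimilar ones approach -1.0.
    Scoring parameters are assumed, not taken from the paper.
    """
    n, m = len(a), len(b)
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * gap
    for j in range(1, m + 1):
        score[0][j] = j * gap
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            diag = score[i - 1][j - 1] + (match if a[i - 1] == b[j - 1] else mismatch)
            score[i][j] = max(diag, score[i - 1][j] + gap, score[i][j - 1] + gap)
    return score[n][m] / max(n, m)


def call_distribution(trace):
    """Relative frequency of each system call name in a trace."""
    counts = Counter(trace)
    total = sum(counts.values())
    return {name: c / total for name, c in counts.items()}


def hellinger(p, q):
    """Hellinger distance between two discrete distributions, in [0, 1]."""
    names = set(p) | set(q)
    return sqrt(sum((sqrt(p.get(k, 0.0)) - sqrt(q.get(k, 0.0))) ** 2 for k in names)) / sqrt(2)


def nearest_behaviour(query, references):
    """Label of the reference trace whose call distribution is closest to the query."""
    q = call_distribution(query)
    return min(references, key=lambda label: hellinger(q, call_distribution(references[label])))
```

With these traces B aligns well with A (score 0.6) and sits at Hellinger distance about 0.32 from it, while A and C share no calls and reach the maximum distance of 1.0.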

Copyright information

© Springer-Verlag France 2007

Authors and Affiliations

  • Gérard Wagener (1)
  • Radu State (2)
  • Alexandre Dulaunoy (3)
  1. LORIA-INRIA, Vandoeuvre, France
  2. INRIA, Le Chesnay Cedex, France
  3. CSRRT-LU, Luxembourg, Luxembourg