Identifying Shared Software Components to Support Malware Forensics

  • Brian Ruttenberg
  • Craig Miles
  • Lee Kellogg
  • Vivek Notani
  • Michael Howard
  • Charles LeDoux
  • Arun Lakhotia
  • Avi Pfeffer
Conference paper

DOI: 10.1007/978-3-319-08509-8_2

Part of the Lecture Notes in Computer Science book series (LNCS, volume 8550)
Cite this paper as:
Ruttenberg B. et al. (2014) Identifying Shared Software Components to Support Malware Forensics. In: Dietrich S. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2014. Lecture Notes in Computer Science, vol 8550. Springer, Cham

Abstract

Recent reports from the anti-malware industry indicate that similarity between malware code resulting from code reuse can aid in developing a profile of the attackers. We describe a method for identifying shared components in a large corpus of malware, where a component is a collection of code, such as a set of procedures, that implements a unit of functionality. We develop a general architecture for identifying shared components in a corpus using a two-stage clustering technique. While our method is parametrized on any features extracted from a binary, our implementation uses features abstracting the semantics of blocks of instructions. Our system has been found to identify shared components with extremely high accuracy in a rigorous, controlled experiment conducted independently by MITLL. Our technique provides an automated method to find functional relationships between malware code that may be used to establish evolutionary relationships and aid in forensics.


Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Brian Ruttenberg (1)
  • Craig Miles (2)
  • Lee Kellogg (1)
  • Vivek Notani (2)
  • Michael Howard (1)
  • Charles LeDoux (2)
  • Arun Lakhotia (2)
  • Avi Pfeffer (1)

  1. Charles River Analytics, Cambridge, USA
  2. Software Research Lab, University of Louisiana at Lafayette, Lafayette, USA
