  • DocumentCode
    3006679
  • Title
    An efficient common substrings algorithm for on-the-fly behavior-based malware detection and analysis
  • Author
    Acosta, J.C. ; Mendoza, H. ; Medina, B.G.
  • Author_Institution
    White Sands Missile Range, U.S. Army Res. Lab., White Sands, NM, USA
  • fYear
    2012
  • fDate
    Oct. 29 2012-Nov. 1 2012
  • Firstpage
    1
  • Lastpage
    6
  • Abstract
    It is well known that malware (worms, botnets, etc.) thrive on communication systems. The process of detecting and analyzing malware is very latent and not well-suited for real-time application, which is critical especially for propagating malware. For this reason, recent methods identify similarities among malware dynamic trace logs to extract malicious behavior snippets. These snippets can then be tagged by a human analyst and be used to identify malware on-the-fly. A major problem with these methods is that they require extensive processing resources. This is especially due to the large amount of malware released each year (upwards of 17 million new instances in 2011). In this paper, we present an efficient algorithm for identifying common substrings in dynamic trace events of malware collections. The algorithm finds common substrings between malware pairs in theoretical linear time by using parallel processing. The algorithm is implemented in CUDA and results show a performance increase of up to 8 times compared to previous implementations.
  • Keywords
    invasive software; military communication; telecommunication security; common substrings algorithm; communication systems; dynamic trace events; human analyst; malicious behavior snippets; malware collections; malware dynamic trace logs; malware pairs; on-the-fly behavior-based malware detection; parallel processing; processing resources; Algorithm design and analysis; Graphics processing units; Heuristic algorithms; Instruction sets; Java; Malware; Runtime;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    MILITARY COMMUNICATIONS CONFERENCE, 2012 - MILCOM 2012
  • Conference_Location
    Orlando, FL
  • ISSN
    2155-7578
  • Print_ISBN
    978-1-4673-1729-0
  • Type
    conf
  • DOI
    10.1109/MILCOM.2012.6415819
  • Filename
    6415819