A Malware Classification Method Based on Similarity of Function Structure

Malicious software (Malware) in form of Internet worms, computer viruses, and trojan horses poses a major threat to the security of network systems. Identification of malware variants provides great benefit in early detection. Taking into account that variants of malware families share similar functions reflecting its origin and purpose, we propose a method focusing on the features of functions that a malware program consists of. In our method, the feature database is created based on the analysis of known malware programs, and functions in unknown programs are compared to the content of the database to determine the program belong to what family. To decrease the cost of the calculation of similarity, we use a filtering algorithm based on one-class SVM to filter out functions which have small influence in determining the family. We evaluated the approach using 32 categorized malware samples and 113 malware samples to be classified. In the experiment, it is shown that our approach effectively reduce the time for calculation while the accuracy is not deteriorated too much.