Title :
Exploiting diverse observation perspectives to get insights on the malware landscape
Author :
Leita, Corrado ; Bayer, Ulrich ; Kirda, Engin
Author_Institution :
Symantec Res. Labs., Sophia Antipolis, France
Date :
June 28 2010-July 1 2010
Abstract :
We are witnessing an increasing complexity in the malware analysis scenario. The usage of polymorphic techniques generates a new challenge: it is often difficult to discern the instance of a known polymorphic malware from that of a newly encountered malware family, and to evaluate the impact of patching and code sharing among malware writers in order to prioritize analysis efforts. This paper offers an empirical study on the value of exploiting the complementarity of different information sources in studying malware relationships. By leveraging real-world data generated by a distributed honeypot deployment, we combine clustering techniques based on static and behavioral characteristics of the samples, and we show how this combination helps in detecting clustering anomalies. We also show how the different characteristics of the approaches can help, once combined, to underline relationships among different code variants. Finally, we highlight the importance of contextual information on malware propagation for getting a deeper understanding of the evolution and the “economy” of the different threats.
Keywords :
invasive software; pattern clustering; clustering anomaly detection; clustering techniques; code sharing impact; distributed honeypot deployment; malware analysis scenario; malware landscape; malware propagation; malware relationships; patching impact; polymorphic techniques; Character generation; Computer crime; Computer worms; Control systems; Engines; Explosions; Internet; Marine vehicles; Protocols; Security
Conference_Titel :
Dependable Systems and Networks (DSN), 2010 IEEE/IFIP International Conference on
Conference_Location :
Chicago, IL
Print_ISBN :
978-1-4244-7500-1
Electronic_ISBN :
978-1-4244-7499-8
DOI :
10.1109/DSN.2010.5544291