Title :
Analysis of Malware Behaviour: Using Data Mining Clustering Techniques to Support Forensics Investigation
Author :
Edem, Edem Inang ; Benzaid, Chafika ; Al-Nemrat, Ameer ; Watters, Paul
Author_Institution :
ACE Sch., Univ. of East London, London, UK
Abstract :
The proliferation of malware in recent times has accounted for the increase in computer crimes and prompted more aggressive research into improved investigative strategies to keep up with the menace. Keeping pace, through recently developed and adopted techniques and tools, in an arms race with malware authors who have resorted to evasive techniques to avoid analysis during investigation is an on-going concern. Exploring dynamic analysis is unarguably a positive step towards supporting static evidence with malware dynamic behaviour logs. However, analysing the huge reports this generates raises concerns about speed, accuracy and performance. This research proposes an Automated Malware Investigative Framework Model, a component-based approach designed to support investigation by integrating both malware analysis and data mining clustering techniques as part of an effort to solve the problem of overly generated reports, grouping analysed suspicious samples that exhibit similar behavioural features to make investigation easier and more intuitive. The focus of this paper, however, is on implementing the sub-components of the framework that directly deal with the problem at hand.
Keywords :
computer crime; data mining; digital forensics; object-oriented programming; pattern clustering; program diagnostics; automated malware investigative framework model; behavioural features; component based approach; computer crimes; data mining clustering techniques; dynamic analysis; malware behaviour analysis; malware dynamic behaviour logs; malware proliferation; static evidence; Clustering algorithms; Data mining; Feature extraction; Libraries; Malware; Monitoring; XML; Clustering techniques; Data mining; Digital forensics; Malware behaviour;
Conference_Title :
Cybercrime and Trustworthy Computing Conference (CTC), 2014 Fifth
Print_ISBN :
978-1-4799-8824-2
DOI :
10.1109/CTC.2014.10