The Effects of Different Representations on Malware Motif Identification

Sequence alignment is widely used in bioinformatics for revealing the genetic diversity of organisms and annotating gene functions by finding regions of similarity across biosequences. Such alignment requires sequences to be represented in the DNA or protein alphabet for tools such as Clustal to work. Previous work has demonstrated the feasibility of applying biosequence multiple alignment techniques to computer viral and worm signatures to find regions of similarity that can serve as malware `motifs´, or meta-signatures. However, it was not known how different ways of representing signatures in an appropriate biosequence alphabet would affect the alignment results. This paper investigates the effects of adopting three different ways of representing malware signatures on sequence alignment and motif identification. The results of the alignment were checked with perceptrons, decision tree and logistic regression. The best performing representation was used to derive rules in PRISM that give rise to `motifs´ that can perform the role of `metasignatures´. All analysis was undertaken on the publicly available data mining tool, Weka (Waikato Environment for Knowledge Analysis: http://www.cs.waikato.ac.nz/ml/weka/).