A Lightweight Design of Malware Behavior Representation

To encode the malware behavior reports to accessible forms for further automatic analysis methods like data mining and machine, we proposed a lightweight design of malware behavior representation named BBIS (Bytes-Based Instruction Set), which can utilize least single-byte characters to represent the items in dynamic behavior reports. BBIS is able to build flexible mapping table for different application scenarios. Experiments show that BBIS can significantly reduce the computation and storage cost while keeping the performance of clustering compared with existed methods. Moreover, a method called CHRL (Compression of High Repetitions in Logarithmic level) is introduced to compress frequently seen repetitions in unexpected API calls sequences. In combination with BBIS, CHRL can further reduce the size of behavior reports to significantly and consequently reduce the computation time while keeping or improving the performance of further malware analysis like clustering.