Title :
Scalable malware forensics using phylogenetic analysis
Author_Institution :
Raytheon BBN Technol., Cambridge, MA, USA
Abstract :
Malware forensics analysts confront one of our biggest homeland security challenges: a continuing flood of new malware variants released by adaptable adversaries seeking new targets in cyberspace, exploiting new technologies, and bypassing existing security mechanisms. Reverse engineering new samples, understanding their capabilities, and ascertaining provenance is time-intensive and requires considerable human expertise. We present DECODE, a prototype malware forensics analysis system developed under DARPA's Cyber Genome program. DECODE increases the actionable forensics derivable from large repositories of collected malware by quickly identifying a new malware sample as a variant of other malware samples, without relying on pre-existing anti-virus signatures. DECODE also accelerates reverse engineering efforts by quickly identifying parts of the malware that have already been seen in other samples and characterizing the new and different capabilities. DECODE can also reconstruct the evolution of malware variants over time. DECODE applies phylogenetic analysis to provide these advantages. Phylogenetic analysis is the study of similarities and differences in program structure to find relationships within groups of software programs, providing insights about new malware variants not available from signature-based malware detection.
Keywords :
digital forensics; invasive software; reverse engineering; statistical analysis; DECODE; malware forensics; phylogenetic analysis; program structure; Acceleration; Irrigation; Phylogeny; Pipelines;
Conference_Titel :
Technologies for Homeland Security (HST), 2015 IEEE International Symposium on
Conference_Location :
Waltham, MA
Print_ISBN :
978-1-4799-1736-5
DOI :
10.1109/THS.2015.7225311