Mining malware to detect variants

Ahmad Azab; Robert Layton; Mamoun Alazab; Jonathan Oliver

doi:10.1109/CTC.2014.11

Mining malware to detect variants

Ahmad Azab, Robert Layton, Mamoun Alazab, Jonathan Oliver

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

53 Citations (Scopus)

Abstract

Cybercrime continues to be a growing challenge and malware is one of the most serious security threats on the Internet today which have been in existence from the very early days. Cyber criminals continue to develop and advance their malicious attacks. Unfortunately, existing techniques for detecting malware and analysing code samples are insufficient and have significant limitations. For example, most of malware detection studies focused only on detection and neglected the variants of the code. Investigating malware variants allows antivirus products and governments to more easily detect these new attacks, attribution, predict such or similar attacks in the future, and further analysis. The focus of this paper is performing similarity measures between different malware binaries for the same variant utilizing data mining concepts in conjunction with hashing algorithms. In this paper, we investigate and evaluate using the Trend Locality Sensitive Hashing (TLSH) algorithm to group binaries that belong to the same variant together, utilizing the k-NN algorithm. Two Zeus variants were tested, TSPY-ZBOT and MAL-ZBOT to address the effectiveness of the proposed approach. We compare TLSH to related hashing methods (SSDEEP, SDHASH and NILSIMSA) that are currently used for this purpose. Experimental evaluation demonstrates that our method can effectively detect variants of malware and resilient to common obfuscations used by cyber criminals. Our results show that TLSH and SDHASH provide the highest accuracy results in scoring an F-measure of 0.989 and 0.999 respectively.

Original language	English
Title of host publication	Proceedings - 5th Cybercrime and Trustworthy Computing Conference, CTC 2014
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	44-53
Number of pages	10
ISBN (Electronic)	9781479988259
DOIs	https://doi.org/10.1109/CTC.2014.11
Publication status	Published - 15 Apr 2015
Externally published	Yes
Event	5th Cybercrime and Trustworthy Computing Conference, CTC 2014 - Aukland, New Zealand Duration: 24 Nov 2014 → 25 Nov 2014

Publication series

Name	Proceedings - 5th Cybercrime and Trustworthy Computing Conference, CTC 2014

Conference

Conference	5th Cybercrime and Trustworthy Computing Conference, CTC 2014
Country/Territory	New Zealand
City	Aukland
Period	24/11/14 → 25/11/14

Access to Document

10.1109/CTC.2014.11

Cite this

@inproceedings{ea9d4944cf1b4cb0a804227ac985a375,

title = "Mining malware to detect variants",

abstract = "Cybercrime continues to be a growing challenge and malware is one of the most serious security threats on the Internet today which have been in existence from the very early days. Cyber criminals continue to develop and advance their malicious attacks. Unfortunately, existing techniques for detecting malware and analysing code samples are insufficient and have significant limitations. For example, most of malware detection studies focused only on detection and neglected the variants of the code. Investigating malware variants allows antivirus products and governments to more easily detect these new attacks, attribution, predict such or similar attacks in the future, and further analysis. The focus of this paper is performing similarity measures between different malware binaries for the same variant utilizing data mining concepts in conjunction with hashing algorithms. In this paper, we investigate and evaluate using the Trend Locality Sensitive Hashing (TLSH) algorithm to group binaries that belong to the same variant together, utilizing the k-NN algorithm. Two Zeus variants were tested, TSPY-ZBOT and MAL-ZBOT to address the effectiveness of the proposed approach. We compare TLSH to related hashing methods (SSDEEP, SDHASH and NILSIMSA) that are currently used for this purpose. Experimental evaluation demonstrates that our method can effectively detect variants of malware and resilient to common obfuscations used by cyber criminals. Our results show that TLSH and SDHASH provide the highest accuracy results in scoring an F-measure of 0.989 and 0.999 respectively.",

keywords = "Cyber Security, Cybercrime, Hacking, Malware, Profiling, similarity",

author = "Ahmad Azab and Robert Layton and Mamoun Alazab and Jonathan Oliver",

note = "Publisher Copyright: {\textcopyright} 2014 IEEE.; 5th Cybercrime and Trustworthy Computing Conference, CTC 2014 ; Conference date: 24-11-2014 Through 25-11-2014",

year = "2015",

month = apr,

day = "15",

doi = "10.1109/CTC.2014.11",

language = "English",

series = "Proceedings - 5th Cybercrime and Trustworthy Computing Conference, CTC 2014",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "44--53",

booktitle = "Proceedings - 5th Cybercrime and Trustworthy Computing Conference, CTC 2014",

address = "United States",

}

Azab, A, Layton, R, Alazab, M & Oliver, J 2015, Mining malware to detect variants. in Proceedings - 5th Cybercrime and Trustworthy Computing Conference, CTC 2014., 7087327, Proceedings - 5th Cybercrime and Trustworthy Computing Conference, CTC 2014, Institute of Electrical and Electronics Engineers Inc., pp. 44-53, 5th Cybercrime and Trustworthy Computing Conference, CTC 2014, Aukland, New Zealand, 24/11/14. https://doi.org/10.1109/CTC.2014.11

Mining malware to detect variants. / Azab, Ahmad; Layton, Robert; Alazab, Mamoun et al.
Proceedings - 5th Cybercrime and Trustworthy Computing Conference, CTC 2014. Institute of Electrical and Electronics Engineers Inc., 2015. p. 44-53 7087327 (Proceedings - 5th Cybercrime and Trustworthy Computing Conference, CTC 2014).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Mining malware to detect variants

AU - Azab, Ahmad

AU - Layton, Robert

AU - Alazab, Mamoun

AU - Oliver, Jonathan

PY - 2015/4/15

Y1 - 2015/4/15

N2 - Cybercrime continues to be a growing challenge and malware is one of the most serious security threats on the Internet today which have been in existence from the very early days. Cyber criminals continue to develop and advance their malicious attacks. Unfortunately, existing techniques for detecting malware and analysing code samples are insufficient and have significant limitations. For example, most of malware detection studies focused only on detection and neglected the variants of the code. Investigating malware variants allows antivirus products and governments to more easily detect these new attacks, attribution, predict such or similar attacks in the future, and further analysis. The focus of this paper is performing similarity measures between different malware binaries for the same variant utilizing data mining concepts in conjunction with hashing algorithms. In this paper, we investigate and evaluate using the Trend Locality Sensitive Hashing (TLSH) algorithm to group binaries that belong to the same variant together, utilizing the k-NN algorithm. Two Zeus variants were tested, TSPY-ZBOT and MAL-ZBOT to address the effectiveness of the proposed approach. We compare TLSH to related hashing methods (SSDEEP, SDHASH and NILSIMSA) that are currently used for this purpose. Experimental evaluation demonstrates that our method can effectively detect variants of malware and resilient to common obfuscations used by cyber criminals. Our results show that TLSH and SDHASH provide the highest accuracy results in scoring an F-measure of 0.989 and 0.999 respectively.

AB - Cybercrime continues to be a growing challenge and malware is one of the most serious security threats on the Internet today which have been in existence from the very early days. Cyber criminals continue to develop and advance their malicious attacks. Unfortunately, existing techniques for detecting malware and analysing code samples are insufficient and have significant limitations. For example, most of malware detection studies focused only on detection and neglected the variants of the code. Investigating malware variants allows antivirus products and governments to more easily detect these new attacks, attribution, predict such or similar attacks in the future, and further analysis. The focus of this paper is performing similarity measures between different malware binaries for the same variant utilizing data mining concepts in conjunction with hashing algorithms. In this paper, we investigate and evaluate using the Trend Locality Sensitive Hashing (TLSH) algorithm to group binaries that belong to the same variant together, utilizing the k-NN algorithm. Two Zeus variants were tested, TSPY-ZBOT and MAL-ZBOT to address the effectiveness of the proposed approach. We compare TLSH to related hashing methods (SSDEEP, SDHASH and NILSIMSA) that are currently used for this purpose. Experimental evaluation demonstrates that our method can effectively detect variants of malware and resilient to common obfuscations used by cyber criminals. Our results show that TLSH and SDHASH provide the highest accuracy results in scoring an F-measure of 0.989 and 0.999 respectively.

KW - Cyber Security

KW - Cybercrime

KW - Hacking

KW - Malware

KW - Profiling

KW - similarity

UR - http://www.scopus.com/inward/record.url?scp=84929223739&partnerID=8YFLogxK

U2 - 10.1109/CTC.2014.11

DO - 10.1109/CTC.2014.11

M3 - Conference contribution

T3 - Proceedings - 5th Cybercrime and Trustworthy Computing Conference, CTC 2014

SP - 44

EP - 53

BT - Proceedings - 5th Cybercrime and Trustworthy Computing Conference, CTC 2014

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 5th Cybercrime and Trustworthy Computing Conference, CTC 2014

Y2 - 24 November 2014 through 25 November 2014

ER -

Mining malware to detect variants

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this