
Malware Analysis and Classification Using Sequence Alignments

Authors
Cho, In Kyeom; Kim, Tae Guen; Shim, Yu Jin; Ryu, Minsoo; Im, Eul Gyu
Issue Date
Jun-2016
Publisher
TSI PRESS
Keywords
Malware analysis; Dynamic analysis; API sequence; Malicious behavior; Similarity analysis; Sequence alignment
Citation
INTELLIGENT AUTOMATION AND SOFT COMPUTING, v.22, no.3, pp.371 - 377
Indexed
SCIE
SCOPUS
Journal Title
INTELLIGENT AUTOMATION AND SOFT COMPUTING
Volume
22
Number
3
Start Page
371
End Page
377
URI
https://scholarworks.bwise.kr/hanyang/handle/2021.sw.hanyang/154474
ISSN
1079-8587
Abstract
With the increased use of the Internet, the number of newly found malware samples keeps increasing every year. In addition, malware is becoming more and more complex through various technologies, such as packing, anti-debugging, and so on. To defend against a large number of malware samples every day, improving the analysis process is quite important. One way of expediting malware analysis is to classify unknown or new malware into known malware families. A malware family is a group of malware that shares common modules and has similar malicious behaviors. This paper proposes a malware family classification framework using a sequence alignment method, which is widely used in the bioinformatics field. Our proposed framework can find common parts in the API sequences invoked by malware, and these common API sequences can be used to find similar behaviors among malware variants. Since sequence alignment methods usually have high performance overheads, our proposed framework uses a couple of techniques to reduce the overheads. The proposed framework was tested with some malware families, and experimental results show that our mechanism can be used to classify malware families, because there are clear similarity differences between malware in the same family and malware in different families.
Appears in Collections
Seoul College of Engineering > Seoul School of Computer Software > 1. Journal Articles
