Malicious Code Characteristics Visualization using API

AUTHORS

JiHun Kim, Student, Department of Computer Engineering, Yeungnam University, 280 Daehak-Ro, Gyeongsan, Gyeongbuk, Republic of Korea
SungWon Lee, Student, Department of Computer Engineering, Yeungnam University, 280 Daehak-Ro, Gyeongsan, Gyeongbuk, Republic of Korea
JongHee Youn*, Professor, Department of Computer Engineering, Yeungnam University, 280 Daehak-Ro, Gyeongsan, Gyeongbuk, Republic of Korea

ABSTRACT

The mass production of malware through the generation of variants poses a security threat to society and industry as a whole. Because the volume of malware is too large to analyze and defend against one sample at a time, efficient analysis methods are essential. In this study, API calls are divided into 25 categories, and the interaction and frequency of the APIs are rendered as 25 × 25 pixel images, built from a matrix whose cells are expressed as RGB values. The Euclidean distance algorithm is applied to measure color similarity, and the similarity of malicious behavior between samples is calculated from the final Euclidean distance value. Compared with the similarity calculated using an existing similarity calculation method, the similarity calculated by this method was 5% to 10% higher on average.
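The pipeline outlined in the abstract, as an added sketch that is not the authors' code. The abstract does not give the pixel encoding, so the meaning of each RGB channel, the averaging over active pixels, the conversion from distance to a similarity score and the constructed sample traces are all assumptions.

```python
import math

N = 25                           # number of API categories, from the abstract
MAX_DIST = math.sqrt(3 * 255 ** 2)   # largest distance between two RGB colors

def build_matrix(trace):
    """Count category-to-category transitions in a trace of category ids."""
    if any(not 0 <= c < N for c in trace):
        raise ValueError("category id outside 0..24")
    m = [[0] * N for _ in range(N)]
    for a, b in zip(trace, trace[1:]):
        m[a][b] += 1             # cell (a, b): category a followed by b
    return m

def to_image(m):
    """Encode each cell as one RGB pixel (channel meanings are assumed)."""
    peak = max(max(row) for row in m) or 1
    out_tot = [sum(row) or 1 for row in m]
    in_tot = [sum(m[i][j] for i in range(N)) or 1 for j in range(N)]
    return [[(round(255 * m[i][j] / peak),        # R: frequency vs busiest cell
              round(255 * m[i][j] / out_tot[i]),  # G: share of calls leaving i
              round(255 * m[i][j] / in_tot[j]))   # B: share of calls entering j
             for j in range(N)] for i in range(N)]

def similarity(img_a, img_b):
    """1.0 means identical images; based on mean per-pixel color distance."""
    dists = [math.dist(pa, pb)
             for ra, rb in zip(img_a, img_b)
             for pa, pb in zip(ra, rb)
             if any(pa) or any(pb)]   # ignore pixels that are black in both
    if not dists:                     # two empty traces: nothing differs
        return 1.0
    return 1.0 - (sum(dists) / len(dists)) / MAX_DIST

def compare(trace_a, trace_b):
    return similarity(to_image(build_matrix(trace_a)),
                      to_image(build_matrix(trace_b)))

# Constructed traces of category ids (not real samples).
TRACE_A = [0, 3, 3, 7, 12, 3, 7, 12, 24]
TRACE_B = [0, 3, 3, 7, 12, 3, 7, 12, 12, 24]   # variant of A, one extra call
TRACE_C = [5, 9, 9, 14, 20, 5, 9, 1]           # unrelated behavior

if __name__ == "__main__":
    print(f"A vs B: {compare(TRACE_A, TRACE_B):.3f}")
    print(f"A vs C: {compare(TRACE_A, TRACE_C):.3f}")
```

Averaging only over pixels that are lit in at least one image matters here: most of the 625 cells are empty for any single trace, and counting them would push every pair toward a similarity of 1.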

 

KEYWORDS

Malware, Binary analysis, Visualization, Similarity

CITATION

  • APA:
    Kim, J.H. & Lee, S.W. & Youn*, J.H. (2021). Malicious Code Characteristics Visualization using API. International Journal of Smartcare Home, 1(1), 65-84.
  • Harvard:
    Kim, J.H., Lee, S.W., Youn*, J.H. (2021). "Malicious Code Characteristics Visualization using API". International Journal of Smartcare Home, 1(1), pp. 65-84.
  • IEEE:
    [1] J.H. Kim, S.W. Lee, J.H. Youn*, "Malicious Code Characteristics Visualization using API". International Journal of Smartcare Home, vol. 1, no. 1, pp. 65-84, Jun. 2021
  • MLA:
    Kim JiHun, Lee SungWon and Youn* JongHee. "Malicious Code Characteristics Visualization using API". International Journal of Smartcare Home, vol. 1, no. 1, Jun. 2021, pp. 65-84

ISSUE INFO

  • Volume 1, No. 1, 2021
  • ISSN(e): 2653-1941
  • Published: Jun. 2021
