As part of his presentation at the e-COPP conference, P. Kijewski (NASK) will introduce the WOMBAT project.
WP6-Dissemination: November 2008 Archives
The following paper has been accepted at the Network and Distributed Systems Security (NDSS) 2009 conference:
Title: Scalable, Behavior-Based Malware Clustering
Authors:
- Ulrich Bayer, TUV
- Paolo Milani Comparetti, TUV
- Clemens Hlauschek, TUV
- Christopher Kruegel, UCSB
- Engin Kirda, Eurecom
Anti-malware companies receive thousands of malware samples every day. To process this large quantity, a number of automated analysis tools were developed. These tools execute a malicious program in a controlled environment and produce reports that summarize the program's actions. Of course, the problem of analyzing the reports still remains. Recently, researchers have started to explore automated clustering techniques that help to identify samples that exhibit similar behavior. This allows an analyst to discard reports of samples that have been seen before, while focusing on novel, interesting threats. Unfortunately, previous techniques do not scale well and frequently fail to generalize the observed activity well enough to recognize related malware.
In this paper, we propose a scalable clustering approach to identify and group malware samples that exhibit similar behavior. For this, we first perform dynamic analysis to obtain the execution traces of malware programs. These execution traces are then generalized into behavioral profiles, which characterize the activity of a program in more abstract terms. The profiles serve as input to an efficient clustering algorithm that allows us to handle sample sets that are an order of magnitude larger than previous approaches. We have applied our system to real-world malware collections. The results demonstrate that our technique is able to recognize and group malware programs that behave similarly, achieving a better precision than previous approaches. To underline the scalability of the system, we clustered a set of more than 75 thousand samples in less than three hours.
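To make the pipeline in the abstract concrete (execution traces, generalized into behavioral profiles, then grouped by similarity), here is an added Python illustration; it is not code from the paper, and the sandbox events, the generalization rules and the single-linkage Jaccard clustering are assumptions chosen for illustration, not the authors' algorithm.

```python
import re
from itertools import combinations

# Constructed sandbox trace events: (sample_id, subsystem, operation, target).
# s1 and s2 are variants of one family differing only in random names/hosts.
EVENTS = [
    ("s1", "file", "create", r"C:\Users\bob\AppData\Local\Temp\a8f1.tmp"),
    ("s1", "registry", "set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\a8f1"),
    ("s1", "network", "connect", "10.0.0.7:80"),
    ("s2", "file", "create", r"C:\Users\alice\AppData\Local\Temp\zz90.tmp"),
    ("s2", "registry", "set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\zz90"),
    ("s2", "network", "connect", "10.0.0.9:80"),
    ("s3", "file", "read", r"C:\Windows\System32\kernel32.dll"),
    ("s3", "process", "create", r"C:\Windows\System32\notepad.exe"),
]

def generalize(subsystem, operation, target):
    """Abstract one concrete trace event into a profile feature (assumed rules):
    user names, temp-file names, Run values and IP addresses are replaced by
    placeholders so that variants of one family yield identical features."""
    t = re.sub(r"\\Users\\[^\\]+", r"\\Users\\<user>", target)
    t = re.sub(r"\\Temp\\[^\\]+", r"\\Temp\\<tmpfile>", t)
    t = re.sub(r"\\Run\\[^\\]+$", r"\\Run\\<value>", t)
    t = re.sub(r"^\d{1,3}(\.\d{1,3}){3}(:\d+)?$", lambda m: "<ip>" + (m.group(2) or ""), t)
    return f"{subsystem}|{operation}|{t}"

def build_profiles(events):
    """Behavioral profile = set of generalized features per sample."""
    profiles = {}
    for sid, sub, op, target in events:
        profiles.setdefault(sid, set()).add(generalize(sub, op, target))
    return profiles

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 1.0

def cluster(profiles, threshold=0.7):
    """Single-linkage clustering via union-find: samples whose profiles have
    Jaccard similarity >= threshold share a cluster. This exhaustive pairwise
    comparison is O(n^2); avoiding it is exactly the scalability problem the paper targets."""
    parent = {sid: sid for sid in profiles}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for a, b in combinations(profiles, 2):
        if jaccard(profiles[a], profiles[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for sid in profiles:
        groups.setdefault(find(sid), set()).add(sid)
    return sorted(sorted(g) for g in groups.values())
```

Running `cluster(build_profiles(EVENTS))` groups s1 with s2 and leaves s3 alone, even though no two raw trace lines were identical; the generalization step is what makes the variants comparable.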
The WOMBAT project will be represented at the Future Internet Assembly conference in Madrid, December 2008, by the following people:
- Vincent Boutroux, France Télécom R&D/Orange Labs
- Sotiris Ioannidis, FORTH (also representing FORWARD)
- Philip Homburg, VU (also representing FORWARD)
- Paolo Milani Comparetti, TUV
The WOMBAT project will be represented by the following people at the ICT 2008 Conference:
- Vincent Boutroux, France Télécom R&D/Orange Labs
- Marc Dacier, Symantec
Hervé Debar participates in working group 1 of the Think-Trust project.
The WOMBAT project was represented by Hervé Debar at the SEC 2008 Conference in Paris, September 2008.
The WOMBAT project has received numerous requests for interaction, either to provide data to the project for analysis or to use the information collected by the project.
Our current answer to these requests is to suggest that, if you are interested in participating, you join one of the project partners' initiatives. The current suggestion is to install an SGNet honeypot through the leurre.com project, https://www.leurrecom.org/. This will enable you to collect data and provide it to the project. It will also enable you to access some of the data collected by others through well-specified interfaces, and carry out your own data analysis research.
If you are a large data collector, we also have an interface for data exchange, run by FORTH in Greece. Please contact us if you feel that you fall into this category.