Malware analysts need to be able to accurately and swiftly predict family membership as well as to determine that a suspect file contains malicious content. Previous research has shown that fuzzy hashing can be used to determine whether a file is malicious and to cluster like files together, but it does not specifically address the problem of malware variant classification. Existing tools such as VirusTotal maintain file- and section-level cryptographic hashes and ssdeep file digests, but they do not maintain section-level similarity hashes or provide a means to submit similarity hashes and compare them to previously analyzed samples. This paper presents a study on the feasibility of using section-level similarity hashing as a means of classifying malware variants. The aim of the study was to produce a method that overcomes the limitations of file-level similarity hashing, such as poor performance against obfuscated malware. Section-level similarity hashing involves splitting malware executables into their binary headers and sections and applying a similarity digest to each resulting binary chunk. Experiments with known malware families were conducted using file- and section-level digests, where each method was used to predict malware family membership. The performance of both methods was evaluated using precision, recall and accuracy metrics. The results show that similarity digests can be used to classify malware in Windows Portable Executable (PE) files, and that section-level hashing and comparison produces considerably better results than file-level hashing.