Experimental Study of Fuzzy Hashing in Malware Clustering Analysis
Yuping Li, Sathya Chandran Sundaramurthy, Alexandru G. Bardas, Xinming Ou, and Doina Caragea, Kansas State University; Xin Hu and Jiyong Jang, IBM Research
Malware triaging is the process of analyzing malicious software applications’ behavior to develop detection signatures. This task is challenging, especially because of the enormous number of samples vendors receive and the limited amount of analyst time available. Triaging usually starts with an analyst classifying samples into known and unknown malware. Recently, there have been various attempts to automate the grouping of similar malware using a technique called fuzzy hashing – a type of compression function for computing the similarity between individual digital files. Unfortunately, there has been no rigorous experimentation or evaluation of fuzzy hashing algorithms for malware similarity analysis in the research literature. In this paper, we perform an extensive study of existing fuzzy hashing algorithms with the goal of understanding their applicability to clustering similar malware. Our experiments indicate that current popular fuzzy hashing algorithms suffer from serious limitations that preclude them from being used in similarity analysis. We identify novel ways to construct fuzzy hashing algorithms, and experiments show that our algorithms perform better than existing ones.
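To make the technique the abstract refers to concrete, here is an added example (written for this page, not the authors' implementation or any of the algorithms the paper evaluates): a simplified context-triggered piecewise hash in the style of ssdeep, followed by a signature comparison and a greedy clustering pass. Simplifications that are assumptions of this example rather than properties of any published fuzzy hash: a fixed block size instead of ssdeep's adaptive one, a byte-sum rolling hash over a 7-byte window, FNV-1a for the per-chunk digest, difflib for the edit-distance-style comparison, and a clustering threshold of 60. The sample inputs are constructed from a seeded LCG.

```python
"""Simplified context-triggered piecewise hashing (CTPH) with a clustering pass.
Added example for illustration; it is not the paper's code and omits much of
what real fuzzy hashes (e.g. ssdeep) do, such as adaptive block sizes."""
import difflib

WINDOW = 7           # rolling-hash window in bytes
BLOCK_SIZE = 16      # fixed trigger modulus (assumption; ssdeep adapts this to file size)
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def fnv1a_32(data: bytes) -> int:
    """32-bit FNV-1a digest of a chunk; used here as the per-chunk hash."""
    h = 0x811C9DC5
    for b in data:
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h


def fuzzy_hash(data: bytes, block_size: int = BLOCK_SIZE) -> str:
    """One base64 character per chunk. Chunk boundaries are chosen by the
    content of the last WINDOW bytes, so an insertion or deletion only
    disturbs the chunks around it and the boundaries resynchronise afterwards."""
    sig = []
    window = bytearray()
    rolling = 0          # sum of the bytes currently in the window
    chunk_start = 0
    for i, b in enumerate(data):
        window.append(b)
        rolling += b
        if len(window) > WINDOW:
            rolling -= window.pop(0)
        # trigger: the rolling hash hits a fixed residue -> end of chunk
        if rolling % block_size == block_size - 1:
            sig.append(ALPHABET[fnv1a_32(data[chunk_start:i + 1]) % 64])
            chunk_start = i + 1
    if chunk_start < len(data):                 # trailing partial chunk
        sig.append(ALPHABET[fnv1a_32(data[chunk_start:]) % 64])
    return "".join(sig)


def similarity(sig_a: str, sig_b: str) -> int:
    """0..100 score from an edit-distance-style alignment of two signatures.
    autojunk is disabled: with a 64-symbol alphabet difflib would otherwise
    discard most symbols of a long signature as 'popular'."""
    if not sig_a or not sig_b:
        return 0
    matcher = difflib.SequenceMatcher(None, sig_a, sig_b, autojunk=False)
    return round(100 * matcher.ratio())


def cluster(samples: dict, threshold: int = 60) -> list:
    """Greedy single-pass grouping: a sample joins the first cluster whose
    representative (its first member) scores >= threshold, else starts a new one."""
    sigs = {name: fuzzy_hash(data) for name, data in samples.items()}
    clusters = []
    for name, sig in sigs.items():
        for group in clusters:
            if similarity(sigs[group[0]], sig) >= threshold:
                group.append(name)
                break
        else:
            clusters.append([name])
    return clusters


def _lcg_bytes(seed: int, n: int) -> bytes:
    """Constructed, deterministic pseudo-random sample data (not real malware)."""
    out = bytearray()
    x = seed
    for _ in range(n):
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


# Constructed inputs: a "sample", a variant with 64 bytes inserted at offset 2000
# (which shifts every later offset, defeating fixed-position block hashing), and
# an unrelated sample.
SAMPLE_A = _lcg_bytes(1, 4096)
SAMPLE_A_PATCHED = SAMPLE_A[:2000] + b"\x90" * 64 + SAMPLE_A[2000:]
SAMPLE_B = _lcg_bytes(99, 4096)


def demo() -> dict:
    """Similarity scores for the three constructed inputs against SAMPLE_A."""
    ha = fuzzy_hash(SAMPLE_A)
    return {
        "self": similarity(ha, ha),
        "patched": similarity(ha, fuzzy_hash(SAMPLE_A_PATCHED)),
        "unrelated": similarity(ha, fuzzy_hash(SAMPLE_B)),
    }


if __name__ == "__main__":
    print(demo())
    print(cluster({"a": SAMPLE_A, "a2": SAMPLE_A_PATCHED, "b": SAMPLE_B}))
```

The point worth observing when running it is the "patched" score: because boundaries depend only on the surrounding bytes, the inserted region changes a handful of signature characters while the rest still align, which is exactly the resynchronisation property that distinguishes fuzzy hashing from fixed-offset block hashing. The greedy clustering is deliberately naive; which threshold to use, and whether a signature comparison like this is discriminative enough on real samples, is the kind of question the paper's evaluation addresses.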
author = {Yuping Li and Sathya Chandran Sundaramurthy and Alexandru G. Bardas and Xinming Ou and Doina Caragea and Xin Hu and Jiyong Jang},
title = {Experimental Study of Fuzzy Hashing in Malware Clustering Analysis},
booktitle = {8th Workshop on Cyber Security Experimentation and Test (CSET 15)},
year = {2015},
address = {Washington, D.C.},
url = {https://www.usenix.org/conference/cset15/workshop-program/presentation/li},
publisher = {USENIX Association},
month = aug
}