On the Application of Malware Clustering for Threat Intelligence Synthesis
Description
Malware forensics is a time-consuming process that involves a significant amount of data collection. To ease the load on security analysts, many attempts have been made to automate the intelligence gathering process and provide a centralized search interface. Some of these solutions map existing relations between threats and can discover new intelligence by identifying correlations in the data. However, such systems generally treat each unique malware sample as its own distinct threat. This fails to model the real malware landscape, in which many "new" samples are actually variants of samples that have already been discovered. Were there some way to reliably determine whether two malware samples belong to the same family, intelligence for one sample could be applied to any sample in the family, greatly reducing the complexity of intelligence synthesis. Clustering is a common big data approach for grouping data samples that share common features, and it has been applied in several recent papers to identify related malware. It therefore has the potential to be used as described to simplify the intelligence synthesis process. However, existing threat intelligence systems do not use malware clustering. In this paper, we attempt to design a highly accurate malware clustering system, with the ultimate goal of integrating it into a threat intelligence platform. Toward this end, we explore the many considerations involved in designing such a system: how to extract features to compare malware, and how to use these features for accurate clustering. We then create an experimental clustering system and evaluate its effectiveness using two different clustering algorithms.
Date Created
2017-05
Agent
- Author (aut): Smith, Joshua Michael
- Thesis director: Ahn, Gail-Joon
- Committee member: Zhao, Ziming
- Contributor (ctb): School of Mathematical and Statistical Sciences
- Contributor (ctb): Computer Science and Engineering Program
- Contributor (ctb): Barrett, The Honors College