peHash: a novel approach to fast malware clustering

Author: Georg Wicherski

DOI:

Keywords:

Abstract: Data collection is not a big issue anymore with available honeypot software and setups. However, malware collections gathered from these systems often suffer from massive sample counts that data analysis tools like sandboxes cannot cope with. Sophisticated self-modifying malware is able to generate new polymorphic instances of itself with different message digest sums for each infection attempt, thus resulting in many samples being stored for the same specimen. Scaling systems that are fed by databases relying on uniqueness based on digests is only feasible to a certain extent. In this paper we introduce a non-cryptographic, fast-to-calculate hash function for binaries in the Portable Executable format that transforms structural information about the binary into a hash value. Grouping samples by the calculated hash values allows detection of multiple instances of the same specimen, as well as of samples that are broken, e.g. due to transfer errors. Practical evaluation on sample sets shows a significant reduction in sample counts.

References (4)
Paul Baecher, Markus Koetter, Thorsten Holz, Maximillian Dornseif, Felix Freiling. The Nepenthes Platform: An Efficient Approach to Collect Malware. Lecture Notes in Computer Science, pp. 165-184 (2006). doi:10.1007/11856214_9
Carsten Willems, Thorsten Holz, Felix Freiling. Toward Automated Dynamic Malware Analysis Using CWSandbox. IEEE Security & Privacy, vol. 5, pp. 32-39 (2007). doi:10.1109/MSP.2007.45
Vassil Roussev, Golden G. Richard, Lodovico Marziale. Multi-resolution similarity hashing. Digital Investigation, vol. 4, pp. 105-113 (2007). doi:10.1016/J.DIIN.2007.06.011
T. Abou-Assaleh, N. Cercone, V. Keselj, R. Sweidan. N-gram-based detection of new malicious code. Computer Software and Applications Conference (COMPSAC), vol. 2, pp. 41-42 (2004). doi:10.1109/CMPSAC.2004.1342667