2019
DOI: 10.1016/j.diin.2019.01.018
Improving file-level fuzzy hashes for malware variant classification

Cited by 17 publications (12 citation statements)
References 3 publications
“…Typically, packed malware will contain the compressed malware and a decryption engine that will undo the compression at runtime. We experimented with packed malware but the results were omitted because recent work has shown that entropy, section hashing, and consistently executing graph mining can be used to classify packed malware [31]–[33]. Being able to be detected using entropy and hashing approaches leads us to believe packing is not well-suited for use in adversarial example generation.…”
Section: Obfuscation Results | Citation type: mentioning | Confidence: 99%
“…A case in point is the famous WannaCry ransomware, which contained code fragments that have been seen before in malware samples associated with the Lazarus threat actor group; this feature reuse was key to the attribution of the malware to North Korea.[16] This means that malware can be clustered using fuzzy hashing [41], [42], [43], [44], [45], [46], [47] when the attackers reuse features, even though the variants have different cryptographic hashes. For threat intelligence, this means that if two or more malware samples have high similarities using the concept of CTPH, we can hypothesize that the samples are from the same threat group, the result of collaboration between threat groups, or built from the same malware builder program, which enables threat attribution at the tactical/technical level, which involves attributing APTs with connections to nation-state actors.…”
Section: Background: Fuzzy Hashes | Citation type: mentioning | Confidence: 99%
“…For example, Ian Shiel et al. in their work [4] proposed a method of improving the fuzzy hashing algorithm by applying it to each section of a binary PE file. With their research, the authors address the problem of detecting malicious software for the Windows OS, in which, by design, there are sections common to all files, and developers can change the order of program sections or insert additional sections to complicate its identification.…”
Section: Literature Analysis | Citation type: mentioning | Confidence: 99%