Volume 4 - Issue 4
Malware Similarity Analysis using API Sequence Alignments
- In Kyeom Cho
Hanyang University, Seoul, Korea
dlsrua1004@hanyang.ac.kr
- TaeGuen Kim
Hanyang University, Seoul, Korea
cloudio17@hanyang.ac.kr
- Yu Jin Shim
Hanyang University, Seoul, Korea
luvtdw@hanyang.ac.kr
- Haeryong Park
Korea Internet & Security Agency, Seoul, Korea
hrpark@kisa.or.kr
- Bomin Choi
Korea Internet & Security Agency, Seoul, Korea
bmchoi@kisa.or.kr
- Eul Gyu Im
Hanyang University, Seoul, Korea
imeg@hanyang.ac.kr
Keywords: malware analysis, dynamic analysis, API sequence, sequence alignment
Abstract
Malware variants can be defined as malware samples that share similar malicious behavior. In this paper, a
sequence alignment method, widely used in bioinformatics, is applied to detect malware
variants. The method finds the common parts of the malware's API call sequences, and these common
API call subsequences can be used to detect the shared behaviors of malware variants. However, when
sequence alignment is applied to compare API call sequences, its cost depends on the lengths of the
sequences, and if the sequences are very long the performance becomes very poor.
Therefore, in this paper, we devised a malware similarity calculation system to detect malware variants
and proposed an improved process that reduces sequence alignment overhead. Finally,
the proposed system was tested with two given malware families, and it can be used to verify whether
the given malware variants have similar behaviors. Experimental results show that our method can
be leveraged in a malware detection system.
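The abstract describes aligning API call sequences to expose the behavior two variants share and warns that alignment cost grows with sequence length. The following added example (not the paper's own code or its overhead-reduction process) implements the standard Smith-Waterman local alignment from bioinformatics over API-name tokens, returns the shared API subsequence and a normalized similarity score, and shows one commonly assumed preprocessing step (collapsing consecutive repeated calls) that shortens traces before alignment. The API traces and the scoring constants are constructed for illustration, not taken from real malware.

```python
"""Local alignment of API call sequences (added example, not the paper's code).

Assumptions: each trace is a list of API name strings captured by dynamic
analysis; MATCH/MISMATCH/GAP are illustrative scoring constants; the sample
traces below are constructed, not real malware traces.
"""
from typing import List, Tuple

MATCH, MISMATCH, GAP = 2, -1, -1


def local_align(a: List[str], b: List[str]) -> Tuple[int, List[str]]:
    """Smith-Waterman over tokens.

    Returns (best local alignment score, API names matched in that
    alignment, in order). Time and memory are O(len(a) * len(b)): the
    quadratic cost is the overhead the abstract warns about for long traces.
    """
    n, m = len(a), len(b)
    H = [[0] * (m + 1) for _ in range(n + 1)]
    best, best_pos = 0, (0, 0)
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            diag = H[i - 1][j - 1] + (MATCH if a[i - 1] == b[j - 1] else MISMATCH)
            up = H[i - 1][j] + GAP      # gap in b (extra call in a)
            left = H[i][j - 1] + GAP    # gap in a (extra call in b)
            H[i][j] = max(0, diag, up, left)
            if H[i][j] > best:
                best, best_pos = H[i][j], (i, j)

    # Trace back from the best cell until the score drops to 0,
    # collecting the API calls that were matched along the way.
    matched: List[str] = []
    i, j = best_pos
    while i > 0 and j > 0 and H[i][j] > 0:
        cur = H[i][j]
        if a[i - 1] == b[j - 1] and cur == H[i - 1][j - 1] + MATCH:
            matched.append(a[i - 1])
            i, j = i - 1, j - 1
        elif cur == H[i - 1][j - 1] + MISMATCH:
            i, j = i - 1, j - 1
        elif cur == H[i - 1][j] + GAP:
            i -= 1
        else:
            j -= 1
    matched.reverse()
    return best, matched


def similarity(a: List[str], b: List[str]) -> float:
    """Alignment score normalized to [0, 1] by the best score achievable
    (every call of the shorter trace matched)."""
    if not a or not b:
        return 0.0
    score, _ = local_align(a, b)
    return score / (MATCH * min(len(a), len(b)))


def collapse_repeats(seq: List[str]) -> List[str]:
    """Drop consecutive duplicate calls (e.g. a loop issuing ReadFile 1000
    times). An assumed trace-shortening step, not the paper's own process."""
    out: List[str] = []
    for call in seq:
        if not out or out[-1] != call:
            out.append(call)
    return out


# Constructed sample traces: two variants sharing a file-drop / registry /
# process-launch core, and an unrelated network-only sample.
VARIANT_A = ["GetModuleHandleA", "CreateFileW", "WriteFile", "CloseHandle",
             "RegOpenKeyExW", "RegSetValueExW", "RegCloseKey",
             "CreateProcessW", "ExitProcess"]
VARIANT_B = ["Sleep", "GetTickCount", "CreateFileW", "WriteFile", "CloseHandle",
             "RegOpenKeyExW", "RegSetValueExW", "RegCloseKey", "WinExec",
             "CreateProcessW", "ExitProcess"]
UNRELATED = ["socket", "connect", "send", "recv", "closesocket", "Sleep",
             "ExitProcess"]

if __name__ == "__main__":
    score, shared = local_align(VARIANT_A, VARIANT_B)
    print("A vs B score:", score, "shared calls:", shared)
    print("sim(A,B) = %.3f  sim(A,unrelated) = %.3f"
          % (similarity(VARIANT_A, VARIANT_B), similarity(VARIANT_A, UNRELATED)))
```

With these constants the two variants align on the eight-call core (WinExec in B costs one gap), giving a score of 15 and a similarity of 0.83, while the unrelated trace only matches ExitProcess (score 2, similarity 0.14). In practice the threshold that separates "variant" from "unrelated" has to be calibrated on labeled families, and collapsing repeats or otherwise shortening traces should be done before the quadratic alignment step, not after.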