
Classification of Malware Variants Using Multiple Sequence Alignment Techniques

Other Titles
Thesis for the Master of Science
Author
조인겸
Alternative Author(s)
In Kyeom Cho
Advisor(s)
임을규
Issue Date
2016-02
Publisher
Hanyang University
Degree
Master
Abstract
Malware developers now use various techniques to avoid detection by antivirus software. Using one of those techniques, attackers can create malware variants from an existing malware file. Existing signature-based detection methods can be evaded by such variants because the variants differ in static features such as code or strings. Therefore, behavior-based detection is needed to detect and classify malware variants. This thesis proposes a technique that extracts a representative API pattern from the API call sequences of a malware family using the multiple sequence alignment (MSA) algorithm, in order to measure similarities among malware variants. A sandbox tool was used to extract the API call sequences of malware. The Clustal algorithm, one of the most popular MSA algorithms in the bioinformatics field, was then applied to the malware API call sequences, and a representative API pattern was extracted from the MSA results. Experiments were carried out to test the extracted API signatures used to classify malware variants, and the classification accuracy of each family's representative API pattern was measured. The experimental results show that the proposed method can be effective for classifying malware families. From the experimental results, I also propose behavioral relationships among the families and discuss them.
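The abstract describes three steps: align the API call sequences of one family with an MSA algorithm, read a representative API pattern out of the alignment, and classify a variant by its similarity to each family's pattern. The Python below is an added illustration of that pipeline and is not code from the thesis. It substitutes the simpler center-star progressive alignment for Clustal's guide-tree approach, uses a toy match/mismatch/gap scoring scheme, a majority-vote consensus with a 50 % column-support threshold, and constructed API traces for two hypothetical families; all of these choices are assumptions made here, not parameters reported by the thesis.

```python
from collections import Counter
from itertools import combinations

GAP, MATCH, MISMATCH, GAP_PEN = "-", 2, -1, -1   # toy scoring scheme (assumption)

def needleman_wunsch(a, b):
    """Global pairwise alignment; returns (score, aligned_a, aligned_b) with GAP tokens."""
    n, m = len(a), len(b)
    s = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1): s[i][0] = i * GAP_PEN
    for j in range(1, m + 1): s[0][j] = j * GAP_PEN
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            s[i][j] = max(s[i - 1][j - 1] + sub, s[i - 1][j] + GAP_PEN, s[i][j - 1] + GAP_PEN)
    i, j, out_a, out_b = n, m, [], []
    while i > 0 or j > 0:  # traceback, preferring diagonal moves on ties
        sub = MATCH if i and j and a[i - 1] == b[j - 1] else MISMATCH
        if i and j and s[i][j] == s[i - 1][j - 1] + sub:
            out_a.append(a[i - 1]); out_b.append(b[j - 1]); i -= 1; j -= 1
        elif i and s[i][j] == s[i - 1][j] + GAP_PEN:
            out_a.append(a[i - 1]); out_b.append(GAP); i -= 1
        else:
            out_a.append(GAP); out_b.append(b[j - 1]); j -= 1
    return s[n][m], out_a[::-1], out_b[::-1]

def center_star_msa(seqs):
    """Progressive MSA: align every sequence to the centre (highest summed pairwise
    score) and merge the gaps; returns equal-length rows, centre first."""
    n, totals = len(seqs), [0] * len(seqs)
    for i, j in combinations(range(n), 2):
        sc = needleman_wunsch(seqs[i], seqs[j])[0]
        totals[i] += sc; totals[j] += sc
    c = max(range(n), key=lambda k: totals[k])
    centre, rows = list(seqs[c]), []          # centre row accumulates gaps
    for k in range(n):
        if k == c: continue
        _, ac, ak = needleman_wunsch(seqs[c], seqs[k])
        new_c, new_k, new_rows = [], [], [[] for _ in rows]
        p = q = 0
        while p < len(centre) or q < len(ac):
            if p < len(centre) and q < len(ac) and centre[p] != GAP and ac[q] != GAP:
                new_c.append(centre[p]); new_k.append(ak[q])      # same centre token
                for r, row in zip(new_rows, rows): r.append(row[p])
                p += 1; q += 1
            elif p < len(centre) and centre[p] == GAP:             # gap from an earlier merge
                new_c.append(GAP); new_k.append(GAP)
                for r, row in zip(new_rows, rows): r.append(row[p])
                p += 1
            else:                                                  # gap introduced by seqs[k]
                new_c.append(GAP); new_k.append(ak[q])
                for r in new_rows: r.append(GAP)
                q += 1
        centre, rows = new_c, new_rows + [new_k]
    return [centre] + rows

def representative_pattern(msa, min_support=0.5):
    """Per column keep the most frequent API call if at least min_support of the
    family's sequences have it there; weaker columns are dropped."""
    pattern = []
    for col in zip(*msa):
        calls = [t for t in col if t != GAP]
        if not calls: continue
        api, count = Counter(calls).most_common(1)[0]
        if count / len(msa) >= min_support: pattern.append(api)
    return pattern

def similarity(seq, pattern):
    """Alignment score normalised by the best score achievable for these lengths."""
    return needleman_wunsch(seq, pattern)[0] / (MATCH * max(len(seq), len(pattern)))

def build_family_patterns(families, min_support=0.5):
    return {fam: representative_pattern(center_star_msa(seqs), min_support)
            for fam, seqs in families.items()}

def classify(seq, patterns):
    """Assign seq to the family whose representative pattern aligns best."""
    return max(patterns, key=lambda fam: similarity(seq, patterns[fam]))

# Constructed API-call traces (not from the thesis): two toy families, three variants each.
FAMILIES = {
    "dropper": [
        ["CreateFile", "WriteFile", "CloseHandle", "CreateProcess"],
        ["CreateFile", "WriteFile", "SetFileAttributes", "CloseHandle", "CreateProcess"],
        ["CreateFile", "WriteFile", "CloseHandle", "WinExec"],
    ],
    "keylogger": [
        ["SetWindowsHookEx", "GetAsyncKeyState", "GetAsyncKeyState", "InternetOpen", "HttpSendRequest"],
        ["SetWindowsHookEx", "GetAsyncKeyState", "InternetOpen", "HttpSendRequest"],
        ["SetWindowsHookEx", "GetForegroundWindow", "GetAsyncKeyState", "InternetOpen", "HttpSendRequest"],
    ],
}

if __name__ == "__main__":
    pats = build_family_patterns(FAMILIES)
    for fam, pat in pats.items(): print(fam, "->", " ".join(pat))
    print(classify(["CreateFile", "WriteFile", "SetFileAttributes", "CloseHandle", "WinExec"], pats))
```

Running the block prints one pattern per family and classifies a constructed unseen variant that inserts a call and swaps the final one; the extra `SetFileAttributes` column falls below the support threshold, so it is not part of the dropper pattern, which is the property that lets the pattern tolerate variant noise. With real sandbox traces the scoring scheme and support threshold govern the trade-off between over-specific patterns (missed variants) and over-general ones (cross-family confusion), so both are worth tuning against held-out samples rather than fixed as here.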
URI
https://repository.hanyang.ac.kr/handle/20.500.11754/126490
http://hanyang.dcollection.net/common/orgView/200000428363
Appears in Collections:
GRADUATE SCHOOL[S] (Graduate School) > COMPUTER SCIENCE (Department of Computer Science and Software) > Theses (Master)
Files in This Item:
There are no files associated with this item.