
Malware Classification using Dynamic Analysis with Mnemonic Frequencies and Major Blocks

Title
Malware Classification using Dynamic Analysis with Mnemonic Frequencies and Major Blocks
Author
강부중
Alternative Author(s)
BooJoong Kang
Advisor(s)
임을규
Issue Date
2013-08
Publisher
한양대학교 (Hanyang University)
Degree
Doctor
Abstract
The battle between malware developers and security analysts continues: new types of malware appear and new analysis-evasion techniques are developed every year. To keep up with advances in malware development, malware analysis methods must also advance to support security analysts. Malware analysis falls into two categories, static and dynamic. In dynamic analysis, malware is analyzed while it executes or through its execution trace; in static analysis, the binary is examined without running it. This dissertation proposes two malware classification methods, one based on mnemonic frequencies and one based on major blocks.

The first is a malware type classification method that categorizes malware into types such as Backdoor, Trojan and Worm based on mnemonic frequency analysis. A mnemonic frequency is the number of occurrences of a mnemonic; it can be used for type classification because mnemonic frequencies are similar among malware of the same type. An analysis technique called repetition analysis is also proposed to identify repetitions of assembly instructions, which arise from loops and from repeated calls of certain functions. In experiments, the proposed type classification method exceeded 90% accuracy while using only 8% of the original data, the portion extracted by repetition analysis.

The second is a malware family classification method based on major block analysis. Malware families can be distinguished by comparing basic blocks, because some basic blocks are shared among malware in the same family. Since the time overhead of this comparison grows with the number of basic blocks, the proposed major block analysis restricts the comparison to a subset of basic blocks, called major blocks. Major blocks are basic blocks that contain a specific mnemonic such as CALL, CMP or PUSH, so there are fewer of them than basic blocks overall. An analysis technique called sub-family analysis is also proposed to improve the accuracy of family classification: sub-families within each malware family are identified, and the sub-family information is used during classification. In experiments, the proposed family classification method exceeded 80% accuracy. CALL proved to be a good mnemonic for extracting major blocks, giving high accuracy and low time overhead, and sub-family analysis improved family classification accuracy by up to 25%.
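The two feature types described in the abstract, shown as an added Python illustration that is not code from the dissertation: a constructed execution trace is cut into basic blocks, repeated block instances from loops and repeated calls are collapsed, mnemonic frequencies are compared for type classification, and CALL-containing major blocks are compared for family classification. The trace format, the block-splitting rule, the nearest-neighbour matching with cosine and Jaccard similarity, and all sample traces and labels are assumptions made for this example; the dissertation's own repetition analysis, classifiers and sub-family analysis are not reproduced here.

```python
"""Mnemonic-frequency and major-block features from a dynamic trace.

Added illustration, not code from the dissertation. The trace format, the
block-splitting rule, the similarity measures and all sample data are
assumptions/constructions chosen to show the two feature types side by side.
"""
from collections import Counter
from math import sqrt
from typing import Dict, Iterable, List, Sequence, Set, Tuple

Instr = Tuple[int, str]   # (instruction address, mnemonic) as a tracer would log it
Block = Tuple[str, ...]   # mnemonics of one basic block, in execution order

# Assumed rule: any control transfer terminates a basic block.
TERMINATORS = {"call", "jmp", "je", "jne", "jz", "jnz", "ret"}


def split_blocks(trace: Sequence[Instr]) -> List[Tuple[int, Block]]:
    """Cut an executed trace into basic-block instances (start address, mnemonics).
    A loop body that runs N times yields N instances with the same start address."""
    out: List[Tuple[int, Block]] = []
    start, cur = None, []
    for addr, mn in trace:
        mn = mn.lower()
        if start is None:
            start = addr
        cur.append(mn)
        if mn in TERMINATORS:
            out.append((start, tuple(cur)))
            start, cur = None, []
    if cur:                              # trace ended mid-block
        out.append((start, tuple(cur)))
    return out


def repetition_reduce(trace: Sequence[Instr]) -> Dict[int, Block]:
    """Repetition analysis in its simplest form: keep each block once, keyed by
    start address, so loops and repeated calls no longer inflate the counts."""
    uniq: Dict[int, Block] = {}
    for start, blk in split_blocks(trace):
        uniq.setdefault(start, blk)
    return uniq


def mnemonic_frequencies(blocks: Iterable[Block]) -> Counter:
    """Mnemonic frequency vector: how often each mnemonic occurs in the blocks."""
    freq: Counter = Counter()
    for blk in blocks:
        freq.update(blk)
    return freq


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity of two frequency vectors (assumed distance for types)."""
    dot = sum(a[k] * b[k] for k in a)
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def major_blocks(blocks: Iterable[Block], key: str = "call") -> Set[Block]:
    """Major blocks: the subset of basic blocks that contain the chosen mnemonic."""
    return {blk for blk in blocks if key in blk}


def jaccard(a: Set[Block], b: Set[Block]) -> float:
    """Share of major blocks two samples have in common (assumed family metric)."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


# Constructed traces with hypothetical addresses; not real malware data.
W1: List[Instr] = [
    (0x1000, "push"), (0x1001, "push"), (0x1002, "call"),   # call site
    (0x2000, "mov"), (0x2003, "ret"),                       # callee body
    (0x1007, "cmp"), (0x1009, "jne"),                       # loop header,
    (0x1007, "cmp"), (0x1009, "jne"),                       # executed 3 times
    (0x1007, "cmp"), (0x1009, "jne"),
    (0x100b, "xor"), (0x100d, "ret"),
]
W2: List[Instr] = [
    (0x3000, "push"), (0x3001, "push"), (0x3002, "call"),
    (0x4000, "mov"), (0x4003, "ret"),
    (0x3007, "cmp"), (0x3009, "jne"), (0x3007, "cmp"), (0x3009, "jne"),
    (0x300b, "add"), (0x300d, "ret"),
]
B1: List[Instr] = [
    (0x5000, "mov"), (0x5003, "lea"), (0x5006, "call"),
    (0x6000, "mov"), (0x6003, "ret"),
    (0x5009, "test"), (0x500b, "jz"),
    (0x500d, "xor"), (0x500f, "ret"),
]
QUERY: List[Instr] = [
    (0x7000, "push"), (0x7001, "push"), (0x7002, "call"),
    (0x8000, "mov"), (0x8003, "ret"),
    (0x7007, "cmp"), (0x7009, "jne"), (0x7007, "cmp"), (0x7009, "jne"),
    (0x700b, "sub"), (0x700d, "ret"),
]
# (trace, type, family) labels are part of the constructed data set.
LABELLED = {"w1": (W1, "Worm", "W"), "w2": (W2, "Worm", "W"), "b1": (B1, "Backdoor", "B")}


def classify_type(trace: Sequence[Instr]) -> str:
    """Nearest neighbour on reduced mnemonic frequencies -> malware type."""
    q = mnemonic_frequencies(repetition_reduce(trace).values())
    best = max(LABELLED.values(), key=lambda t: cosine(
        q, mnemonic_frequencies(repetition_reduce(t[0]).values())))
    return best[1]


def classify_family(trace: Sequence[Instr], key: str = "call") -> str:
    """Nearest neighbour on shared major blocks -> malware family."""
    q = major_blocks(repetition_reduce(trace).values(), key)
    best = max(LABELLED.values(), key=lambda t: jaccard(
        q, major_blocks(repetition_reduce(t[0]).values(), key)))
    return best[2]


if __name__ == "__main__":
    reduced = repetition_reduce(W1)
    print(len(W1), "instructions ->", sum(map(len, reduced.values())), "after reduction")
    print("type:", classify_type(QUERY), "family:", classify_family(QUERY))
```

On the constructed W1 trace the three iterations of the loop collapse to one block instance, reducing 13 traced instructions to 9; on a real trace, where loop bodies and helper functions run thousands of times, the reduction is far larger, which is the effect the abstract's "8% of the original data" figure refers to. Choosing `key="cmp"` or `"push"` in `classify_family` selects a different, larger set of major blocks, which is the trade-off between accuracy and time overhead the abstract describes for the choice of mnemonic.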
URI
https://repository.hanyang.ac.kr/handle/20.500.11754/133144
http://hanyang.dcollection.net/common/orgView/200000422265
Appears in Collections:
GRADUATE SCHOOL[S](대학원) > ELECTRONICS AND COMPUTER ENGINEERING(전자컴퓨터통신공학과) > Theses (Ph.D.)
Files in This Item:
There are no files associated with this item.