An Efficient Analysis Technique for Detecting Overlap and Disjoint Behavior Among Malware

Report No. ARL-TR-5925
Authors: Jaime C. Acosta
Date/Pages: February 2012; 20 pages
Abstract: A large amount of research is focused on identifying malware. Once identified, the behavior of the malware must be analyzed to determine its effects on a system. This can be done by tracing through a malware binary using a disassembler, or by logging its dynamic behavior using a sandbox (a virtual machine that executes a binary and logs all dynamic events, such as network, registry, and file manipulations). However, even with these tools, analyzing malware behavior is very time-consuming. This report introduces a novel method that identifies common dynamic behavior across several malware instances of different types (as classified by anti-virus software). Results show that the method can greatly reduce analysts' workload by removing overlapping behavior and leaving only the unique (disjoint) behavior for review.
Distribution: Approved for public release

Last Update / Reviewed: February 1, 2012