Malware Characterization Using Behavioral Components

  • Chaitanya Yavvari
  • Arnur Tokhtabayev
  • Huzefa Rangwala
  • Angelos Stavrou
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7531)


Over the past years, we have experienced an increase in the quantity and complexity of malware binaries. This change has been fueled by the introduction of malware generation tools and reuse of different malcode modules. Recent malware appears to be highly modular and less functionally typified. A side-effect of this “composition” of components across different malware types, a growing number of new malware samples cannot be explicitly assigned to traditional classes defined by Anti-Virus (AV) vendors. Indeed, by nature, clustering techniques capture dominant behavior that could be a manifestation of only one of the malware component failing to reveal malware similarities that depend on other, less dominant components and other evolutionary traits.

In this paper, we introduce a novel malware behavioral commonality analysis scheme that takes into consideration component-wise grouping, called behavioral mapping. Our effort attempts to shed light to malware behavioral relationships and go beyond simply clustering the malware into a family. To this end, we implemented a method for identifying soft clusters and reveal shared malware components and traits. Using our method, we demonstrate that a malware sample can belong to several groups (clusters), implying sharing of its respective components with other samples from the groups. We performed experiments with a large corpus of real-world malware data-sets and identified that we can successfully highlight malware component relationships across the existing AV malware families and variants.


Behavioral clustering malware component analysis 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bailey, M., Oberheide, J., Andersen, J., Mao, M., Jahanian, F., Nazario, J.: Automated Classification and Analysis of Internet Malware (2007)Google Scholar
  2. 2.
    Bayer, U., Comparetti, P.M., Hlauschek, C., Kruegel, C., Kirda, E.: Scalable, Behavior-Based Malware Clustering. In: NDSS (2009)Google Scholar
  3. 3.
    Egele, M., Scholte, T., Kirda, E., Kruegel, C.: A survey on automated dynamic malware-analysis techniques and tools. ACM Comput. Surv. 44(2), 6:1–6:42 (2008)CrossRefGoogle Scholar
  4. 4.
    Falliere, N., Murchu, L.O., Chien, E.: W32.stuxnet dossier, White paper (2011),
  5. 5.
    Gusfield, D.: Algorithms on Strings, Trees, and Sequences - Computer Science and Computational Biology. Cambridge University Press (1997)Google Scholar
  6. 6.
    IOActive. Reversal and Analysis of Zeus and SpyEye Banking Trojans. Technical report, IOActive (2012)Google Scholar
  7. 7.
    Jacob, G., Debar, H., Filiol, E.: Behavioral detection of malware: from a survey towards an established taxonomy. Journal in Computer Virology 4, 251–266 (2008), doi:10.1007/s11416-008-0086-0CrossRefGoogle Scholar
  8. 8.
    Jang, J., Brumley, D., Venkataraman, S.: Bitshred: feature hashing malware for scalable triage and semantic analysis. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 309–320. ACM (2011)Google Scholar
  9. 9.
    The flame: Questions and answers (May 2012),
  10. 10.
    New malware classification system, (accessed, June 2012)
  11. 11.
    Rules for naming detected objects, (accessed, 2012)
  12. 12.
    Kirillov, I., Beck, D., Chase, P., Martin, R.: Malware attribute enumeration and characterizationGoogle Scholar
  13. 13.
    Langfelder, P., Zhang, B., Horvath, S.: Defining clusters from a hierarchical cluster tree: the dynamic tree cut package for r. Bioinformatics 24(5), 719–720 (2008)CrossRefGoogle Scholar
  14. 14.
    Li, P., Liu, L., Gao, D., Reiter, M.K.: On Challenges in Evaluating Malware Clustering. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 238–255. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  15. 15.
    Rieck, K., Trinius, P., Willems, C., Holz, T.: Automatic analysis of malware behavior using machine learning. Journal of Computer Security 19(4), 639–668 (2011)Google Scholar
  16. 16.
    RSA. The Current State of Cybercrime and What to Expect in 2012. Technical report, RSA (2012)Google Scholar
  17. 17.
    Trinius, P., Holz, T., Gobel, J., Freiling, F.C.: Visual analysis of malware behavior using treemaps and thread graphs. In: 2009 6th International Workshop on Visualization for Cyber Security, 33–38 (2009)Google Scholar
  18. 18.
    Ukkonen, E.: Constructing suffix trees on-line in linear time. In: IFIP Congress (1), pp. 484–492 (1992)Google Scholar
  19. 19.
    Wagener, G., State, R., Dulaunoy, A.: Malware behaviour analysis. Journal in Computer Virology 4(4), 279–287 (2007)CrossRefGoogle Scholar
  20. 20.
    Ye, Y., Li, T., Chen, Y., Jiang, Q.: Automatic malware categorization using cluster ensemble. In: Proceedings of the 16th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, KDD 2010, pp. 95–104. ACM, New York (2010)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Chaitanya Yavvari
    • 1
  • Arnur Tokhtabayev
    • 1
  • Huzefa Rangwala
    • 1
  • Angelos Stavrou
    • 1
  1. 1.Computer Science DepartmentGeorge Mason UniversityFairfaxUSA

Personalised recommendations