TY - JOUR
T1 - Fuzzy-import hashing
T2 - A static analysis technique for malware detection
AU - Naik, Nitin
AU - Jenkins, Paul
AU - Savage, Nick
AU - Yang, Longzhi
AU - Boongoen, Tossapon
AU - Iam-On, Natthakan
N1 - Publisher Copyright:
© 2021 Elsevier Ltd
PY - 2021/4/1
Y1 - 2021/4/1
N2 - The advent of new malware types and their attack vectors poses serious challenges for security experts in discovering effective malware detection and analysis techniques. The preliminary step in malware analysis is filtering out samples of counterfeit malware from the suspicious samples by classifying them into most likely and unlikely malware categories. This will enable effective utilisation of resources and expertise for the most likely category of samples in subsequent stages and avoid nugatory effort. This process requires a very fast and resource-optimised method as it is applied on a large sample size. Fuzzy hashing and import hashing methods satisfy these requirements of malware analysis, though, with some limitations. Therefore, the proper integration of these methods, may overcome some of the limitations and improve the detection accuracy without affecting the overall performance of analysis. Hence, this paper proposes a fuzzy-import hashing technique, which is the integration of two methods, namely, fuzzy hashing and import hashing. This integration can offer several benefits such as an improved detection rate by complementing each other when one method cannot detect malware, then the other method can; and the generation of fuzzfied results for subsequent clustering or classification, as the import hashing result can be easily merged with the fuzzy hashing result. The success of this proposed fuzzy-import hashing method is demonstrated through several experiments namely: on the collected malware and goodware corpus; a comparative evaluation against the established YARA rules and application in fuzzy c-means clustering.
AB - The advent of new malware types and their attack vectors poses serious challenges for security experts in discovering effective malware detection and analysis techniques. The preliminary step in malware analysis is filtering out samples of counterfeit malware from the suspicious samples by classifying them into most likely and unlikely malware categories. This will enable effective utilisation of resources and expertise for the most likely category of samples in subsequent stages and avoid nugatory effort. This process requires a very fast and resource-optimised method as it is applied on a large sample size. Fuzzy hashing and import hashing methods satisfy these requirements of malware analysis, though, with some limitations. Therefore, the proper integration of these methods, may overcome some of the limitations and improve the detection accuracy without affecting the overall performance of analysis. Hence, this paper proposes a fuzzy-import hashing technique, which is the integration of two methods, namely, fuzzy hashing and import hashing. This integration can offer several benefits such as an improved detection rate by complementing each other when one method cannot detect malware, then the other method can; and the generation of fuzzfied results for subsequent clustering or classification, as the import hashing result can be easily merged with the fuzzy hashing result. The success of this proposed fuzzy-import hashing method is demonstrated through several experiments namely: on the collected malware and goodware corpus; a comparative evaluation against the established YARA rules and application in fuzzy c-means clustering.
KW - Fuzzy C-Means clustering
KW - Fuzzy hashing
KW - Fuzzy-import hashing
KW - Import hashing
KW - Malware analysis
KW - Ransomware
KW - YARA Rules
UR - http://www.scopus.com/inward/record.url?scp=85103665375&partnerID=8YFLogxK
U2 - 10.1016/j.fsidi.2021.301139
DO - 10.1016/j.fsidi.2021.301139
M3 - Article
AN - SCOPUS:85103665375
SN - 2666-2825
VL - 37
JO - Forensic Science International: Digital Investigation
JF - Forensic Science International: Digital Investigation
M1 - 301139
ER -