AAAI Publications, The Twenty-Sixth International FLAIRS Conference

Inferring Accurate Histories of Malware Evolution from Structural Evidence
Craig Darmetko, Steven Jilcott, John Everett

Last modified: 2013-05-19


An important problem in malware forensics is generating a partial ordering of a collection of variants of a malware program, reflecting the history of the malware's evolution as it is adapted by the original or new authors. Frequently the only temporal clue to which variants were developed earlier is the date on which each was first observed in the wild, which records when a sample was collected rather than when it was written. In the absence of reliable temporal clues, our approach leverages heuristic evidence based on common trends in the evolution of software structure over time. We extract structural features from each variant's binary executable and generate from them three different forms of evidence that one variant is a likely ancestor of another. We then combine this evidence using a truth maintenance system to create a family tree of the malware variants.
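The following is an added illustration of the pipeline the abstract describes (feature extraction, per-pair ancestry evidence, combination into a family tree); it is not the authors' code and the paper's three evidence sources are not specified on this page. The three heuristics used here (function-set containment, import-set containment, and code-size growth), their weights, the acceptance threshold, and the vote-then-cycle-check combination step are all assumptions standing in for the paper's evidence and its truth maintenance system. The variants and their feature sets are constructed, not real samples.

```python
"""Illustrative ancestry inference for malware variants from structural features.

Added example, not the paper's code. Each variant is a constructed feature dict:
a set of function identifiers (think hashes of normalized function bodies), a set
of imported API names, and a code size in bytes. Three heuristic evidence sources
(assumptions chosen here, not the paper's) vote on whether `a` is an ancestor of
`b`; votes are summed, thresholded, checked for contradictions (cycles) and
transitively reduced into a map from each variant to its nearest ancestors.
"""
from typing import Callable, Dict, List, Set, Tuple

Features = Dict[str, object]

# Constructed, hypothetical variants (not real samples).
VARIANTS: Dict[str, Features] = {
    "v1": {"funcs": {"f1", "f2", "f3"},
           "imports": {"CreateFileA", "WriteFile"}, "size": 12000},
    "v2": {"funcs": {"f1", "f2", "f3", "f4"},
           "imports": {"CreateFileA", "WriteFile", "RegSetValueExA"}, "size": 14500},
    "v3": {"funcs": {"f1", "f2", "f3", "f4", "f5", "f6"},
           "imports": {"CreateFileA", "WriteFile", "RegSetValueExA", "InternetOpenA"},
           "size": 19000},
    "v4": {"funcs": {"f1", "f2", "f3", "f7"},
           "imports": {"CreateFileA", "WriteFile", "CryptEncrypt"}, "size": 13800},
}


def _containment(sa: Set[str], sb: Set[str], weight: float) -> float:
    """+weight if sa is a strict subset of sb (b kept everything in a and added),
    -weight for the reverse, 0 when neither contains the other (siblings)."""
    if sa < sb:
        return weight
    if sb < sa:
        return -weight
    return 0.0


def evidence_functions(a: Features, b: Features) -> float:
    return _containment(a["funcs"], b["funcs"], 1.0)


def evidence_imports(a: Features, b: Features) -> float:
    return _containment(a["imports"], b["imports"], 1.0)


def evidence_size(a: Features, b: Features, tolerance: float = 0.05) -> float:
    """Code tends to grow; the 5% margin ignores recompilation noise. Weak
    evidence on its own, so it carries half the weight of containment."""
    if b["size"] > a["size"] * (1 + tolerance):
        return 0.5
    if a["size"] > b["size"] * (1 + tolerance):
        return -0.5
    return 0.0


EVIDENCE: Tuple[Callable[[Features, Features], float], ...] = (
    evidence_functions, evidence_imports, evidence_size)


def ancestry_scores(variants: Dict[str, Features]) -> Dict[Tuple[str, str], float]:
    """Summed evidence that a is an ancestor of b, for every ordered pair."""
    return {(a, b): sum(e(variants[a], variants[b]) for e in EVIDENCE)
            for a in variants for b in variants if a != b}


def _reaches(edges: Dict[str, Set[str]], src: str, dst: str) -> bool:
    stack, seen = [src], set()
    while stack:
        n = stack.pop()
        if n == dst:
            return True
        if n not in seen:
            seen.add(n)
            stack.extend(edges[n])
    return False


def family_tree(variants: Dict[str, Features], threshold: float = 1.5) -> Dict[str, List[str]]:
    """Map each variant to its nearest inferred ancestors (empty list = root).
    Several parents are possible when the evidence cannot order two ancestors."""
    scores = ancestry_scores(variants)
    edges: Dict[str, Set[str]] = {v: set() for v in variants}
    for (a, b), s in scores.items():
        if s >= threshold and s > scores[(b, a)]:
            edges[a].add(b)
    # Contradictory evidence (a before b and b before a) shows up as a cycle.
    for a in variants:
        for b in edges[a]:
            if _reaches(edges, b, a):
                raise ValueError(f"contradictory evidence: {a} and {b} in a cycle")
    # Transitive reduction: keep a->b only if no other child of a reaches b.
    parents: Dict[str, List[str]] = {v: [] for v in variants}
    for a in variants:
        for b in edges[a]:
            if not any(c != b and _reaches(edges, c, b) for c in edges[a]):
                parents[b].append(a)
    return {v: sorted(p) for v, p in parents.items()}


if __name__ == "__main__":
    for child, ancestors in family_tree(VARIANTS).items():
        print(child, "<-", ancestors or "root")
```

On the constructed data v1 is the root, v2 descends from v1 and v3 from v2, while v4 branches off v1 as a sibling of v2: the two later variants share no added functions or imports, so containment gives no vote and the size difference alone stays under the threshold. Real binaries need the feature extraction step the paper performs (disassembly and function normalization) before this comparison makes sense; raw byte sizes and import tables are easily perturbed by packing and recompilation.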

