Abstract
Malware analysts, and in particular antivirus vendors, never agreed on a single naming convention for malware specimens. This leads to confusion and difficulty—more for researchers than for practitioners—for example, when comparing coverage of different antivirus engines, when integrating and systematizing known threats, or comparing the classifications given by different detectors. Clearly, solving naming inconsistencies is a very difficult task, as it requires that vendors agree on a unified naming convention. More importantly, solving inconsistencies is impossible without knowing exactly where they are. Therefore, in this paper we take a step back and concentrate on the problem of finding inconsistencies. To this end, we first represent each vendor’s naming convention with a graph-based model. Second, we give a precise definition of inconsistency with respect to these models. Third, we define two quantitative measures to calculate the overall degree of inconsistency between vendors. In addition, we propose a fast algorithm that finds non-trivial (i.e., beyond syntactic differences) inconsistencies. Our experiments on four major antivirus vendors and 98,798 real-world malware samples confirm anecdotal observations that different vendors name viruses differently. More importantly, we were able to find inconsistencies that cannot be inferred at all by looking solely at the syntax.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Carr, J.: Inside Cyber Warfare: Mapping the Cyber Underworld. O’Reilly Media, Inc. (2009)
Cova, M., Kruegel, C., Vigna, G.: Detection and analysis of drive-by-download attacks and malicious javascript code. In: WWW, pp. 281–290. ACM, New York (2010)
Kelchner, T.: The (in)consistent naming of malcode. Comp. Fraud & Security (2), 5–7 (2010)
Bailey, M., Oberheide, J., Andersen, J., Mao, Z.M., Jahanian, F., Nazario, J.: Automated classification and analysis of internet malware. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 178–197. Springer, Heidelberg (2007)
Harley, D.: The game of the name malware naming, shape shifters and sympathetic magic. In: CEET 3rd Intl. Conf. on Cybercrime Forensics Education & Training, San Diego, CA (2009)
Goldberg, M.K., Hayvanovych, M., Magdon-Ismail, M.: Measuring similarity between sets of overlapping clusters. In: SocialCom, Minneapolis, MN (August 2010)
Tarjan, R.: Depth-First Search and Linear Graph Algorithms. SIAM J. on Comp. 1(2) (1972)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Maggi, F., Bellini, A., Salvaneschi, G., Zanero, S. (2011). Finding Non-trivial Malware Naming Inconsistencies. In: Jajodia, S., Mazumdar, C. (eds) Information Systems Security. ICISS 2011. Lecture Notes in Computer Science, vol 7093. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25560-1_10
Download citation
DOI: https://doi.org/10.1007/978-3-642-25560-1_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-25559-5
Online ISBN: 978-3-642-25560-1
eBook Packages: Computer ScienceComputer Science (R0)