Abstract
Today, along with the development of the Internet, the number of malicious software programs, or malware, distributed especially for monetary profit, is increasing exponentially, and malware authors are developing malware variants using various automated tools and methods. Automated tools and methods may reuse some modules to develop malware variants, so these reused modules can be used to classify malware or to identify malware families. Therefore, the similarities that may exist among malware variants can be analyzed and used for malware variant detection and family classification. This paper proposes a new malware family classification method that converts binary files into images and entropy graphs. The experimental results show that the proposed method can effectively distinguish malware families.
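As an added illustration of the idea in the abstract (example code written for this page, not the authors' implementation), the snippet below builds a sliding-window entropy graph and a grayscale byte image from constructed byte strings, then compares two "variants" that share a module against an unrelated sample. The window size, image width and the similarity measure are assumptions, since the abstract does not specify them.

```python
import math
import random
from collections import Counter

def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of one chunk in bits per byte (0.0 .. 8.0)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())

def entropy_graph(data: bytes, window: int = 256) -> list:
    """Entropy graph: one entropy value per fixed-size window of the file (window size assumed)."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]

def to_grayscale_image(data: bytes, width: int = 32) -> list:
    """Byte-to-image view: each byte becomes one grayscale pixel, rows of `width` pixels."""
    rows = [list(data[i:i + width]) for i in range(0, len(data), width)]
    if rows and len(rows[-1]) < width:
        rows[-1].extend([0] * (width - len(rows[-1])))  # zero-pad the last row
    return rows

def graph_similarity(g1: list, g2: list) -> float:
    """Assumed measure: 1 minus the mean absolute entropy difference over aligned windows, scaled by 8 bits."""
    n = min(len(g1), len(g2))
    if n == 0:
        return 0.0
    mean_diff = sum(abs(a - b) for a, b in zip(g1[:n], g2[:n])) / n
    return 1.0 - mean_diff / 8.0

# Constructed samples (not real malware): a zero-filled header, a high-entropy
# "packed" module shared by two variants, and a low-entropy text-like tail.
_rng = random.Random(7)
SHARED_MODULE = bytes(_rng.randrange(256) for _ in range(1024))
PADDING = b"\x00" * 512
TEXT_LIKE = bytes(65 + (i % 26) for i in range(512))
VARIANT_A = PADDING + SHARED_MODULE + TEXT_LIKE
VARIANT_B = PADDING + SHARED_MODULE + TEXT_LIKE[::-1]   # same modules, tail rewritten
UNRELATED = TEXT_LIKE * 4                                # no shared module at all

def compare_samples() -> tuple:
    """Return (similarity of A to B, similarity of A to the unrelated sample)."""
    ga, gb, gu = (entropy_graph(s) for s in (VARIANT_A, VARIANT_B, UNRELATED))
    return graph_similarity(ga, gb), graph_similarity(ga, gu)

if __name__ == "__main__":
    print("entropy graph of variant A:", [round(e, 2) for e in entropy_graph(VARIANT_A)])
    print("A~B, A~unrelated:", compare_samples())
```

Variants built from the same module yield near-identical entropy graphs, while the unrelated sample diverges in the padded and packed regions; that gap is what a family classifier built on these graphs relies on.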
Acknowledgments
This research was supported by the MSIP (Ministry of Science, ICT and Future Planning), Korea, under the ITRC (Information Technology Research Center) support program (NIPA-2014-H0301-14-1022) supervised by the NIPA (National IT Industry Promotion Agency).
Han, K.S., Lim, J.H., Kang, B. et al. Malware analysis using visualized images and entropy graphs. Int. J. Inf. Secur. 14, 1–14 (2015). https://doi.org/10.1007/s10207-014-0242-0