基於漸增式分群法之惡意程式自動分類研究

Automatic malware classification based on incremental clustering algorithm

近年來網路犯罪份子為了有效地躲避安全機制的檢驗，而不斷地開發惡意程式或是進行變種。現今分析方式大多數都只分析單一二進位檔案型態之惡意程式，無法適合誘捕系統所捕獲到之原始碼與二進位檔混和型態的惡意程式。目前仍然缺少一個有效且快速分析的工具針對誘捕系統所捕獲的惡意程式做分析。本研究提出一個惡意程式分類系統，此系統擷取惡意程式原始碼、以及檔案結構作為特徵值並且使用漸進式分群法分群。本研究利用漸增式的分群法改善階層式分群演算法效率並且藉由惡意程式分群可以知道新捕獲的惡意程式是否屬於已知的分類或是屬於新的類型。本研究與網路上知名病毒偵測與分類平台Virustotal比較以驗證分類準確度，實驗證明本研究所提出的分類優於Virustotal。

In recent years, cybercriminals have developed new malware or variants in order to effectively evade inspection from security mechanisms. Most prior works focused on analyzing malware which contain only single binary file. However, most honeypot captured malware contain several binary and source files. Therefore, existing malware analysis approaches do not suitable for honeypot captured malware. In this research, a novel malware classification approach which analyzes features extracted from malware’s file structure, source code and binary files and file name is proposed. An incremental clustering algorithm is developed to replace traditional hierarchical clustering algorithm for improving efficiency. By means of proposed system, when a honeypot captures a new malware, IT security staff could know whether the new malware belongs to any existing clusters or not. To evaluate the performance of proposed system, the proposed approach is compared with Virustotal- a popular platform for malware detection and classification. The experiment result shows that the proposed approach outperforms Virustotal.