Using N-Gram Variations in Static Analysis for Malware Detection

Abstract

Most of intrusion detection systems nowadays employ signature based analysis that often fails when newer or modified malware versions are brought into play. Intrusion detection systems working with cryptanalysis would offer some advantages against obfuscated code or newly derived viruses based on classic exploits. In this paper, we are applying an index of coincidence approach from cryptanalysis with a N-gram pattern-matching technique on recent binaries, to attempt classification of malicious code. Those characteristics are studied with the use of modern data mining methods, namely K-means, to discover interesting clusters for classification and properties of malicious behavior. The challenges of gathering, working with, learning from and classifying large amounts of virus datasets with different techniques are explored.