Abstract
Nowadays AV laboratories are saturated with huge collections of malware which are received daily. It’s a fact that the industry needs better methods to automatically identify, analyse and classify these volumes of samples. AV laboratories cannot continue working as they did years ago (or even months ago). In this paper we will describe an automated classification system to identify files with similar internal structures. We will use graph theory as a way to identify similar functions among malware samples. This system helps to minimize human error and false positive detection. Previous research with graph theory has proven to be useful in finding similarities between malware variants [1]; however, these systems don’t have good performance. To solve the performance problem we will discuss some methods that can be used for this purpose: an algorithm (based on entropy and a custom checksum in order to group similar files) and a grid computing system [2].
Cite
Briones, I., & Gomez, A. (2008). Graphs, entropy and grid computing: Automatic comparison of malware. In Virus Bulletin Conference (pp. 1–12). Retrieved from http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2008/10/07/IsmaelBriones-VB2008.pdf