Exploration server for computer-science research in Lorraine

Warning: this site is under development!
Warning: this site is generated automatically from raw corpora.
The information has therefore not been validated.

Malware behaviour analysis

Internal identifier: 003262 (Istex/Corpus); previous: 003261; next: 003263

Authors: Gérard Wagener; Radu State; Alexandre Dulaunoy

Source:

RBID : ISTEX:D478A0F873D565DA931BEA45AC50395FB3674583

Abstract

Several malware analysis techniques suppose that the disassembled code of a piece of malware is available, which is however not always possible. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed, which allows malware behaviours to be classified. The main features of our approach reside in coupling a sequence alignment method to compute similarities and leveraging the Hellinger distance to compute associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and the evolution of malware. This is relevant when dealing with obfuscated malware variants that often have similar behaviour. The phylogenetic trees were assessed using known antivirus results and only a few malware behaviours were wrongly classified.
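The pipeline the abstract describes, as an added example that is not the authors' code: a per-sample trace of system/API calls recorded in a sandbox, a sequence-alignment similarity between traces, a Hellinger distance between the samples' call-frequency distributions, and an agglomerative tree built over the combined distance. The Needleman-Wunsch scoring (+1/-1/-1), the clipping of the alignment score to [0, 1], the 50/50 blend of the two distances, and the average-linkage (UPGMA-style) tree are assumptions made for this demo, not parameters taken from the paper. The three API-call traces are constructed, not real samples: sample_B is sample_A with one extra call, the way an obfuscated variant looks from the outside, while sample_C behaves differently.

```python
"""Behaviour-based malware comparison over sandbox system-call traces.

Added example, not the authors' code. Steps, as in the abstract:
(1) one trace of API calls per sample, (2) sequence-alignment similarity
between traces, (3) Hellinger distance between call distributions,
(4) an agglomerative tree over the blended distance. Scoring, blend and
linkage are assumed choices for the demo, not the paper's parameters.
"""
from collections import Counter
from math import sqrt

# Constructed traces (not real samples): ordered API calls observed per run.
TRACES = {
    "sample_A": ["CreateFileW", "WriteFile", "RegSetValueExW", "CreateProcessW",
                 "WSAStartup", "connect", "send"],
    "sample_B": ["CreateFileW", "WriteFile", "RegSetValueExW", "Sleep",
                 "CreateProcessW", "WSAStartup", "connect", "send"],
    "sample_C": ["FindFirstFileW", "FindNextFileW", "CopyFileW", "CopyFileW",
                 "DeleteFileW", "ExitProcess"],
}

MATCH, MISMATCH, GAP = 1, -1, -1  # assumed Needleman-Wunsch scoring


def align_score(a, b):
    """Global (Needleman-Wunsch) alignment score between two call sequences."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        dp[i][0] = i * GAP
    for j in range(1, m + 1):
        dp[0][j] = j * GAP
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = dp[i - 1][j - 1] + (MATCH if a[i - 1] == b[j - 1] else MISMATCH)
            dp[i][j] = max(sub, dp[i - 1][j] + GAP, dp[i][j - 1] + GAP)
    return dp[n][m]


def similarity(a, b):
    """Alignment score scaled to [0, 1]: 1 for identical traces, 0 when nothing aligns."""
    return max(0, align_score(a, b)) / (max(len(a), len(b)) * MATCH)


def call_distribution(trace):
    """Relative frequency of each API call in a trace."""
    counts = Counter(trace)
    return {call: n / len(trace) for call, n in counts.items()}


def hellinger(p, q):
    """Hellinger distance between two discrete distributions, in [0, 1]."""
    calls = set(p) | set(q)
    return sqrt(sum((sqrt(p.get(c, 0.0)) - sqrt(q.get(c, 0.0))) ** 2 for c in calls)) / sqrt(2)


def pairwise_distances(traces, weight=0.5):
    """Blend both views (assumed 50/50): weight*(1-similarity) + (1-weight)*Hellinger."""
    names = list(traces)
    dist = {}
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            d_seq = 1.0 - similarity(traces[x], traces[y])
            d_hel = hellinger(call_distribution(traces[x]), call_distribution(traces[y]))
            dist[(x, y)] = weight * d_seq + (1.0 - weight) * d_hel
    return dist


def build_tree(traces):
    """Average-linkage agglomerative clustering (UPGMA-style) over the blended
    distance; returns nested tuples (left, right, merge_height)."""
    leaf = pairwise_distances(traces)

    def ld(x, y):  # leaf-to-leaf distance, order-independent lookup
        return 0.0 if x == y else leaf[(x, y) if (x, y) in leaf else (y, x)]

    clusters = {n: [n] for n in traces}  # cluster id -> member leaves
    tree = {n: n for n in traces}        # cluster id -> subtree

    def cd(a, b):  # average linkage between two clusters
        pairs = [(x, y) for x in clusters[a] for y in clusters[b]]
        return sum(ld(x, y) for x, y in pairs) / len(pairs)

    while len(clusters) > 1:
        ids = list(clusters)
        a, b = min(((x, y) for i, x in enumerate(ids) for y in ids[i + 1:]),
                   key=lambda p: cd(*p))
        height = round(cd(a, b), 3)
        merged = clusters.pop(a) + clusters.pop(b)
        clusters[a + "+" + b] = merged
        tree[a + "+" + b] = (tree.pop(a), tree.pop(b), height)
    return tree[next(iter(clusters))]


if __name__ == "__main__":
    for (x, y), d in pairwise_distances(TRACES).items():
        print(f"{x} vs {y}: blended distance {d:.3f}")
    print("tree:", build_tree(TRACES))
```

On these traces the alignment tolerates the inserted Sleep call (one gap against seven matches), the Hellinger distance stays low because the call frequencies barely shift, and the two variants merge first in the tree while sample_C, which shares no calls with either, sits at the maximum distance of 1. The point the abstract makes is visible here: an obfuscated variant that changes its bytes but not its behaviour still lands next to its relatives, which is exactly what a static, disassembly-based comparison would miss.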

Url:
DOI: 10.1007/s11416-007-0074-9

Links to Exploration step

ISTEX:D478A0F873D565DA931BEA45AC50395FB3674583

The document in XML format

<record>
<TEI wicri:istexFullTextTei="biblStruct">
<teiHeader>
<fileDesc>
<titleStmt>
<title xml:lang="en">Malware behaviour analysis</title>
<author>
<name sortKey="Wagener, Gerard" sort="Wagener, Gerard" uniqKey="Wagener G" first="Gérard" last="Wagener">Gérard Wagener</name>
<affiliation>
<mods:affiliation>LORIA-INRIA, Vandoeuvre, France</mods:affiliation>
</affiliation>
<affiliation>
<mods:affiliation>E-mail: gerard.wagener@gmail.com</mods:affiliation>
</affiliation>
</author>
<author>
<name sortKey="State, Radu" sort="State, Radu" uniqKey="State R" first="Radu" last="State">Radu State</name>
<affiliation>
<mods:affiliation>INRIA, Le Chesnay Cedex, France</mods:affiliation>
</affiliation>
<affiliation>
<mods:affiliation>E-mail: state@loria.fr</mods:affiliation>
</affiliation>
</author>
<author>
<name sortKey="Dulaunoy, Alexandre" sort="Dulaunoy, Alexandre" uniqKey="Dulaunoy A" first="Alexandre" last="Dulaunoy">Alexandre Dulaunoy</name>
<affiliation>
<mods:affiliation>CSRRT-LU, Luxembourg, Luxembourg</mods:affiliation>
</affiliation>
<affiliation>
<mods:affiliation>E-mail: a@foo.be</mods:affiliation>
</affiliation>
</author>
</titleStmt>
<publicationStmt>
<idno type="wicri:source">ISTEX</idno>
<idno type="RBID">ISTEX:D478A0F873D565DA931BEA45AC50395FB3674583</idno>
<date when="2007" year="2007">2007</date>
<idno type="doi">10.1007/s11416-007-0074-9</idno>
<idno type="url">https://api.istex.fr/ark:/67375/VQC-RCSJCS7V-3/fulltext.pdf</idno>
<idno type="wicri:Area/Istex/Corpus">003262</idno>
<idno type="wicri:explorRef" wicri:stream="Istex" wicri:step="Corpus" wicri:corpus="ISTEX">003262</idno>
</publicationStmt>
<sourceDesc>
<biblStruct>
<analytic>
<title level="a" type="main" xml:lang="en">Malware behaviour analysis</title>
<author>
<name sortKey="Wagener, Gerard" sort="Wagener, Gerard" uniqKey="Wagener G" first="Gérard" last="Wagener">Gérard Wagener</name>
<affiliation>
<mods:affiliation>LORIA-INRIA, Vandoeuvre, France</mods:affiliation>
</affiliation>
<affiliation>
<mods:affiliation>E-mail: gerard.wagener@gmail.com</mods:affiliation>
</affiliation>
</author>
<author>
<name sortKey="State, Radu" sort="State, Radu" uniqKey="State R" first="Radu" last="State">Radu State</name>
<affiliation>
<mods:affiliation>INRIA, Le Chesnay Cedex, France</mods:affiliation>
</affiliation>
<affiliation>
<mods:affiliation>E-mail: state@loria.fr</mods:affiliation>
</affiliation>
</author>
<author>
<name sortKey="Dulaunoy, Alexandre" sort="Dulaunoy, Alexandre" uniqKey="Dulaunoy A" first="Alexandre" last="Dulaunoy">Alexandre Dulaunoy</name>
<affiliation>
<mods:affiliation>CSRRT-LU, Luxembourg, Luxembourg</mods:affiliation>
</affiliation>
<affiliation>
<mods:affiliation>E-mail: a@foo.be</mods:affiliation>
</affiliation>
</author>
</analytic>
<monogr></monogr>
<series>
<title level="j">Journal in Computer Virology</title>
<title level="j" type="abbrev">J Comput Virol</title>
<idno type="ISSN">1772-9890</idno>
<idno type="eISSN">1772-9904</idno>
<imprint>
<publisher>Springer-Verlag</publisher>
<pubPlace>Paris</pubPlace>
<date type="published" when="2008-11-01">2008-11-01</date>
<biblScope unit="volume">4</biblScope>
<biblScope unit="issue">4</biblScope>
<biblScope unit="page" from="279">279</biblScope>
<biblScope unit="page" to="287">287</biblScope>
</imprint>
<idno type="ISSN">1772-9890</idno>
</series>
</biblStruct>
</sourceDesc>
<seriesStmt>
<idno type="ISSN">1772-9890</idno>
</seriesStmt>
</fileDesc>
<profileDesc>
<textClass></textClass>
<langUsage>
<language ident="en">en</language>
</langUsage>
</profileDesc>
</teiHeader>
<front>
<div type="abstract" xml:lang="en">Abstract: Several malware analysis techniques suppose that the disassembled code of a piece of malware is available, which is however not always possible. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed which allows to classify malware behaviours. The main features of our approach reside in coupling a sequence alignment method to compute similarities and leverage the Hellinger distance to compute associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and evolution of malware. This is relevant when dealing with obfuscated malware variants that have often similar behaviour. The phylogenetic trees were assessed using known antivirus results and only a few malware behaviours were wrongly classified.</div>
</front>
</TEI>
<istex>
<corpusName>springer-journals</corpusName>
<author>
<json:item>
<name>Gérard Wagener</name>
<affiliations>
<json:string>LORIA-INRIA, Vandoeuvre, France</json:string>
<json:string>E-mail: gerard.wagener@gmail.com</json:string>
</affiliations>
</json:item>
<json:item>
<name>Radu State</name>
<affiliations>
<json:string>INRIA, Le Chesnay Cedex, France</json:string>
<json:string>E-mail: state@loria.fr</json:string>
</affiliations>
</json:item>
<json:item>
<name>Alexandre Dulaunoy</name>
<affiliations>
<json:string>CSRRT-LU, Luxembourg, Luxembourg</json:string>
<json:string>E-mail: a@foo.be</json:string>
</affiliations>
</json:item>
</author>
<articleId>
<json:string>74</json:string>
<json:string>s11416-007-0074-9</json:string>
</articleId>
<arkIstex>ark:/67375/VQC-RCSJCS7V-3</arkIstex>
<language>
<json:string>eng</json:string>
</language>
<originalGenre>
<json:string>OriginalPaper</json:string>
</originalGenre>
<abstract>Abstract: Several malware analysis techniques suppose that the disassembled code of a piece of malware is available, which is however not always possible. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed which allows to classify malware behaviours. The main features of our approach reside in coupling a sequence alignment method to compute similarities and leverage the Hellinger distance to compute associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and evolution of malware. This is relevant when dealing with obfuscated malware variants that have often similar behaviour. The phylogenetic trees were assessed using known antivirus results and only a few malware behaviours were wrongly classified.</abstract>
<qualityIndicators>
<refBibsNative>false</refBibsNative>
<abstractWordCount>146</abstractWordCount>
<abstractCharCount>1010</abstractCharCount>
<keywordCount>0</keywordCount>
<score>8.726</score>
<pdfWordCount>4974</pdfWordCount>
<pdfCharCount>28613</pdfCharCount>
<pdfVersion>1.3</pdfVersion>
<pdfPageCount>9</pdfPageCount>
<pdfPageSize>595.276 x 790.866 pts</pdfPageSize>
</qualityIndicators>
<title>Malware behaviour analysis</title>
<genre>
<json:string>research-article</json:string>
</genre>
<host>
<title>Journal in Computer Virology</title>
<language>
<json:string>unknown</json:string>
</language>
<publicationDate>2008</publicationDate>
<copyrightDate>2008</copyrightDate>
<issn>
<json:string>1772-9890</json:string>
</issn>
<eissn>
<json:string>1772-9904</json:string>
</eissn>
<journalId>
<json:string>11416</json:string>
</journalId>
<volume>4</volume>
<issue>4</issue>
<pages>
<first>279</first>
<last>287</last>
</pages>
<genre>
<json:string>journal</json:string>
</genre>
<subject>
<json:item>
<value>Computer Science, general</value>
</json:item>
</subject>
</host>
<ark>
<json:string>ark:/67375/VQC-RCSJCS7V-3</json:string>
</ark>
<publicationDate>2008</publicationDate>
<copyrightDate>2007</copyrightDate>
<doi>
<json:string>10.1007/s11416-007-0074-9</json:string>
</doi>
<id>D478A0F873D565DA931BEA45AC50395FB3674583</id>
<score>1</score>
<fulltext>
<json:item>
<extension>pdf</extension>
<original>true</original>
<mimetype>application/pdf</mimetype>
<uri>https://api.istex.fr/ark:/67375/VQC-RCSJCS7V-3/fulltext.pdf</uri>
</json:item>
<json:item>
<extension>zip</extension>
<original>false</original>
<mimetype>application/zip</mimetype>
<uri>https://api.istex.fr/ark:/67375/VQC-RCSJCS7V-3/bundle.zip</uri>
</json:item>
<istex:fulltextTEI uri="https://api.istex.fr/ark:/67375/VQC-RCSJCS7V-3/fulltext.tei">
<teiHeader>
<fileDesc>
<titleStmt>
<title level="a" type="main" xml:lang="en">Malware behaviour analysis</title>
</titleStmt>
<publicationStmt>
<authority>ISTEX</authority>
<publisher scheme="https://scientific-publisher.data.istex.fr">Springer-Verlag</publisher>
<pubPlace>Paris</pubPlace>
<availability>
<licence>
<p>Springer-Verlag France, 2007</p>
</licence>
<p scheme="https://loaded-corpus.data.istex.fr/ark:/67375/XBH-3XSW68JL-F">springer</p>
</availability>
<date>2007-07-01</date>
</publicationStmt>
<notesStmt>
<note type="research-article" scheme="https://content-type.data.istex.fr/ark:/67375/XTP-1JC4F85T-7">research-article</note>
<note type="journal" scheme="https://publication-type.data.istex.fr/ark:/67375/JMC-0GLKJH51-B">journal</note>
<note>Original Paper</note>
</notesStmt>
<sourceDesc>
<biblStruct type="inbook">
<analytic>
<title level="a" type="main" xml:lang="en">Malware behaviour analysis</title>
<author xml:id="author-0000">
<persName>
<forename type="first">Gérard</forename>
<surname>Wagener</surname>
</persName>
<email>gerard.wagener@gmail.com</email>
<affiliation>LORIA-INRIA, Vandoeuvre, France</affiliation>
</author>
<author xml:id="author-0001" corresp="yes">
<persName>
<forename type="first">Radu</forename>
<surname>State</surname>
</persName>
<email>state@loria.fr</email>
<affiliation>INRIA, Le Chesnay Cedex, France</affiliation>
</author>
<author xml:id="author-0002">
<persName>
<forename type="first">Alexandre</forename>
<surname>Dulaunoy</surname>
</persName>
<email>a@foo.be</email>
<affiliation>CSRRT-LU, Luxembourg, Luxembourg</affiliation>
</author>
<idno type="istex">D478A0F873D565DA931BEA45AC50395FB3674583</idno>
<idno type="ark">ark:/67375/VQC-RCSJCS7V-3</idno>
<idno type="DOI">10.1007/s11416-007-0074-9</idno>
<idno type="article-id">74</idno>
<idno type="article-id">s11416-007-0074-9</idno>
</analytic>
<monogr>
<title level="j">Journal in Computer Virology</title>
<title level="j" type="abbrev">J Comput Virol</title>
<idno type="pISSN">1772-9890</idno>
<idno type="eISSN">1772-9904</idno>
<idno type="journal-ID">true</idno>
<idno type="issue-article-count">7</idno>
<idno type="volume-issue-count">4</idno>
<imprint>
<publisher>Springer-Verlag</publisher>
<pubPlace>Paris</pubPlace>
<date type="published" when="2008-11-01"></date>
<biblScope unit="volume">4</biblScope>
<biblScope unit="issue">4</biblScope>
<biblScope unit="page" from="279">279</biblScope>
<biblScope unit="page" to="287">287</biblScope>
</imprint>
</monogr>
</biblStruct>
</sourceDesc>
</fileDesc>
<profileDesc>
<creation>
<date>2007-07-01</date>
</creation>
<langUsage>
<language ident="en">en</language>
</langUsage>
<abstract xml:lang="en">
<p>Abstract: Several malware analysis techniques suppose that the disassembled code of a piece of malware is available, which is however not always possible. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed which allows to classify malware behaviours. The main features of our approach reside in coupling a sequence alignment method to compute similarities and leverage the Hellinger distance to compute associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and evolution of malware. This is relevant when dealing with obfuscated malware variants that have often similar behaviour. The phylogenetic trees were assessed using known antivirus results and only a few malware behaviours were wrongly classified.</p>
</abstract>
<textClass>
<keywords scheme="Journal Subject">
<list>
<head>Computer Science</head>
<item>
<term>Computer Science, general</term>
</item>
</list>
</keywords>
</textClass>
</profileDesc>
<revisionDesc>
<change when="2007-07-01">Created</change>
<change when="2008-11-01">Published</change>
</revisionDesc>
</teiHeader>
</istex:fulltextTEI>
<json:item>
<extension>txt</extension>
<original>false</original>
<mimetype>text/plain</mimetype>
<uri>https://api.istex.fr/ark:/67375/VQC-RCSJCS7V-3/fulltext.txt</uri>
</json:item>
</fulltext>
<metadata>
<istex:metadataXml wicri:clean="corpus springer-journals not found" wicri:toSee="no header">
<istex:xmlDeclaration>version="1.0" encoding="UTF-8"</istex:xmlDeclaration>
<istex:docType PUBLIC="-//Springer-Verlag//DTD A++ V2.4//EN" URI="http://devel.springer.de/A++/V2.4/DTD/A++V2.4.dtd" name="istex:docType"></istex:docType>
<istex:document>
<Publisher>
<PublisherInfo>
<PublisherName>Springer-Verlag</PublisherName>
<PublisherLocation>Paris</PublisherLocation>
</PublisherInfo>
<Journal OutputMedium="All">
<JournalInfo JournalProductType="ArchiveJournal" NumberingStyle="ContentOnly">
<JournalID>11416</JournalID>
<JournalPrintISSN>1772-9890</JournalPrintISSN>
<JournalElectronicISSN>1772-9904</JournalElectronicISSN>
<JournalTitle>Journal in Computer Virology</JournalTitle>
<JournalAbbreviatedTitle>J Comput Virol</JournalAbbreviatedTitle>
<JournalSubjectGroup>
<JournalSubject Type="Primary">Computer Science</JournalSubject>
<JournalSubject Type="Secondary">Computer Science, general </JournalSubject>
</JournalSubjectGroup>
</JournalInfo>
<Volume OutputMedium="All">
<VolumeInfo TocLevels="0" VolumeType="Regular">
<VolumeIDStart>4</VolumeIDStart>
<VolumeIDEnd>4</VolumeIDEnd>
<VolumeIssueCount>4</VolumeIssueCount>
</VolumeInfo>
<Issue IssueType="Regular" OutputMedium="All">
<IssueInfo IssueType="Regular" TocLevels="0">
<IssueIDStart>4</IssueIDStart>
<IssueIDEnd>4</IssueIDEnd>
<IssueArticleCount>7</IssueArticleCount>
<IssueHistory>
<OnlineDate>
<Year>2008</Year>
<Month>10</Month>
<Day>21</Day>
</OnlineDate>
<PrintDate>
<Year>2008</Year>
<Month>10</Month>
<Day>20</Day>
</PrintDate>
<CoverDate>
<Year>2008</Year>
<Month>11</Month>
</CoverDate>
<PricelistYear>2008</PricelistYear>
</IssueHistory>
<IssueCopyright>
<CopyrightHolderName>Springer-Verlag France</CopyrightHolderName>
<CopyrightYear>2008</CopyrightYear>
</IssueCopyright>
</IssueInfo>
<Article ID="s11416-007-0074-9" OutputMedium="All">
<ArticleInfo ArticleType="OriginalPaper" ContainsESM="No" Language="En" NumberingStyle="ContentOnly" TocLevels="0">
<ArticleID>74</ArticleID>
<ArticleDOI>10.1007/s11416-007-0074-9</ArticleDOI>
<ArticleSequenceNumber>2</ArticleSequenceNumber>
<ArticleTitle Language="En" OutputMedium="All">Malware behaviour analysis</ArticleTitle>
<ArticleCategory>Original Paper</ArticleCategory>
<ArticleFirstPage>279</ArticleFirstPage>
<ArticleLastPage>287</ArticleLastPage>
<ArticleHistory>
<RegistrationDate>
<Year>2007</Year>
<Month>11</Month>
<Day>22</Day>
</RegistrationDate>
<Received>
<Year>2007</Year>
<Month>7</Month>
<Day>1</Day>
</Received>
<Revised>
<Year>2007</Year>
<Month>11</Month>
<Day>11</Day>
</Revised>
<Accepted>
<Year>2007</Year>
<Month>11</Month>
<Day>21</Day>
</Accepted>
<OnlineDate>
<Year>2007</Year>
<Month>12</Month>
<Day>8</Day>
</OnlineDate>
</ArticleHistory>
<ArticleCopyright>
<CopyrightHolderName>Springer-Verlag France</CopyrightHolderName>
<CopyrightYear>2007</CopyrightYear>
</ArticleCopyright>
<ArticleGrants Type="Regular">
<MetadataGrant Grant="OpenAccess"></MetadataGrant>
<AbstractGrant Grant="OpenAccess"></AbstractGrant>
<BodyPDFGrant Grant="Restricted"></BodyPDFGrant>
<BodyHTMLGrant Grant="Restricted"></BodyHTMLGrant>
<BibliographyGrant Grant="Restricted"></BibliographyGrant>
<ESMGrant Grant="Restricted"></ESMGrant>
</ArticleGrants>
</ArticleInfo>
<ArticleHeader>
<AuthorGroup>
<Author AffiliationIDS="Aff1">
<AuthorName DisplayOrder="Western">
<GivenName>Gérard</GivenName>
<FamilyName>Wagener</FamilyName>
</AuthorName>
<Contact>
<Email>gerard.wagener@gmail.com</Email>
</Contact>
</Author>
<Author AffiliationIDS="Aff2" CorrespondingAffiliationID="Aff2">
<AuthorName DisplayOrder="Western">
<GivenName>Radu</GivenName>
<FamilyName>State</FamilyName>
</AuthorName>
<Contact>
<Email>state@loria.fr</Email>
</Contact>
</Author>
<Author AffiliationIDS="Aff3">
<AuthorName DisplayOrder="Western">
<GivenName>Alexandre</GivenName>
<FamilyName>Dulaunoy</FamilyName>
</AuthorName>
<Contact>
<Email>a@foo.be</Email>
</Contact>
</Author>
<Affiliation ID="Aff1">
<OrgName>LORIA-INRIA</OrgName>
<OrgAddress>
<City>Vandoeuvre</City>
<Country Code="FR">France</Country>
</OrgAddress>
</Affiliation>
<Affiliation ID="Aff2">
<OrgName>INRIA</OrgName>
<OrgAddress>
<City>Le Chesnay Cedex</City>
<Country Code="FR">France</Country>
</OrgAddress>
</Affiliation>
<Affiliation ID="Aff3">
<OrgName>CSRRT-LU</OrgName>
<OrgAddress>
<City>Luxembourg</City>
<Country Code="LU">Luxembourg</Country>
</OrgAddress>
</Affiliation>
</AuthorGroup>
<Abstract ID="Abs1" Language="En" OutputMedium="All">
<Heading>Abstract</Heading>
<Para>Several malware analysis techniques suppose that the disassembled code of a piece of malware is available, which is however not always possible. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed which allows to classify malware behaviours. The main features of our approach reside in coupling a sequence alignment method to compute similarities and leverage the Hellinger distance to compute associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and evolution of malware. This is relevant when dealing with obfuscated malware variants that have often similar behaviour. The phylogenetic trees were assessed using known antivirus results and only a few malware behaviours were wrongly classified.</Para>
</Abstract>
</ArticleHeader>
<NoBody></NoBody>
</Article>
</Issue>
</Volume>
</Journal>
</Publisher>
</istex:document>
</istex:metadataXml>
<mods version="3.6">
<titleInfo lang="en">
<title>Malware behaviour analysis</title>
</titleInfo>
<titleInfo type="alternative" contentType="CDATA">
<title>Malware behaviour analysis</title>
</titleInfo>
<name type="personal">
<namePart type="given">Gérard</namePart>
<namePart type="family">Wagener</namePart>
<affiliation>LORIA-INRIA, Vandoeuvre, France</affiliation>
<affiliation>E-mail: gerard.wagener@gmail.com</affiliation>
<role>
<roleTerm type="text">author</roleTerm>
</role>
</name>
<name type="personal" displayLabel="corresp">
<namePart type="given">Radu</namePart>
<namePart type="family">State</namePart>
<affiliation>INRIA, Le Chesnay Cedex, France</affiliation>
<affiliation>E-mail: state@loria.fr</affiliation>
<role>
<roleTerm type="text">author</roleTerm>
</role>
</name>
<name type="personal">
<namePart type="given">Alexandre</namePart>
<namePart type="family">Dulaunoy</namePart>
<affiliation>CSRRT-LU, Luxembourg, Luxembourg</affiliation>
<affiliation>E-mail: a@foo.be</affiliation>
<role>
<roleTerm type="text">author</roleTerm>
</role>
</name>
<typeOfResource>text</typeOfResource>
<genre type="research-article" displayLabel="OriginalPaper" authority="ISTEX" authorityURI="https://content-type.data.istex.fr" valueURI="https://content-type.data.istex.fr/ark:/67375/XTP-1JC4F85T-7">research-article</genre>
<originInfo>
<publisher>Springer-Verlag</publisher>
<place>
<placeTerm type="text">Paris</placeTerm>
</place>
<dateCreated encoding="w3cdtf">2007-07-01</dateCreated>
<dateIssued encoding="w3cdtf">2008-11-01</dateIssued>
<copyrightDate encoding="w3cdtf">2007</copyrightDate>
</originInfo>
<language>
<languageTerm type="code" authority="rfc3066">en</languageTerm>
<languageTerm type="code" authority="iso639-2b">eng</languageTerm>
</language>
<abstract lang="en">Abstract: Several malware analysis techniques suppose that the disassembled code of a piece of malware is available, which is however not always possible. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed which allows to classify malware behaviours. The main features of our approach reside in coupling a sequence alignment method to compute similarities and leverage the Hellinger distance to compute associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and evolution of malware. This is relevant when dealing with obfuscated malware variants that have often similar behaviour. The phylogenetic trees were assessed using known antivirus results and only a few malware behaviours were wrongly classified.</abstract>
<note>Original Paper</note>
<relatedItem type="host">
<titleInfo>
<title>Journal in Computer Virology</title>
</titleInfo>
<titleInfo type="abbreviated">
<title>J Comput Virol</title>
</titleInfo>
<genre type="journal" authority="ISTEX" authorityURI="https://publication-type.data.istex.fr" valueURI="https://publication-type.data.istex.fr/ark:/67375/JMC-0GLKJH51-B">journal</genre>
<originInfo>
<publisher>Springer</publisher>
<dateIssued encoding="w3cdtf">2008-10-21</dateIssued>
<copyrightDate encoding="w3cdtf">2008</copyrightDate>
</originInfo>
<subject>
<genre>Computer Science</genre>
<topic>Computer Science, general</topic>
</subject>
<identifier type="ISSN">1772-9890</identifier>
<identifier type="eISSN">1772-9904</identifier>
<identifier type="JournalID">11416</identifier>
<identifier type="IssueArticleCount">7</identifier>
<identifier type="VolumeIssueCount">4</identifier>
<part>
<date>2008</date>
<detail type="volume">
<number>4</number>
<caption>vol.</caption>
</detail>
<detail type="issue">
<number>4</number>
<caption>no.</caption>
</detail>
<extent unit="pages">
<start>279</start>
<end>287</end>
</extent>
</part>
<recordInfo>
<recordOrigin>Springer-Verlag France, 2008</recordOrigin>
</recordInfo>
</relatedItem>
<identifier type="istex">D478A0F873D565DA931BEA45AC50395FB3674583</identifier>
<identifier type="ark">ark:/67375/VQC-RCSJCS7V-3</identifier>
<identifier type="DOI">10.1007/s11416-007-0074-9</identifier>
<identifier type="ArticleID">74</identifier>
<identifier type="ArticleID">s11416-007-0074-9</identifier>
<accessCondition type="use and reproduction" contentType="copyright">Springer-Verlag France, 2007</accessCondition>
<recordInfo>
<recordContentSource authority="ISTEX" authorityURI="https://loaded-corpus.data.istex.fr" valueURI="https://loaded-corpus.data.istex.fr/ark:/67375/XBH-3XSW68JL-F">springer</recordContentSource>
<recordOrigin>Springer-Verlag France, 2007</recordOrigin>
</recordInfo>
</mods>
<json:item>
<extension>json</extension>
<original>false</original>
<mimetype>application/json</mimetype>
<uri>https://api.istex.fr/ark:/67375/VQC-RCSJCS7V-3/record.json</uri>
</json:item>
</metadata>
<serie></serie>
</istex>
</record>

To work with this document under Unix (Dilib)

EXPLOR_STEP=$WICRI_ROOT/Wicri/Lorraine/explor/InforLorV4/Data/Istex/Corpus
HfdSelect -h $EXPLOR_STEP/biblio.hfd -nk 003262 | SxmlIndent | more

Or

HfdSelect -h $EXPLOR_AREA/Data/Istex/Corpus/biblio.hfd -nk 003262 | SxmlIndent | more

To link to this page within the Wicri network

{{Explor lien
   |wiki=    Wicri/Lorraine
   |area=    InforLorV4
   |flux=    Istex
   |étape=   Corpus
   |type=    RBID
   |clé=     ISTEX:D478A0F873D565DA931BEA45AC50395FB3674583
   |texte=   Malware behaviour analysis
}}

Wicri

This area was generated with Dilib version V0.6.33.
Data generation: Mon Jun 10 21:56:28 2019. Site generation: Fri Feb 25 15:29:27 2022