An Automated Virus Classification System

Brief Description

A White Paper from the Microsoft Antimalware Team
In this paper, we introduce an innovative classification system that uses an average desktop machine. The classification system compares new and unknown samples with all existing malware, and within a few minutes, returns matches for that sample based on evolutionary behaviour of existing malware.

Overview

In recent years, significant interest has developed around automated malware classification methods and an industry-wide naming convention. However, in the anti-virus industry, virus naming is not a uniformly standardized process and only worsens with each new malware sample. Virus naming cannot be reliable unless the virus analyst can tell if a new sample is part of an existing family in a reasonable amount of time. Previous research in automatic classification has produced several interesting classification methods; however, to our knowledge, none of the methods can deal with
an entire virus collection or produce meaningful results in a reasonable amount of time.

In this paper, we introduce an innovative classification system that uses an average desktop machine. The classification system compares new and unknown samples with all existing malware, and within a few minutes, returns matches for that sample based on evolutionary behaviour of existing malware. Compared to previous methods, our method is independent of the malware class and language. We describe three approximate matching algorithms and evaluate their run time and storage space requirements. We also discuss how these methods are applied in several malware-handling tasks including sample clustering, outbreak detection, automatic virus naming, and phylogeny tree.

This paper is featured in the proceedings of the 2005 Virus Bulletin conference.

Top of page