A Fuzzy Clustering-based Approach to study Malware Phylogeny

Mobile devices are always more diffused in the last years, allowing the users to perform several tasks: communication, web surfing, requiring web services. Given the high amount of sensitive data and operations related to these tasks, securing the mobile devices is becoming a very critical issue. As matter of the fact, malware attacks are on the rise and new mobile malware are continually generated with the aim of stealing private data and performing illegal activities. Since this new malware is mainly obtained by reusing existing malicious code, malware detection is supported by the study and the tracking of the mobile malware phylogeny. This paper proposes a malware phylogeny model obtained by a declarative Process Mining (PM) approach from the analysis of some running malware applications. The main idea is that the set of relations and recurring execution patterns among the syscalls of a running malware application can be modeled to obtain a malware fingerprint. The malware fingerprints are compared and classified by using a fuzzy clustering algorithm to recover the malware phylogeny map of all the considered malware families. The evaluation of the proposed approach is performed on a dataset of more than 4,000 infected applications across 39 malware families obtaining very encouraging results.