Structural Classification and Similarity Measurement of Malware

This paper proposes a new lightweight method that utilizes the growing hierarchical self-organizing map (GHSOM) for malware detection and structural classification. It also shows a new method for measuring the structural similarity between classes. A dynamic link library (DLL) file is an executable file used in the Windows operating system that allows applications to share codes and other resources to perform particular tasks. In this paper, we classify different malware by the data mining of the DLL files used by the malware. Since the malware families are evolving quickly, they present many new problems, such as how to link them to other existing malware families. The experiment shows that our GHSOM-based structural classification can solve these issues and generate a malware classification tree according to the similarity of malware families. (c) 2014 Institute of Electrical Engineers of Japan. Published by John Wiley & Sons, Inc.