Automated classification and analysis of Internet malware

Michael Bailey, Jon Oberheide, Jon Andersen, Z. Morley Mao, Farnam Jahanian, Jose Nazario

Research output: Chapter in Book/Report/Conference proceedingConference contribution


Numerous attacks, such as worms, phishing, and botnets, threaten the availability of the Internet, the integrity of its hosts, and the privacy of its users. A core element of defense against these attacks is anti-virus (AV) software - a service that detects, removes, and characterizes these threats. The ability of these products to successfully characterize these threats has far-reaching effects-from facilitating sharing across organizations, to detecting the emergence of new threats, and assessing risk in quarantine and cleanup. In this paper, we examine the ability of existing host-based anti-virus products to provide semantically meaningful information about the malicious software and tools (or malware) used by attackers. Using a large, recent collection of malware that spans a variety of attack vectors (e.g., spyware, worms, spam), we show that different AV products characterize malware in ways that are inconsistent across AV products, incomplete across malware, and that fail to be concise in their semantics. To address these limitations, we propose a new classification technique that describes malware behavior in terms of system state changes (e.g., files written, processes created) rather than in sequences or patterns of system calls. To address the sheer volume of malware and diversity of its behavior, we provide a method for automatically categorizing these profiles of malware into groups that reflect similar classes of behaviors and demonstrate how behavior-based clustering provides a more direct and effective way of classifying and analyzing Internet malware.

Original languageEnglish (US)
Title of host publicationRecent Advances in Intrusion Detection - 10th International Symposium, RAID 2007, Proceedings
Number of pages20
ISBN (Print)9783540743194
StatePublished - 2007
Externally publishedYes
Event10th Symposium on Recent Advances in Intrusion Detection, RAID 2007 - Gold Coast, Australia
Duration: Sep 5 2007Sep 7 2007

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume4637 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Other10th Symposium on Recent Advances in Intrusion Detection, RAID 2007
CityGold Coast

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)


Dive into the research topics of 'Automated classification and analysis of Internet malware'. Together they form a unique fingerprint.

Cite this