The Scientific World Journal
Volume 2014, Article ID 132713, 15 pages
http://dx.doi.org/10.1155/2014/132713
Research Article

Malware Analysis Using Visualized Image Matrices

¹Department of Computer and Software, Hanyang University, Seoul 133-791, Republic of Korea
²Department of Electronics and Computer Engineering, Hanyang University, Seoul 133-791, Republic of Korea
³Division of Computer Science and Engineering, Hanyang University, Seoul 133-791, Republic of Korea

Received 14 March 2014; Accepted 19 May 2014; Published 16 July 2014

Academic Editor: Fei Yu

Copyright © 2014 KyoungSoo Han et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

This paper proposes a novel malware visual analysis method that comprises both a visualization method for converting binary files into images and a method for calculating the similarity between these images. The proposed method generates RGB-colored pixels on image matrices using the opcode sequences extracted from malware samples and calculates the similarities between the image matrices. In particular, the proposed methods can handle packed malware samples when they are applied to the execution traces extracted through dynamic analysis. When the images are generated, we can reduce the overheads by extracting the opcode sequences only from the blocks that include instructions related to staple behaviors such as functions and application programming interface (API) calls. In addition, we propose a technique that generates a representative image for each malware family in order to reduce the number of comparisons needed to classify unknown samples; the colored pixel information in the image matrices is used to calculate the similarities between the images. Our experimental results show that the image matrices of malware can effectively be used to classify malware families both statically and dynamically, with accuracies of 0.9896 and 0.9732, respectively.
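The pipeline the abstract outlines (opcode-sequence blocks to RGB pixels on an image matrix, one representative image per family, similarity-based classification) can be sketched as follows; this is an added example, not the authors' code. The abstract does not give the hash functions, matrix size, collision handling, similarity formula or representative-image rule, so the SHA-256 mapping, `SIZE`, and all function names and formulas below are assumptions chosen for illustration.

```python
import hashlib

SIZE = 256  # assumed matrix side length (not stated in the abstract)

def to_image(blocks, size=SIZE):
    """Map each opcode-sequence block to one RGB pixel: {(x, y): (r, g, b)}."""
    image = {}
    for block in blocks:
        d = hashlib.sha256(" ".join(block).encode()).digest()
        xy = (d[0] % size, d[1] % size)          # assumed coordinate rule
        rgb = (d[2], d[3], d[4])                 # assumed colour rule
        old = image.get(xy, (0, 0, 0))           # assumed collision rule: per-channel max
        image[xy] = tuple(max(a, b) for a, b in zip(old, rgb))
    return image

def similarity(img_a, img_b):
    """Score in [0, 1] over the pixels coloured in either image."""
    union = set(img_a) | set(img_b)
    if not union:
        return 1.0
    total = 0.0
    for xy in union:
        if xy in img_a and xy in img_b:          # a pixel in only one image scores 0
            diff = sum(abs(a - b) for a, b in zip(img_a[xy], img_b[xy]))
            total += 1.0 - diff / (3 * 255)
    return total / len(union)

def representative(images):
    """Keep only pixels that have the same colour in every image of a family."""
    common = dict(images[0])
    for img in images[1:]:
        common = {xy: c for xy, c in common.items() if img.get(xy) == c}
    return common

def classify(blocks, family_reps):
    """Compare one unknown sample against one representative image per family."""
    img = to_image(blocks)
    scores = {name: similarity(img, rep) for name, rep in family_reps.items()}
    best = max(scores, key=scores.get)
    return best, scores[best]

# Constructed opcode blocks for illustration, not taken from real samples.
A1 = [("push", "mov", "call"), ("xor", "cmp", "jne"), ("lea", "push", "call")]
A2 = [("push", "mov", "call"), ("xor", "cmp", "jne"), ("add", "sub", "ret")]
B1 = [("mov", "mov", "int"), ("shl", "or", "jmp"), ("pop", "ret")]
B2 = [("mov", "mov", "int"), ("shl", "or", "jmp"), ("inc", "loop")]
REPS = {"family_a": representative([to_image(A1), to_image(A2)]),
        "family_b": representative([to_image(B1), to_image(B2)])}
UNKNOWN = [("push", "mov", "call"), ("xor", "cmp", "jne"), ("nop", "nop", "ret")]
```

Calling `classify(UNKNOWN, REPS)` compares the unknown sample against two representative images instead of four sample images, which is the reduction in comparisons the abstract refers to.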