Malware families typically evolve over a period of time. Differences between malware samples within a single family can originate from various code modifications designed to evade detection, or changes that are made to alter the functionality of the malware itself. Thus, malware samples from the same family from different time periods can exhibit significantly different behavior. In this research, we apply feature ranking—based on linear support vector machine (SVM) weights—to identify changes within malware families. We analyze numerous malware families over extended periods of time. Our goal is to demonstrate that we can detect evolutionary changes within malware families using an automated and quantifiable machine learning based technique.

Introduction

Malware can be defined as malicious software that is designed to cause disruption, deny activity, gather private data without user consent, allow unapproved access to system resources, and similar improper behavior (Aycock, 2006). Malware detection and prevention is a high priority for governments and businesses. Building effective countermeasures to malware threats is difficult due to the complexity of modern software and networked systems. Creators of malware can take advantage of weaknesses in security mechanisms of networks and end systems. Hackers and organized criminals frequently introduce new features to enable their malware to evade detection. In addition, it is highly likely that much—if not most—new malware is written based of existing code, rather than starting from scratch (Walenstein, Venable, Hayes, Thompson, & Lakhotia, 2007). Typically, in the software development process, new software is written on top of the existing software, and in this sense, malware is no different. Thus, malware writers are inclined to reuse existing malware code and release new variants of the same malware (Aycock, 2006). For these reasons, malware can be viewed as evolving over time.