Comparative Analysis of Hash-based Malware Clustering via K-Means
By: Aink Acrie Soe Thein , Nikolaos Pitropakis , Pavlos Papadopoulos and more
With the adoption of multiple digital devices in everyday life, the cyber-attack surface has increased. Adversaries are continuously exploring new avenues to exploit them and deploy malware. On the other hand, detection approaches typically employ hashing-based algorithms such as SSDeep, TLSH, and IMPHash to capture structural and behavioural similarities among binaries. This work focuses on the analysis and evaluation of these techniques for clustering malware samples using the K-means algorithm. More specifically, we experimented with established malware families and traits and found that TLSH and IMPHash produce more distinct, semantically meaningful clusters, whereas SSDeep is more efficient for broader classification tasks. The findings of this work can guide the development of more robust threat-detection mechanisms and adaptive security mechanisms.
Similar Papers
Clustering Malware at Scale: A First Full-Benchmark Study
Cryptography and Security
Finds bad computer programs faster and better.
Clustering Malware at Scale: A First Full-Benchmark Study
Cryptography and Security
Finds bad computer programs faster, even good ones.
Improving the Identification of Real-world Malware's DNS Covert Channels Using Locality Sensitive Hashing
Cryptography and Security
Finds hidden computer viruses using website names.