Using an Information Retrieval Technique to Discover Malicious Software

摘要

This paper describes a research effort to detect unknown, known or variances of known malicious software using an information retrieval technique known as cosine similarity. Document similarity techniques, such as cosine similarity, have been used with great success in several document retrieval applications. By following the standard information retrieval methodology, software, in machine readable format, is regarded as documents in the corpus. These "documents" may or may not have a known malicious intent. The query is a piece of software, again in machine readable format, which contains a certain type of malicious software. This methodology provides an ability to search the corpus with a query and retrieve/identify potentially malicious software as well as other instances of the same type of vulnerability. This retrieval is based on the similarity of the query to a given document in the corpus. The subsequent use of an information visualization technique will allow for quickly and clearly finding the malicious software and will provide the ability for finding similar, potentially new types or variances of malicious behavior.