Analyzing Malware through the use of the Epsilon-Gamma-Pi model
Master thesis
Permanent link: http://hdl.handle.net/11250/261621
Publication date: 2009
Abstract
In this master thesis the Epsilon-Gamma-Pi model is presented. We analyze this model with respect to the advantages and disadvantages it provides when applied to malware. The purpose of the model is to describe the different stages of malware propagation. The analysis is based on the notion that this propagation technique could potentially be used to uniquely categorize malware. In particular, the analysis focuses on the correlation between the model values and existing malware signatures. Specifically, we have looked at the malware sample distributions based on model values and activity, the distribution of related sequences of values, and the relationships between malware variants within and across anti-virus vendor specific group identifiers (e.g. malware family identifiers). Additionally, we have included an analysis of an extension of the model, the μ value, implemented by our main source of data, Eurecom's honeypot network, SGnet. The extension was included because of a very high correlation between malware samples when using only the original values. From our work we have concluded that the Epsilon-Gamma-Pi model, in its original form, is suitable for providing metadata to existing malware signatures. However, to be able to uniquely identify malware variants, an extension of the model is required. With such an extension, and with a proper implementation of the model, the model could replace the existing, somewhat lacking, labeling policy currently used by anti-virus vendors. The main strength of the Epsilon-Gamma-Pi model is that it provides a foundation for relating and comparing malware samples and their propagation techniques.