Date Added: Feb 2010
This paper presents a novel network-level behavioral malware clustering system. The paper focuses on the analysis of structural similarities among malicious HTTP traffic traces generated by executing HTTP-based malware. The work is motivated by the need to provide quality input to algorithms that automatically generate network signatures. Accordingly, the paper defines similarity metrics among HTTP traces and develops the system so that the resulting clusters can yield high quality malware signatures. The paper implemented a proof-of-concept version of the network-level malware clustering system and performed experiments with more than 25,000 distinct malware samples.