FIRMA: Malware Clustering and Network Signature Generation with Mixed Network Behaviors
In this paper the authors present FIRMA, a tool that, given a large pool of network traffic obtained by executing unlabeled malware binaries, generates a clustering of the malware binaries into families and a set of network signatures for each family. Compared with prior tools, FIRMA produces network signatures for each of the network behaviors of a family, regardless of the type of traffic the malware uses (e.g., HTTP, IRC, SMTP, TCP, UDP). They have implemented FIRMA and evaluated it on two recent datasets comprising nearly 16,000 unique malware binaries. Their results show that FIRMA's clustering has very high precision (100% on a labeled dataset) and recall (97.7%).