University of Louisiana
Many malicious programs are just previously seen programs that have had some minor changes made to them. A slightly different variant hardly qualifies as a stealth attack: being 99% the same as a known piece of malware should be a dead give-away. This paper describes a method for searching a database of programs for a match. The methods are adapted from ordinary text search and analysis; the key to making them work is selecting the right aspects of the programs to compare. The aspects compared are features called "N-perms", which are constructed from abstracted, disassembled code.
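The following is an added illustration of the idea, not code from the paper: an N-perm is an N-gram of abstracted instructions in which the order of the instructions inside the window is discarded, so a variant that merely reorders independent instructions maps onto the same features as the original. The abstraction used here (keep the mnemonic, drop the operands) and the comparison measure (cosine similarity over feature counts) are assumptions chosen for the example; the abstract does not state which abstraction or similarity measure the paper uses. The two disassembly listings are constructed sample input, with variant B obtained from A by swapping two independent instructions.

```python
from collections import Counter
from math import sqrt

# Constructed sample input: two small disassembly listings. Variant B is
# variant A with the second and third instructions swapped, the kind of
# minor edit that defeats exact matching but not N-perm matching.
RAW_A = [
    "push ebp",
    "mov ebp, esp",
    "xor eax, eax",
    "mov ecx, [ebp+8]",
    "call 0x401000",
    "test eax, eax",
    "jz 0x401050",
    "add esp, 4",
    "ret",
]
RAW_B = [
    "push ebp",
    "xor eax, eax",          # swapped with the mov below
    "mov ebp, esp",
    "mov ecx, [ebp+8]",
    "call 0x401000",
    "test eax, eax",
    "jz 0x401050",
    "add esp, 4",
    "ret",
]


def abstract(disassembly):
    """Reduce each instruction to its mnemonic (assumed abstraction:
    operands, addresses and registers are dropped so that relocation
    and register renaming do not change the feature stream)."""
    return [line.split(None, 1)[0].lower() for line in disassembly if line.strip()]


def ngrams(tokens, n):
    """Order-sensitive sliding windows of length n, counted."""
    return Counter(tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1))


def nperms(tokens, n):
    """N-perms: the same windows, but sorted so every permutation of the
    same n mnemonics yields one and the same feature."""
    return Counter(tuple(sorted(tokens[i:i + n])) for i in range(len(tokens) - n + 1))


def cosine(a, b):
    """Cosine similarity of two feature-count vectors (assumed measure)."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def compare(tokens_x, tokens_y, n=3):
    """Similarity of two abstracted programs under N-grams and under N-perms."""
    return {
        "ngram": cosine(ngrams(tokens_x, n), ngrams(tokens_y, n)),
        "nperm": cosine(nperms(tokens_x, n), nperms(tokens_y, n)),
    }


if __name__ == "__main__":
    scores = compare(abstract(RAW_A), abstract(RAW_B), n=3)
    # The swap disturbs three of seven 3-grams but only one of seven 3-perms.
    print("3-gram similarity: %.3f" % scores["ngram"])
    print("3-perm similarity: %.3f" % scores["nperm"])
```

With n=3 the single swap breaks three of the seven 3-grams but only one of the seven 3-perms, so the N-perm score stays high (6/7) while the N-gram score drops to 4/7. The trade-off is that N-perms are also less discriminating: unrelated code that happens to use the same mnemonics within a window collides onto one feature, which is why the choice of what to abstract and how long to make the window matters.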