Published on September 25th, 2015
MALHEUR – Automatic Analysis of Malware Behavior
- Extraction of prototypes: From a given set of reports, malheur identifies a subset of prototypes representative for the full data set. The prototypes provide a quick overview of recorded behavior and can be used to guide manual inspection.
- Clustering of behavior: Malheur automatically identifies groups (clusters) of reports containing similar behavior. Clustering allows for discovering novel classes of malware and provides the basis for crafting specific detection and defense mechanisms, such as anti-virus signatures.
- Classification of behavior: Based on a set of previously clustered reports, malheur is able to assign unknown behavior to known groups of malware. Classification enables identifying novel and unknown variants of malware and can be used to filter program behavior prior to manual inspection.
- Incremental analysis: Malheur can be applied incrementally for analysis of large data sets. By processing reports in chunks, the run-time as well as memory requirements can be significantly reduced. This renders long-term application of malheur feasible, for example for daily analysis of incoming malware programs.
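To make the first three capabilities above concrete, here is a small Python example added for this page (it is not Malheur's own code): it embeds constructed behaviour reports as unit-length q-gram vectors, extracts prototypes with a greedy farthest-first selection, clusters reports around those prototypes, and classifies unknown reports against them with a rejection threshold. The report tokens, the distance threshold of 0.8 and the farthest-first heuristic are assumptions of the example, chosen to illustrate the idea rather than to reproduce Malheur's exact algorithm or parameters.

```python
"""Illustrative re-implementation, written for this page, of the analysis
steps listed above: embedding behaviour reports as q-gram vectors, extracting
prototypes, clustering reports around them and classifying unknown reports
with rejection.  Not Malheur's code; the reports below are constructed."""
import math
from collections import Counter

# Constructed sample reports: one token per monitored operation, in the
# spirit of a sandbox trace.  Two behaviour families (a*, b*) and one
# outlier (x1).
REPORTS = {
    "a1": ["open", "read", "connect", "send", "recv", "write", "close", "exit"],
    "a2": ["sleep", "open", "read", "connect", "send", "recv", "write", "close", "exit"],
    "a3": ["open", "read", "connect", "send", "recv", "write", "close", "delete", "exit"],
    "b1": ["reg_open", "reg_query", "reg_set", "reg_close", "create_proc", "exit"],
    "b2": ["sleep", "reg_open", "reg_query", "reg_set", "reg_close", "create_proc", "exit"],
    "b3": ["reg_open", "reg_query", "reg_set", "reg_close", "write_file", "create_proc", "exit"],
    "x1": ["sleep", "sleep", "sleep", "exit"],
}


def embed(report, q=2):
    """Map a report to a bag of q-grams, scaled to unit Euclidean length so
    that report length does not dominate the distance."""
    grams = Counter(tuple(report[i:i + q]) for i in range(len(report) - q + 1))
    norm = math.sqrt(sum(c * c for c in grams.values()))
    return {g: c / norm for g, c in grams.items()}


def distance(u, v):
    """Euclidean distance between two sparse vectors, rounded so that exact
    ties resolve deterministically (reports sharing no q-gram are all at
    sqrt(2) from each other)."""
    keys = set(u) | set(v)
    return round(math.sqrt(sum((u.get(k, 0.0) - v.get(k, 0.0)) ** 2 for k in keys)), 9)


def extract_prototypes(vectors, max_dist=0.8):
    """Greedy farthest-first selection: repeatedly promote the report that is
    farthest from every prototype chosen so far, until every report lies
    within max_dist of some prototype.  The threshold is an assumption of
    this example."""
    names = sorted(vectors)
    protos = [names[0]]
    while True:
        farthest, far_d = None, -1.0
        for n in names:
            d = min(distance(vectors[n], vectors[p]) for p in protos)
            if d > far_d:
                farthest, far_d = n, d
        if far_d <= max_dist:
            return protos
        protos.append(farthest)


def cluster(vectors, protos):
    """Assign every report to its nearest prototype; each prototype's group is
    one behaviour cluster."""
    groups = {p: [] for p in protos}
    for n, v in vectors.items():
        nearest = min(protos, key=lambda p: distance(v, vectors[p]))
        groups[nearest].append(n)
    return groups


def classify(vectors, protos, report, max_dist=0.8):
    """Assign an unknown report to the cluster of its nearest prototype, or
    reject it (None) when nothing known is close enough: rejected reports are
    the candidates for new clusters and for manual inspection."""
    v = embed(report)
    nearest = min(protos, key=lambda p: distance(v, vectors[p]))
    d = distance(v, vectors[nearest])
    return (nearest if d <= max_dist else None), d


def analyze(reports=REPORTS):
    """Run prototype extraction and clustering over a report set."""
    vectors = {n: embed(r) for n, r in reports.items()}
    protos = extract_prototypes(vectors)
    return vectors, protos, cluster(vectors, protos)


if __name__ == "__main__":
    vectors, protos, groups = analyze()
    print("prototypes:", protos)
    for p, members in groups.items():
        print(f"cluster {p}: {members}")
    # Constructed unknown reports: a variant of family a, and something new.
    print(classify(vectors, protos, ["sleep", "open", "read", "connect", "send",
                                     "recv", "write", "close", "delete", "exit"]))
    print(classify(vectors, protos, ["mutex_create", "thread_create", "sleep", "exit"]))
```

The prototypes come out as one report per family plus the outlier, so a reviewer only has to read three reports to get an overview of seven; a later variant of family a lands in that cluster, while a report with unfamiliar behaviour is rejected rather than forced into a known group. That rejection step is what makes classification safe to use as a filter before manual inspection.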
- libconfig >= 1.4, https://www.hyperrealm.com/libconfig/
- libarchive >= 2.70, https://libarchive.github.com/
Debian & Ubuntu Linux
The following packages need to be installed for compiling Malheur on Debian and Ubuntu Linux:
gcc
libconfig9-dev
libarchive-dev
For bootstrapping Malheur from the GIT repository or manipulating the automake/autoconf configuration, the following additional packages are necessary:
automake
autoconf
libtool
Mac OS X
For compiling Malheur on Mac OS X a working installation of Xcode is required, including gcc. Additionally, the following packages need to be installed via Homebrew:
libconfig
libarchive (from homebrew-alt)
OpenBSD
For compiling Malheur on OpenBSD the following packages are required. Note that you need to use gmake instead of make for building Malheur.
gmake
libconfig
libarchive
For bootstrapping Malheur from the GIT repository, the following packages additionally need to be installed:
autoconf
automake
libtool
Compilation & Installation
From the GIT repository, first run
$ ./bootstrap
From a tarball, run
$ ./configure [options]
$ make
$ make check
$ make install
Options for configure
--prefix=PATH Set directory prefix for installation
By default Malheur is installed into /usr/local. If you prefer a different location, use this option to select an installation directory.
Gloss