Exploiting Visual Appearance to Cluster and Detect Rogue Software
Publication Type | Conference Paper |
Year of Publication | 2013 |
Authors | Dietrich, Christian J., Rossow, Christian, Pohlmann, Norbert |
Conference Name | Proceedings of the 28th Annual ACM Symposium on Applied Computing |
Publisher | ACM |
Conference Location | New York, NY, USA |
ISBN Number | 978-1-4503-1656-9 |
Keywords | composability, Human Behavior, Metrics, pubcrawl, ransomware, Resiliency |
Abstract | Rogue software, such as Fake A/V and ransomware, tricks users into paying without giving anything in return. We show that using a perceptual hash function and hierarchical clustering, more than 213,671 screenshots of executed malware samples can be grouped into subsets of structurally similar images, reflecting image clusters of one malware family or campaign. Based on the clustering results, we show that ransomware campaigns favor prepay payment methods such as ukash, paysafecard and moneypak, while Fake A/V campaigns use credit cards for payment. Furthermore, especially given the low A/V detection rates of current rogue software - sometimes even as low as 11% - our screenshot analysis approach could serve as a complementary last line of defense. |
URL | http://doi.acm.org/10.1145/2480362.2480697 |
DOI | 10.1145/2480362.2480697 |
Citation Key | dietrich_exploiting_2013 |