Detection of Malicious Portable Executables using Evidence Combinational Theory with Fuzzy Hashing

Fuzzy hashing is an established technique that has been adopted to speed up malware analysis. However, hashing has not been fully adopted for malware detection because it is easily evaded by simple obfuscation techniques such as packing. This limitation has restricted the use of hashing to triaging samples by the percentage of similarity between known and unknown files. In this paper, we explore the different ways in which fuzzy hashing can be used to detect similarities between files by investigating particular hashes of interest. Each hashing method produces independent but related results, which are presented here. We further investigate combination techniques that can be used to improve the detection rates of hashing methods. Two such evidence-combination-theory-based methods are applied in this work in order to propose a novel way of combining the results obtained from different hashing algorithms. This study focuses on file-level and section-level ssdeep hashing, PeHash and Imphash to compute the similarity of Portable Executable files. Our results show that detection rates improve when evidence combination techniques are used.
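The abstract names the individual hash methods and says their results are combined as pieces of evidence, but gives neither. The block below is an added illustration, not code from the paper: it computes an Imphash the way pefile and Mandiant define it (MD5 over lowercase `dll.function` entries, DLL extension stripped, joined with commas in import-table order; ordinal imports are omitted here), and then combines per-method similarity scores with Dempster's rule of combination, a standard evidence-combination rule used here only as a stand-in. The paper's own two methods (the Common Factor Model and a fuzzy-logic approach, per its keywords) are not reproduced. The similarity scores, the per-method reliability weights and the sample import list are constructed values.

```python
"""Added illustration: Imphash computation and Dempster's rule for combining
per-hash-method similarity scores. Not the paper's code; scores, reliability
weights and the import list are constructed."""
import hashlib
from itertools import product

# Frame of discernment: the file is either malicious or benign.
MALICIOUS = frozenset({"malicious"})
BENIGN = frozenset({"benign"})
THETA = MALICIOUS | BENIGN  # ignorance: "either"


def imphash(imports):
    """Import hash as pefile/Mandiant define it: MD5 over 'dll.function'
    strings, lowercased, DLL extension stripped, comma-joined in import-table
    order. Ordinal imports (pefile maps them via lookup tables) are omitted."""
    entries = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        entries.append(f"{dll}.{func.lower()}")
    return hashlib.md5(",".join(entries).encode("ascii")).hexdigest()


def mass_from_similarity(similarity, reliability):
    """Turn one method's similarity (0..1) to the closest known-malicious
    sample into a basic mass assignment. 'reliability' is how much mass the
    method may commit; the remainder stays on THETA (ignorance)."""
    if not (0.0 <= similarity <= 1.0 and 0.0 <= reliability <= 1.0):
        raise ValueError("similarity and reliability must lie in [0, 1]")
    return {
        MALICIOUS: reliability * similarity,
        BENIGN: reliability * (1.0 - similarity),
        THETA: 1.0 - reliability,
    }


def dempster_combine(m1, m2):
    """Dempster's rule: m12(A) = sum over B∩C=A of m1(B)m2(C) / (1 - K),
    where K is the mass that lands on disjoint (conflicting) pairs."""
    combined = {}
    conflict = 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        joint = ma * mb
        if joint == 0.0:
            continue
        focal = a & b
        if focal:
            combined[focal] = combined.get(focal, 0.0) + joint
        else:
            conflict += joint
    if conflict >= 1.0 - 1e-12:
        # Two fully committed, contradictory sources: the rule is undefined.
        raise ValueError("total conflict between evidence sources")
    return {focal: mass / (1.0 - conflict) for focal, mass in combined.items()}


def combine_evidence(method_scores):
    """method_scores: {method_name: (similarity, reliability)}.
    Returns the combined mass over {MALICIOUS, BENIGN, THETA}."""
    combined = None
    for similarity, reliability in method_scores.values():
        m = mass_from_similarity(similarity, reliability)
        combined = m if combined is None else dempster_combine(combined, m)
    return combined


def belief_and_plausibility(mass, hypothesis=MALICIOUS):
    """Belief = mass committed to the hypothesis; plausibility = mass on every
    focal element that does not contradict it (Bel <= Pl)."""
    belief = sum(v for k, v in mass.items() if k <= hypothesis)
    plausibility = sum(v for k, v in mass.items() if k & hypothesis)
    return belief, plausibility


if __name__ == "__main__":
    # Constructed scenario: a packed sample evades file-level ssdeep, but its
    # section-level ssdeep, PeHash and Imphash still resemble a known family.
    sample_imports = [("KERNEL32.dll", "VirtualAlloc"),
                      ("KERNEL32.dll", "LoadLibraryA"),
                      ("KERNEL32.dll", "GetProcAddress")]
    print("imphash:", imphash(sample_imports))
    scores = {
        "ssdeep_file": (0.00, 0.80),     # packed: no file-level match
        "ssdeep_section": (0.65, 0.70),
        "pehash": (1.00, 0.60),
        "imphash": (1.00, 0.90),
    }
    m = combine_evidence(scores)
    bel, pl = belief_and_plausibility(m)
    print(f"belief(malicious)={bel:.3f} plausibility(malicious)={pl:.3f}")
```

The reliability weights are the knob a practitioner would tune per method: a zero file-level ssdeep score on a packed sample should not veto a strong Imphash match, and keeping part of each method's mass on ignorance is what lets the combination rule express that. Dempster's rule is commutative, so the order in which the methods are folded in does not change the result.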
Keywords: Malware detection, Fuzzy hash, Evidence combinational theory, Common Factor Model, Fuzzy Logic, Portable executable
Namanya, A. P., Mirza, Q. K. A., Al-Mohannadi, H., Awan, I. U., & Disso, J. F. P. (2016, August). Detection of malicious portable executables using evidence combinational theory with fuzzy hashing. In 2016 IEEE 4th International Conference on Future Internet of Things and Cloud (FiCloud) (pp. 91-98). IEEE. DOI 10.1109/FiCloud.2016.21