关键词: 恶意代码, 单类支持向量机, 静态分析, 聚类

Abstract: With the emergence of metamorphic and polymorphic technology, the account of malicious code is in explosive growth, most of which is the variant of previously encountered samples. In order to conquer this problem and focus on new types of virus, this paper presents an approach to determine the family of malicious code. It extracts the static feature of malware samples by using disassembly tools, and filters out characteristic functions through one-class support vector machine. A family feature database is generated from those functions by adopting clustering idea. Unknown samples, after extracting characteristic functions, are compared to the content of database to determine their family. Experimental results show that it can effectively investigate the malicious code and classify variations into different malware family.

Key words: malicious code, one-class Support Vector Machine（SVM）, static analysis, clustering