@article{DBLP:journals/virology/KarimWLP05, author = {Md. Enamul Karim and Andrew Walenstein and Arun Lakhotia and Laxmi Parida}, title = {Malware phylogeny generation using permutations of code}, journal = {Journal in Computer Virology}, volume = {1}, number = {1-2}, year = {2005}, pages = {13-23}, ee = {http://dx.doi.org/10.1007/s11416-005-0002-9}, bibsource = {DBLP, http://dblp.uni-trier.de} } Malware phylogeny generation using permutations of code Md. Enamul Karim, Andrew Walenstein, Arun Lakhotia, Laxmi Parida Journal Journal in Computer Virology Publisher Springer Paris ISSN 1772-9890 (Print) 1772-9904 (Online) Issue Volume 1, Numbers 1-2 / November, 2005 Category Original Paper DOI 10.1007/s11416-005-0002-9 Pages 13-23 Subject Collection Computer Science SpringerLink Date Tuesday, September 20, 2005 Abstract Malicious programs, such as viruses and worms, are frequently related to previous programs through evolutionary relationships. Discovering those relationships and constructing a phylogeny model is expected to be helpful for analyzing new malware and for establishing a principled naming scheme. Matching permutations of code may help build better models in cases where malware evolution does not keep things in the same order. We describe methods for constructing phylogeny models that use features called n-perms to match possibly permuted codes. An experiment was performed to compare the relative effectiveness of vector similarity measures using n-perms and n-grams when comparing permuted variants of programs. The similarity measures using n-perms maintained a greater separation between the similarity scores of permuted families of specimens versus unrelated specimens. A subsequent study using a tree generated through n-perms suggests that phylogeny models based on n-perms may help forensic analysts investigate new specimens, and assist in reconciling malware naming inconsistencies.