Time Evolution Model for Analysing Malicious Samples
Leitold, Ferenc
2025-08-18T13:20:42Z
2024
1785-8860
http://hdl.handle.net/20.500.14044/32347
This paper summarizes the results of a practical examination of the Time Evolution Model
([1] [2] [3]), which is used to categorize malicious samples. The method provides
effective assistance in anti-malware testing procedures as well as in cyberattack detection. With
its help, the typical properties of malicious code can be determined more easily and quickly
using automatic tools. The Time Evolution Model can help security experts better understand
the behavior of malicious attacks and malware families. The model is
based on variables describing changes in the detection capabilities of different protection
systems with respect to a specific malicious file. An exponential curve fitting method is used to
estimate the main characteristics of the spread of the malicious code. During the curve
fitting, three parameters are determined, with the help of which the properties of the spread
of a malware sample or a malware family can be identified more precisely. In the case of malicious
program families, aggregating these parameters can be an effective way of
estimating cyberthreat trends. The Time Evolution Model was tested on a large number
(more than 1000) of malicious samples, based on which different groups can be distinguished
according to when the investigation starts after the first appearance of the malicious code.
dc.format: PDF
en