A fast algorithm for constructing phylogenetic trees with application to IoT malware clustering

Tianxiang He; Chansu Han; Ryoichi Isawa; Takeshi Takahashi; Shuji Kijima; Jun’ichi Takeuchi; Koji Nakao

doi:10.1007/978-3-030-36708-4_63

A fast algorithm for constructing phylogenetic trees with application to IoT malware clustering

Tianxiang He, Chansu Han, Ryoichi Isawa, Takeshi Takahashi, Shuji Kijima, Jun’ichi Takeuchi, Koji Nakao

Mathematical Informatics

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

5 Citations (Scopus)

Abstract

For efficiently handling thousands of malware specimens, we aim to quickly and automatically categorize those into malware families. A solution for this could be the neighbor-joining method using NCD (Normalized Compression Distance) as similarity of malware. It creates a phylogenetic tree of malware based on the NCDs between malware binaries for clustering. However, it is frustratingly slow because it requires (N²+N)/2 compression attempts for the NCDs, where N is the number of given specimens. For fast clustering, this paper presents an algorithm for efficiently constructing a phylogenetic tree by greatly reducing compression attempts. The key idea to do so is not to construct a tree of N specimens all at once. Instead, it divides N specimens into temporal clusters in advance, constructs a small tree for each temporal cluster, and joins the trees as a united tree. Intuitively, separately constructing small trees requires a much smaller number of compression attempts than (N²+N)/2. With experiments using 4,109 in-the-wild malware specimens, we confirm that our algorithm achieved clustering 22 times faster than the neighbor-joining method with a good accuracy of 97%.

Original language	English
Title of host publication	Neural Information Processing - 26th International Conference, ICONIP 2019, Proceedings
Editors	Tom Gedeon, Kok Wai Wong, Minho Lee
Publisher	Springer
Pages	766-778
Number of pages	13
ISBN (Print)	9783030367077
DOIs	https://doi.org/10.1007/978-3-030-36708-4_63
Publication status	Published - 2019
Event	26th International Conference on Neural Information Processing, ICONIP 2019 - Sydney, Australia Duration: Dec 12 2019 → Dec 15 2019

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	11953 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	26th International Conference on Neural Information Processing, ICONIP 2019
Country/Territory	Australia
City	Sydney
Period	12/12/19 → 12/15/19

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-030-36708-4_63

Cite this

He, T., Han, C., Isawa, R., Takahashi, T., Kijima, S., Takeuchi, J., & Nakao, K. (2019). A fast algorithm for constructing phylogenetic trees with application to IoT malware clustering. In T. Gedeon, K. W. Wong, & M. Lee (Eds.), Neural Information Processing - 26th International Conference, ICONIP 2019, Proceedings (pp. 766-778). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11953 LNCS). Springer. https://doi.org/10.1007/978-3-030-36708-4_63

A fast algorithm for constructing phylogenetic trees with application to IoT malware clustering. / He, Tianxiang; Han, Chansu; Isawa, Ryoichi et al.

Neural Information Processing - 26th International Conference, ICONIP 2019, Proceedings. ed. / Tom Gedeon; Kok Wai Wong; Minho Lee. Springer, 2019. p. 766-778 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11953 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

He, T, Han, C, Isawa, R, Takahashi, T, Kijima, S, Takeuchi, J & Nakao, K 2019, A fast algorithm for constructing phylogenetic trees with application to IoT malware clustering. in T Gedeon, KW Wong & M Lee (eds), Neural Information Processing - 26th International Conference, ICONIP 2019, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 11953 LNCS, Springer, pp. 766-778, 26th International Conference on Neural Information Processing, ICONIP 2019, Sydney, Australia, 12/12/19. https://doi.org/10.1007/978-3-030-36708-4_63

He T, Han C, Isawa R, Takahashi T, Kijima S, Takeuchi J et al. A fast algorithm for constructing phylogenetic trees with application to IoT malware clustering. In Gedeon T, Wong KW, Lee M, editors, Neural Information Processing - 26th International Conference, ICONIP 2019, Proceedings. Springer. 2019. p. 766-778. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-36708-4_63

He, Tianxiang ; Han, Chansu ; Isawa, Ryoichi et al. / A fast algorithm for constructing phylogenetic trees with application to IoT malware clustering. Neural Information Processing - 26th International Conference, ICONIP 2019, Proceedings. editor / Tom Gedeon ; Kok Wai Wong ; Minho Lee. Springer, 2019. pp. 766-778 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{b8ada7d4710741c7ae94eb8a4a664e36,

title = "A fast algorithm for constructing phylogenetic trees with application to IoT malware clustering",

abstract = "For efficiently handling thousands of malware specimens, we aim to quickly and automatically categorize those into malware families. A solution for this could be the neighbor-joining method using NCD (Normalized Compression Distance) as similarity of malware. It creates a phylogenetic tree of malware based on the NCDs between malware binaries for clustering. However, it is frustratingly slow because it requires (N2+N)/2 compression attempts for the NCDs, where N is the number of given specimens. For fast clustering, this paper presents an algorithm for efficiently constructing a phylogenetic tree by greatly reducing compression attempts. The key idea to do so is not to construct a tree of N specimens all at once. Instead, it divides N specimens into temporal clusters in advance, constructs a small tree for each temporal cluster, and joins the trees as a united tree. Intuitively, separately constructing small trees requires a much smaller number of compression attempts than (N2+N)/2. With experiments using 4,109 in-the-wild malware specimens, we confirm that our algorithm achieved clustering 22 times faster than the neighbor-joining method with a good accuracy of 97%.",

author = "Tianxiang He and Chansu Han and Ryoichi Isawa and Takeshi Takahashi and Shuji Kijima and Jun{\textquoteright}ichi Takeuchi and Koji Nakao",

note = "Funding Information: Acknowledgment. The authors wish to thank the IoTPOT team from Yokohama National University for providing the dataset. This research was partially supported by JSPS KAKENHI Grant Number 18H03291.; 26th International Conference on Neural Information Processing, ICONIP 2019 ; Conference date: 12-12-2019 Through 15-12-2019",

year = "2019",

doi = "10.1007/978-3-030-36708-4_63",

language = "English",

isbn = "9783030367077",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "766--778",

editor = "Tom Gedeon and Wong, {Kok Wai} and Minho Lee",

booktitle = "Neural Information Processing - 26th International Conference, ICONIP 2019, Proceedings",

}

TY - GEN

T1 - A fast algorithm for constructing phylogenetic trees with application to IoT malware clustering

AU - He, Tianxiang

AU - Han, Chansu

AU - Isawa, Ryoichi

AU - Takahashi, Takeshi

AU - Kijima, Shuji

AU - Takeuchi, Jun’ichi

AU - Nakao, Koji

N1 - Funding Information: Acknowledgment. The authors wish to thank the IoTPOT team from Yokohama National University for providing the dataset. This research was partially supported by JSPS KAKENHI Grant Number 18H03291.

PY - 2019

Y1 - 2019

N2 - For efficiently handling thousands of malware specimens, we aim to quickly and automatically categorize those into malware families. A solution for this could be the neighbor-joining method using NCD (Normalized Compression Distance) as similarity of malware. It creates a phylogenetic tree of malware based on the NCDs between malware binaries for clustering. However, it is frustratingly slow because it requires (N2+N)/2 compression attempts for the NCDs, where N is the number of given specimens. For fast clustering, this paper presents an algorithm for efficiently constructing a phylogenetic tree by greatly reducing compression attempts. The key idea to do so is not to construct a tree of N specimens all at once. Instead, it divides N specimens into temporal clusters in advance, constructs a small tree for each temporal cluster, and joins the trees as a united tree. Intuitively, separately constructing small trees requires a much smaller number of compression attempts than (N2+N)/2. With experiments using 4,109 in-the-wild malware specimens, we confirm that our algorithm achieved clustering 22 times faster than the neighbor-joining method with a good accuracy of 97%.

AB - For efficiently handling thousands of malware specimens, we aim to quickly and automatically categorize those into malware families. A solution for this could be the neighbor-joining method using NCD (Normalized Compression Distance) as similarity of malware. It creates a phylogenetic tree of malware based on the NCDs between malware binaries for clustering. However, it is frustratingly slow because it requires (N2+N)/2 compression attempts for the NCDs, where N is the number of given specimens. For fast clustering, this paper presents an algorithm for efficiently constructing a phylogenetic tree by greatly reducing compression attempts. The key idea to do so is not to construct a tree of N specimens all at once. Instead, it divides N specimens into temporal clusters in advance, constructs a small tree for each temporal cluster, and joins the trees as a united tree. Intuitively, separately constructing small trees requires a much smaller number of compression attempts than (N2+N)/2. With experiments using 4,109 in-the-wild malware specimens, we confirm that our algorithm achieved clustering 22 times faster than the neighbor-joining method with a good accuracy of 97%.

UR - http://www.scopus.com/inward/record.url?scp=85077508217&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85077508217&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-36708-4_63

DO - 10.1007/978-3-030-36708-4_63

M3 - Conference contribution

AN - SCOPUS:85077508217

SN - 9783030367077

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 766

EP - 778

BT - Neural Information Processing - 26th International Conference, ICONIP 2019, Proceedings

A2 - Gedeon, Tom

A2 - Wong, Kok Wai

A2 - Lee, Minho

PB - Springer

T2 - 26th International Conference on Neural Information Processing, ICONIP 2019

Y2 - 12 December 2019 through 15 December 2019

ER -

A fast algorithm for constructing phylogenetic trees with application to IoT malware clustering

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this