Comparative Analysis of Hash-based Malware Clustering via K-Means
Aink Acrie Soe Thein, Nikolaos Pitropakis, Pavlos Papadopoulos, Sam Grierson, Sana Ullah Jan

TL;DR
This paper evaluates hash-based malware clustering techniques using K-means, comparing their effectiveness in grouping malware samples into meaningful clusters to improve threat detection.
Contribution
It provides a comparative analysis of SSDeep, TLSH, and IMPHash for malware clustering, highlighting their strengths and weaknesses in different classification contexts.
Findings
TLSH and IMPHash produce more semantically meaningful clusters.
SSDeep is more efficient for broad classification tasks.
The results guide development of improved threat detection methods.
Abstract
With the adoption of multiple digital devices in everyday life, the cyber-attack surface has increased. Adversaries are continuously exploring new avenues to exploit these devices and deploy malware. Meanwhile, detection approaches typically employ hashing-based algorithms such as SSDeep, TLSH, and IMPHash to capture structural and behavioural similarities among binaries. This work focuses on the analysis and evaluation of these techniques for clustering malware samples using the K-means algorithm. More specifically, we experimented with established malware families and traits and found that TLSH and IMPHash produce more distinct, semantically meaningful clusters, whereas SSDeep is more efficient for broader classification tasks. The findings of this work can guide the development of more robust threat-detection and adaptive security mechanisms.
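The following Python is an added illustration of the IMPHash side of the comparison; it is not code from the paper or its authors. It computes IMPHash from an import table the way the pefile library does (DLL name lowercased with its .dll/.ocx/.sys extension removed, function name lowercased or "ord<N>" for ordinal imports, entries joined with "," in table order, then MD5), groups samples by the resulting digest, and flags the two failure modes a practitioner hits first: the same import set in a different order yields a different hash, and packed samples that import only loader APIs collapse into one meaningless cluster. The import tables are constructed for the example and are not real samples; pefile's extra step of mapping well-known ordinals (ws2_32, oleaut32) back to names is deliberately skipped here and noted in a comment.

```python
import hashlib
from collections import defaultdict

# Constructed import tables (not real malware): each entry is
# (dll_name, function_name or None, ordinal or None).
SAMPLES = {
    "family_a_v1": [
        ("KERNEL32.dll", "CreateFileW", None),
        ("KERNEL32.dll", "WriteFile", None),
        ("WS2_32.dll", None, 23),
        ("ADVAPI32.dll", "RegSetValueExW", None),
    ],
    # Same imports, same order: a recompiled build of the same family.
    "family_a_v2": [
        ("KERNEL32.dll", "CreateFileW", None),
        ("KERNEL32.dll", "WriteFile", None),
        ("WS2_32.dll", None, 23),
        ("ADVAPI32.dll", "RegSetValueExW", None),
    ],
    # Same import set, different order: IMPHash is order sensitive.
    "family_a_reordered": [
        ("ADVAPI32.dll", "RegSetValueExW", None),
        ("WS2_32.dll", None, 23),
        ("KERNEL32.dll", "WriteFile", None),
        ("KERNEL32.dll", "CreateFileW", None),
    ],
    # Packed samples resolve their real imports at run time, so the static
    # table only shows the loader APIs.
    "packed_stub_1": [
        ("KERNEL32.dll", "LoadLibraryA", None),
        ("KERNEL32.dll", "GetProcAddress", None),
    ],
    "packed_stub_2": [
        ("KERNEL32.dll", "LoadLibraryA", None),
        ("KERNEL32.dll", "GetProcAddress", None),
    ],
}

# Imports that say nothing about the payload; a table made only of these
# is typically an unpacking stub.
LOADER_APIS = {"loadlibrarya", "loadlibraryw", "getprocaddress", "getmodulehandlea"}


def imphash(imports):
    """IMPHash per the pefile convention. Assumption: pefile additionally
    maps known ordinals of ws2_32/oleaut32 to names before hashing; that
    lookup table is omitted here, so ordinals always become 'ord<N>'."""
    parts = []
    for dll, func, ordinal in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        name = func.lower() if func else f"ord{ordinal}"
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def is_loader_only(imports):
    """True when every imported symbol is a loader API, i.e. the IMPHash
    will collide with every other sample packed the same way."""
    names = {func.lower() for _, func, _ in imports if func}
    return bool(names) and names <= LOADER_APIS and len(names) == len(imports)


def cluster_by_imphash(samples):
    """Exact-match grouping: IMPHash has no similarity metric, so 'clustering'
    on it is just bucketing equal digests."""
    clusters = defaultdict(list)
    for name, imports in samples.items():
        clusters[imphash(imports)].append(name)
    return dict(clusters)


def low_information_clusters(samples):
    """Digests whose members are all loader-only stubs; these clusters
    should be excluded or sent to dynamic analysis rather than treated as
    a family."""
    return sorted(
        h for h, members in cluster_by_imphash(samples).items()
        if all(is_loader_only(samples[m]) for m in members)
    )


if __name__ == "__main__":
    for h, members in cluster_by_imphash(SAMPLES).items():
        print(h, members)
    print("loader-only clusters:", low_information_clusters(SAMPLES))
```

Running it shows three buckets: the two family_a builds together, the reordered variant on its own, and both packed stubs sharing one digest that the loader-only check flags. K-means over SSDeep or TLSH digests does not fall out of this code: those digests are strings with their own comparison functions rather than Euclidean vectors, so they first need a numeric embedding (for TLSH, the 2-bit bucket counts in the digest body are one option) or a distance-matrix method such as k-medoids.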
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Digital and Cyber Forensics
