A Critical Review of Spatial Analysis

Presented at ShmooCon X (2014), Jan. 18, 2014, noon (60 minutes).

Spatial Analysis is a recently proposed idea: a static analysis of a file's byte sequences in which simple statistical features are computed, fused and plotted onto a 2-D grid, from which new exploitable information is obtained. The new information is the spatial structural similarity of byte sequences located within files believed to be similar and related. The structure is generated by moving a simple fixed-size sliding window along the byte sequence of a file and calculating features (mean and standard deviation) for each window. These features are used to determine matches between highly similar but not necessarily identical byte sequences: sequences whose features map into the same grid cell region are treated as "near" one another.
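As an added illustration of the mechanism the abstract describes (this is not the presenters' code, nor the Spatial Analysis implementation they reviewed), the Python sketch below slides a fixed-size window over a byte sequence, computes (mean, standard deviation) per window, quantises each pair into a 2-D grid cell, and scores two files by the overlap of the cells they occupy. The window size of 16, step of 1, cell size of 8, the use of population standard deviation, and Jaccard overlap as the "nearness" score are all assumptions; the abstract fixes only the sliding window and the two features. The three byte sequences are constructed for the example and are not malware.

```python
"""Sliding-window (mean, stdev) features quantised to a 2-D grid.

Added example, not the presenters' code.  Window size, step, cell size
and the Jaccard similarity over occupied cells are assumptions.
"""
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, Iterator, Tuple

Cell = Tuple[int, int]  # (mean cell, stdev cell)


def window_features(data: bytes, window: int = 16, step: int = 1) -> Iterator[Tuple[float, float]]:
    """Slide a fixed-size window along data, yielding (mean, stdev) per window."""
    if len(data) < window:
        raise ValueError("sequence shorter than the window")
    for start in range(0, len(data) - window + 1, step):
        chunk = data[start:start + window]
        yield mean(chunk), pstdev(chunk)


def to_cell(mu: float, sigma: float, cell_size: int = 8) -> Cell:
    """Quantise one (mean, stdev) pair to a grid cell.

    Byte means lie in [0, 255] and population stdevs in [0, 127.5], so a
    cell size of 8 (assumption) gives a 32 x 16 grid.  Two windows that
    differ in a few bytes usually land in the same cell: that is the
    "highly similar but not necessarily identical" match.
    """
    return int(mu // cell_size), int(sigma // cell_size)


def grid_occupancy(data: bytes, window: int = 16, step: int = 1, cell_size: int = 8) -> Dict[Cell, int]:
    """Count how many windows of data fall into each grid cell."""
    return Counter(to_cell(mu, sigma, cell_size)
                   for mu, sigma in window_features(data, window, step))


def grid_similarity(a: bytes, b: bytes, **kw) -> float:
    """Jaccard overlap of the occupied cells of two sequences (assumption:
    the abstract only says shared cell regions indicate nearness)."""
    cells_a = set(grid_occupancy(a, **kw))
    cells_b = set(grid_occupancy(b, **kw))
    if not cells_a and not cells_b:
        return 1.0
    return len(cells_a & cells_b) / len(cells_a | cells_b)


def render_grid(occupancy: Dict[Cell, int], cell_size: int = 8) -> str:
    """ASCII view: columns are mean cells, rows are stdev cells (high on top)."""
    cols = 256 // cell_size
    rows = 128 // cell_size
    lines = []
    for r in range(rows - 1, -1, -1):
        lines.append("".join("#" if (c, r) in occupancy else "." for c in range(cols)))
    return "\n".join(lines)


# Constructed sample inputs (not real files).
BASE = bytes(range(128)) + bytes(range(128, 0, -1))        # smooth ramp up then down
_variant = bytearray(BASE)
_variant[100:108] = b"\xff" * 8                            # a short patch of changed bytes
VARIANT = bytes(_variant)                                  # "family member" of BASE
UNRELATED = b"\xff" * 256                                  # constant, shares no cells with BASE


if __name__ == "__main__":
    print("base vs base     :", grid_similarity(BASE, BASE))
    print("base vs variant  :", round(grid_similarity(BASE, VARIANT), 3))
    print("base vs unrelated:", grid_similarity(BASE, UNRELATED))
    print(render_grid(grid_occupancy(VARIANT)))
```

The comparison of BASE against VARIANT is the interesting case: most windows are untouched and fall into the same cells, while the windows that straddle the eight altered bytes gain a large standard deviation and open new cells, so the score drops below 1 without reaching 0. Whether such scores separate real malware families from unrelated files is exactly the assumption the talk sets out to test; this sketch only shows what the features measure.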

The idea of being able to discern malware family members based on the similarity of byte sequences could prove invaluable as a quick assessment tool for the analyst currently relying on dynamic and static techniques. We take a first look at the validity of some of the assumptions Spatial Analysis makes, to see if there is any merit to the idea, and present our initial findings.


Presenters:

  • David Giametta
    David is a relatively new analyst, having graduated only in 2011 from Mississippi State University with a degree in Software Engineering. Since graduating he has published two Android applications, is working on his third, and has joined Sentar in order to further develop his skills in malware analysis research, cyber security and automated analysis algorithms.
  • Andrew Potter
    Andrew has 30 years of experience in information systems research and development, including automated malware analysis, cyber security, multi-agent systems, expert systems, collaborative learning environments, explanation aware computing, and computer usability studies.