SARVAM is a demonstration of a research project on fast, large-scale search, retrieval and classification of malware and goodware using techniques from signal processing and machine learning. Submit a Windows executable and retrieve the top similar matches from the database, or look up an already analysed sample by its MD5 hash.

How SARVAM Works

For a sample implementation and technical details, see our blog post, Finding Visually Similar Malware among Millions of Malware, and our paper, SARVAM: Search And RetrieVAl of Malware.

SARVAM uses a simple yet effective method for visualizing and classifying malware with image processing techniques. A binary is visualized as a gray-scale image: each byte is read as an 8-bit pixel intensity and the bytes are laid out row by row. The observation behind the method is that, for many malware families, the images of samples from the same family look very similar in layout and texture.

Most new malware is a modification of existing malware, so variants share almost all of their content. Likewise, newer versions of goodware usually differ from the previous version only by small additions or modifications. We maintain a database of more than 4 million binaries, comprising a blacklist of malware and a whitelist of goodware.

Users can upload new binaries; an image-based similarity feature is computed for each upload with signal processing algorithms and compared against the database to return the top matches.
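The following Python sketch is an added illustration of the pipeline just described, not SARVAM's own code: raw bytes are laid out as a gray-scale image, a global texture feature is computed from the image, and the feature is matched against an index by nearest neighbour, with entries keyed by MD5 so a known sample can also be looked up by hash. Three things are assumptions: the file-size-to-width table (reproduced from memory from the Malware Images paper listed below), the feature (a block-averaged 8x8 thumbnail standing in for the GIST-style descriptor the papers use), and the sample "binaries", which are constructed byte strings with a PE-like section layout rather than real executables.

```python
import hashlib
import random
from typing import Dict, List, Optional, Tuple

# File size (bytes) -> image width (pixels). ASSUMPTION: reproduces the width table of the
# "Malware Images" (VizSec 2011) paper from memory; this page itself does not state the rule.
WIDTH_TABLE = [(10 * 1024, 32), (30 * 1024, 64), (60 * 1024, 128), (100 * 1024, 256),
               (200 * 1024, 384), (500 * 1024, 512), (1000 * 1024, 768)]


def image_width(size: int) -> int:
    """Row width for a binary of `size` bytes; anything at or above 1000 kB gets 1024."""
    for limit, width in WIDTH_TABLE:
        if size < limit:
            return width
    return 1024


def to_grayscale(data: bytes) -> List[List[int]]:
    """Lay the raw bytes out row by row; each byte is one 0..255 pixel intensity.
    The final row is padded with black (0) so every row has the same length."""
    if not data:
        raise ValueError("empty binary")
    width = image_width(len(data))
    rows = [list(data[i:i + width]) for i in range(0, len(data), width)]
    rows[-1].extend([0] * (width - len(rows[-1])))
    return rows


def texture_feature(img: List[List[int]], grid: int = 8) -> List[float]:
    """Crude global texture descriptor: mean intensity of each cell of a grid x grid
    partition of the image (a block-averaged thumbnail). It captures the section layout
    of a binary regardless of its exact size. ASSUMPTION: stand-in for SARVAM's GIST feature."""
    height, width = len(img), len(img[0])
    feat = []
    for gy in range(grid):
        y0 = height * gy // grid
        y1 = max(height * (gy + 1) // grid, y0 + 1)   # never an empty row band
        for gx in range(grid):
            x0, x1 = width * gx // grid, width * (gx + 1) // grid
            total = sum(sum(row[x0:x1]) for row in img[y0:y1])
            feat.append(total / ((y1 - y0) * (x1 - x0)))
    return feat


def euclidean(a: List[float], b: List[float]) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


class SimilarityIndex:
    """Toy stand-in for the multi-million-sample database: brute-force nearest neighbour
    over feature vectors, keyed by MD5 so a known sample can also be looked up by hash."""

    def __init__(self) -> None:
        self.features: Dict[str, List[float]] = {}
        self.labels: Dict[str, str] = {}

    def add(self, label: str, data: bytes) -> str:
        digest = hashlib.md5(data).hexdigest()
        self.features[digest] = texture_feature(to_grayscale(data))
        self.labels[digest] = label
        return digest

    def by_md5(self, digest: str) -> Optional[str]:
        return self.labels.get(digest)

    def query(self, data: bytes, top: int = 3) -> List[Tuple[str, float]]:
        q = texture_feature(to_grayscale(data))
        ranked = sorted(((self.labels[h], euclidean(q, f)) for h, f in self.features.items()),
                        key=lambda t: t[1])
        return ranked[:top]


# Constructed sample "binaries" (not real malware): a sparse header, a dense code-like
# section and a mostly-zero data section, with the code fraction varying per "family".
def make_sample(rng: random.Random, size: int, code_fraction: float) -> bytes:
    header = bytes(rng.choice((0, 0, 0, 0x4D, 0x5A, 0xFF)) for _ in range(512))
    code_len = int((size - 512) * code_fraction)
    code = bytes(rng.getrandbits(8) for _ in range(code_len))
    data = bytes(rng.choice((0, 0, 0, 0, rng.getrandbits(8))) for _ in range(size - 512 - code_len))
    return header + code + data


def make_variant(rng: random.Random, original: bytes, patched: int, appended: int) -> bytes:
    """Mimic a modified variant: patch a few bytes in place and append a small overlay."""
    buf = bytearray(original)
    for _ in range(patched):
        buf[rng.randrange(len(buf))] = rng.getrandbits(8)
    buf.extend(rng.getrandbits(8) for _ in range(appended))
    return bytes(buf)


def demo() -> Tuple[List[Tuple[str, float]], Optional[str]]:
    rng = random.Random(7)
    family_a = make_sample(rng, 20000, 0.6)
    index = SimilarityIndex()
    digest_a = index.add("FamilyA.sample1", family_a)
    index.add("FamilyB.sample1", make_sample(rng, 21000, 0.2))
    index.add("Goodware.tool", make_sample(rng, 19000, 0.9))
    variant = make_variant(rng, family_a, patched=400, appended=300)   # unseen FamilyA variant
    return index.query(variant), index.by_md5(digest_a)


if __name__ == "__main__":
    matches, label = demo()
    for name, dist in matches:
        print(f"{name:18s} distance={dist:7.2f}")
    print("md5 lookup:", label)
```

The variant never appears in the index, yet its nearest neighbour is the original it was derived from, because the block-averaged layout is barely disturbed by a few hundred patched bytes and a small appended overlay; the two samples with different section proportions land far away. A real deployment replaces the brute-force loop with an approximate nearest-neighbour index, which is what makes the 2 s matching time over millions of samples quoted below achievable.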

Example of similarity in Malware

The two images below are gray-scale image maps of two different Fakerean malware variants.

How long does it take to find a match?

Computing the image-based similarity feature: 50 ms

Finding nearest-neighbor matches against a 4 million sample database on a single machine: 2 s (faster matching is possible)

Some other curious examples

Gray-scale images of some binaries that happen to resemble a spider and a girl.

Related Publications

"SARVAM: Search And RetrieVAl of Malware". Lakshmanan Nataraj, Dhilung Kirat, B. S. Manjunath and Giovanni Vigna. NGMAD 2013.

"SigMal: A Static Signal Processing Based Malware Triage". Dhilung Kirat, Lakshmanan Nataraj, Giovanni Vigna and B. S. Manjunath. ACSAC 2013.

"A Comparative Assessment of Malware Classification using Binary Texture Analysis and Dynamic Analysis". Lakshmanan Nataraj, Vinod Yegneswaran, Phil Porras and Jian Zhang. AISec 2011.

"Malware Images: Visualization and Automatic Classification". Lakshmanan Nataraj, S. Karthikeyan, Gregoire Jacob and B. S. Manjunath. VizSec 2011.

Team

Gautam Korlam / Lakshmanan Nataraj / B. S. Manjunath