SARVAM is a demonstration of the research project on fast large scale search, retrieval and classification of malware/goodware using techniques from signal processing and machine learning. Submit a Windows executable and retrieve the top similar matches. You may also search for existing or analysed malware using an executable's MD5 hash.
SARVAM uses a simple yet effective method for visualizing and classifying malware using image processing techniques. Malware binaries are visualized as gray-scale images, with the observation that for many malware families, the images belonging to the same family appear very similar in layout and texture.
Most of the new malware are modifications of existing malware. Thus the variants have almost the same content. For goodware, the newer versions usually have small additions/modifications to the previous versions. We maintain a database of more than 4 Million binaries comprising a blacklist of malware and a whitelist of goodware.
Users can upload new binaries and obtain the top matches using signal processing algorithms.
The two images below represent gray-scale image maps of different Fakeran malware variants.
Computing Image based Similarity Feature: 50 ms
Finding Nearest Neighbor Matches with a 4 Million Malware Database on a single machine: 2 s (even faster matching time possible)
Images of a spider and a girl visualised using the gray-scale images of some binaries
"SigMal: A Static Signal Processing Based Malware Triage". Dhilung Kirat, Lakshmanan Nataraj, Giovanni Vigna and B.S Manjunath - ACSAC 2013
"A Comparative Assessment of Malware Classification using Binary Texture Analysis and Dynamic Analysis". Lakshmanan Nataraj, Vinod Yegneswaran, Phil Porras, Jian Zhang - AISec 2011
"Malware Images : Visualization and Automatic Classification". Lakshmanan Nataraj, S. Karthikeyan, Gregoire Jacob, B.S Manjunath - VizSec 2011