CRLG
Dec 10, 2025

Comparative Analysis of Hash-based Malware Clustering via K-Means

arXiv:2512.09539v1 · 1 citation · h-index: 16
Originality: Synthesis-oriented
AI Analysis

This work addresses malware detection for cybersecurity, but it is incremental as it compares existing methods without introducing new techniques.

The paper tackles the problem of clustering malware samples by evaluating hash-based algorithms (SSDeep, TLSH, IMPHash) combined with K-means, finding that TLSH and IMPHash produce more distinct clusters, while SSDeep is more efficient for broader classification.

With the adoption of multiple digital devices in everyday life, the cyber-attack surface has increased. Adversaries are continuously exploring new avenues to exploit them and deploy malware. On the other hand, detection approaches typically employ hashing-based algorithms such as SSDeep, TLSH, and IMPHash to capture structural and behavioural similarities among binaries. This work focuses on the analysis and evaluation of these techniques for clustering malware samples using the K-means algorithm. More specifically, we experimented with established malware families and traits and found that TLSH and IMPHash produce more distinct, semantically meaningful clusters, whereas SSDeep is more efficient for broader classification tasks. The findings of this work can guide the development of more robust threat-detection mechanisms and adaptive security mechanisms.

Foundations

The foundational work for this paper's niche, ranked by how specifically the neighbourhood builds on it — not by global fame.
