Identification of Subspecific Malware by Utilizing Kullback-Leibler Divergences

We report the result of experiments in which we detected subspecific malware of a fiducial one included in FFRI Dataset 2013. Specifically, we found Kullback-Leibler divergences between two Dirichlet distributions of the base malware and every other malware in the dataset by calculating posterior probability distributions. Kullback-Leibler divergence represents a non-symmetric distance between two probability distributions P and Q. To find the posterior probability distribution, It is necessary to plug the multinomial distribution as patterns of Windows API calls and the conjugate prior distribution of the multinomial distribution into Bayes’ theorem and to calculate this theorem.