{"id":13791439,"url":"https://github.com/rieck/malheur","last_synced_at":"2025-05-12T14:30:40.861Z","repository":{"id":46751503,"uuid":"193824","full_name":"rieck/malheur","owner":"rieck","description":"A Tool for Automatic Analysis of Malware Behavior","archived":false,"fork":false,"pushed_at":"2019-05-08T19:49:27.000Z","size":228544,"stargazers_count":368,"open_issues_count":1,"forks_count":101,"subscribers_count":56,"default_branch":"master","last_synced_at":"2024-11-18T06:40:44.304Z","etag":null,"topics":["classification","clustering","machine-learning","malware-analysis"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rieck.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2009-05-06T10:03:07.000Z","updated_at":"2024-10-03T05:11:08.000Z","dependencies_parsed_at":"2022-09-13T02:00:41.644Z","dependency_job_id":null,"html_url":"https://github.com/rieck/malheur","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rieck%2Fmalheur","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rieck%2Fmalheur/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rieck%2Fmalheur/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rieck%2Fmalheur/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rieck","download_url":"https://codeload.github.com/rieck/malheur/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","rep
ositories_count":253754959,"owners_count":21958933,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["classification","clustering","machine-learning","malware-analysis"],"created_at":"2024-08-03T22:01:00.234Z","updated_at":"2025-05-12T14:30:39.556Z","avatar_url":"https://github.com/rieck.png","language":"C","readme":"\nMalheur - Automatic Analysis of Malware Behavior\n==\n\nThis software belongs to the publication\n\n\u003e Konrad Rieck, Philipp Trinius, Carsten Willems, and Thorsten Holz.\n\u003e Automatic Analysis of Malware Behavior using Machine Learning.\n\u003e Journal of Computer Security (JCS), 19 (4), 639–668, June 2011. \n\u003e [Preprint](doc/2011-jcs.pdf)\n \nIntroduction \n--\n\nMalheur is a tool for the automatic analysis of malware behavior (program\nbehavior recorded from malicious software in a sandbox environment).  It\nhas been designed to support the regular analysis of malicious software and\nthe development of detection and defense measures.  Malheur allows for\nidentifying novel classes of malware with similar behavior and assigning\nunknown malware to discovered classes.  It supports four basic actions for\nanalysis which can be applied to reports of recorded behavior:\n\n1. *Extraction of prototypes:*\n    From a given set of reports, malheur identifies a subset of\n    prototypes representative for the full data set. The prototypes\n    provide a quick overview of recorded behavior and can be used to\n    guide manual inspection.\n\n2. 
*Clustering of behavior:* \n    Malheur automatically identifies groups (clusters) of reports\n    containing similar behavior. Clustering allows for discovering novel\n    classes of malware and provides the basis for crafting specific\n    detection and defense mechanisms, such as anti-virus signatures.\n\n3. *Classification of behavior:* \n    Based on a set of previously clustered reports, malheur is able to\n    assign unknown behavior to known groups of malware. Classification\n    enables identifying novel and unknown variants of malware and can be\n    used to filter program behavior prior to manual inspection.\n\n4. *Incremental analysis:* \n    Malheur can be applied incrementally for analysis of large data\n    sets. By processing reports in chunks, the run-time as well as\n    memory requirements can be significantly reduced. This renders\n    long-term application of malheur feasible, for example for daily\n    analysis of incoming malware programs.\n\nA detailed description of these techniques as well as technical\nbackground on analysis of malicious software is provided in the\nfollowing articles:\n\n+ \"Automatic Analysis of Malware Behavior using Machine Learning.\"\n  Konrad Rieck, Philipp Trinius, Carsten Willems, and Thorsten Holz\n  Journal of Computer Security (JCS), 19 (4), 639-668, 2011.\n\n+ \"A Malware Instruction Set for Behavior-Based Analysis.\"\n  Philipp Trinius, Carsten Willems, Thorsten Holz, and Konrad Rieck\n  Technical report TR-2009-07, University of Mannheim, 2009.\n\nDependencies\n--\n\n+   libconfig \u003e= 1.4, \u003chttp://www.hyperrealm.com/libconfig/\u003e\n+   libarchive \u003e= 3.1.2, \u003chttp://libarchive.github.com/\u003e\n\n#### Debian \u0026 Ubuntu Linux\n\nThe following packages need to be installed for compiling Malheur on Debian\nand Ubuntu Linux:\n\n    gcc\n    libconfig9-dev\n    libarchive-dev\n\nFor bootstrapping Malheur from the GIT repository or manipulating the\nautomake/autoconf configuration, the 
following additional packages are\nnecessary:\n\n    automake\n    autoconf\n    libtool\n\n#### Mac OS X\n\nFor compiling Malheur on Mac OS X a working installation of Xcode is required\nincluding `gcc`.  Additionally, the following packages need to be installed\nvia Homebrew:\n\n    libconfig\n    libarchive (from homebrew-alt)\n\n#### OpenBSD\n\nFor compiling Malheur on OpenBSD the following packages are required. Note\nthat you need to use `gmake` instead of `make` for building Malheur.\n\n    gmake\n    libconfig\n    libarchive\n\nFor bootstrapping Malheur from the GIT repository, the following packages\nneed to be installed additionally:\n\n    autoconf\n    automake\n    libtool\n\nCompilation \u0026 Installation\n--\n\nFrom the GIT repository, first generate the build system by running\n\n    $ ./bootstrap\n\nand then continue with the steps below. From a tarball run\n\n    $ ./configure [options]\n    $ make\n    $ make check\n    $ make install\n\nOptions for configure:\n\n    --prefix=PATH           Set directory prefix for installation\n\nBy default Malheur is installed into /usr/local. If you prefer\na different location, use this option to select an installation\ndirectory.\n\nLicense\n--\n\nThis program is free software; you can redistribute it and/or modify\nit under the terms of the GNU General Public License as published by\nthe Free Software Foundation; either version 3 of the License, or\n(at your option) any later version.  This program is distributed\nwithout any warranty. 
See the GNU General Public License for more\ndetails.\n\nCopyright\n--\n\nCopyright (c) 2009-2015 Konrad Rieck (konrad@mlsec.org)\nUniversity of Goettingen, Berlin Institute of Technology\n","funding_links":[],"categories":["Online Scanners and Sandboxes","Tools",":wrench: Tools"],"sub_categories":["Other Resources","Malware / AV","Before 2000"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frieck%2Fmalheur","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frieck%2Fmalheur","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frieck%2Fmalheur/lists"}
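The README embedded in the record above states minimum library versions (libconfig >= 1.4, libarchive >= 3.1.2) and a build procedure (bootstrap, configure with an optional --prefix, make, make check, make install, with gmake on OpenBSD), but the distribution packages it lists do not guarantee those minimums. The following POSIX shell helper is an added example, not code from the Malheur project or from this record: it checks the installed versions through pkg-config before running the README's build steps. The pkg-config module names `libconfig` and `libarchive` are assumptions; adjust them if your platform registers the libraries under different names.

```shell
#!/bin/sh
# Added example (not part of Malheur): pre-flight dependency check for the
# build described in the README, followed by the README's build steps.
# Assumption: the libraries register pkg-config modules named "libconfig"
# and "libarchive".

# version_ge A B: succeed if dotted version A >= B, comparing numerically
# component by component; non-numeric suffixes such as "-rc1" are ignored.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"   # drop "-rc1" and similar
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# check_dep MODULE MIN: succeed if pkg-config knows MODULE at version >= MIN.
check_dep() {
    mod="$1"; min="$2"
    ver=$(pkg-config --modversion "$mod" 2>/dev/null) || {
        echo "missing: $mod (no pkg-config module found)" >&2
        return 1
    }
    if version_ge "$ver" "$min"; then
        echo "ok: $mod $ver (>= $min)"
    else
        echo "too old: $mod $ver (need >= $min)" >&2
        return 1
    fi
}

# build_malheur [PREFIX]: verify the README's minimum versions, then run the
# README's build steps from the unpacked source tree. ./bootstrap is only
# present in a GIT checkout, so it is skipped for a tarball.
build_malheur() {
    prefix="${1:-/usr/local}"
    check_dep libconfig 1.4 || return 1
    check_dep libarchive 3.1.2 || return 1
    make_cmd=make
    command -v gmake >/dev/null 2>&1 && make_cmd=gmake   # OpenBSD needs gmake
    if [ -x ./bootstrap ]; then ./bootstrap || return 1; fi
    ./configure --prefix="$prefix" &&
        "$make_cmd" && "$make_cmd" check && "$make_cmd" install
}

# Usage: MALHEUR_PREFIX=/opt/malheur sh check-malheur-deps.sh
# (hypothetical file name; run from the Malheur source directory)
if [ -n "${MALHEUR_PREFIX:-}" ]; then
    build_malheur "$MALHEUR_PREFIX"
fi
```

The version comparison is done per component rather than as a string so that, for example, libarchive 3.1.10 is correctly accepted against the 3.1.2 minimum; a plain string comparison would reject it. `make check` is kept in the sequence because it is the only step in the README that exercises the built binary before it is installed.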