Paper Abstract

Homology Analysis of Malicious Code Based on Dynamic-behavior Fingerprint

Authors: ZHENG Rong-Feng, FANG Yong, LIU Liang (College of Electronics and Information Engineering, Sichuan University)

Received: 2015-12-07          Year, volume(issue), pages: 2016, 53(4): 793-798

Journal: Journal of Sichuan University (Natural Science Edition)

Keywords: Malicious code; Homology; Dynamic behaviors; Fingerprint characteristics

Funding:

Abstract (Chinese original, translated)

Malicious code is growing explosively in cyberspace, yet most of it consists of variants of existing code. By studying the behavior characteristics of malicious code, this paper proposes a new method for judging the homology of malicious code. Starting from the behavior of the malicious code, it extracts a behavior fingerprint and uses a fingerprint matching algorithm to analyze whether a malicious sample is a variant of a known sample. After research and analysis, three kinds of characteristics were finally selected to describe the dynamic-behavior fingerprint of malware: (i) the naming characteristics of strings; (ii) the change characteristics of the registry; (iii) the characteristics of the call order around key API functions. The fingerprint matching algorithm computes a similarity measure between different malicious code samples, on which the homology analysis is based. Experimental results show that the method can effectively perform homology analysis on different malicious code samples and their variants.

Abstract (English)

Malicious code is growing explosively in network space, and many malicious samples are variants of previously encountered samples. This paper presents a novel approach to investigating the homology of malicious code based on behavior characteristics. To distinguish variants of malicious code, we extract the dynamic-behavior fingerprint of malware and then use a fingerprint matching algorithm to compute the similarity between malware samples. Through our study, we finally select three behavior characteristics as the dynamic-behavior fingerprint of malware: (i) the naming of strings, (ii) registry changes, and (iii) the sequence of key API calls. Finally, we compute similarity values between different malware samples to determine the homology of the malicious code. Experiments show that the approach effectively investigates the homology of malicious code.
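As an added illustration (not code from the paper, whose matching algorithm, feature encodings and thresholds are not given on this page), the following Python sketch models a dynamic-behavior fingerprint with the three characteristics the abstract names and scores a pair of samples with an assumed combination: Jaccard similarity on the string-name and registry-change sets, normalized longest-common-subsequence similarity on the key-API call sequence, and a weighted sum. The sample fingerprints, the weights and the variant threshold are all constructed here for the example.

```python
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class BehaviorFingerprint:
    """The three dynamic-behavior characteristics named in the abstract."""
    strings: frozenset            # (i) names of strings observed during execution
    registry_changes: frozenset   # (ii) registry keys/values the sample created or modified
    api_sequence: tuple           # (iii) ordered sequence of key API calls


def jaccard(a: frozenset, b: frozenset) -> float:
    """Set overlap in [0, 1]; two empty sets are treated as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def lcs_length(a: Sequence[str], b: Sequence[str]) -> int:
    """Longest common subsequence length via a rolling dynamic-programming row."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def sequence_similarity(a: Sequence[str], b: Sequence[str]) -> float:
    """LCS normalized by the longer sequence, so inserted calls (e.g. Sleep) cost little."""
    if not a and not b:
        return 1.0
    return lcs_length(a, b) / max(len(a), len(b))


def fingerprint_similarity(f1: BehaviorFingerprint, f2: BehaviorFingerprint,
                           weights=(0.3, 0.3, 0.4)) -> float:
    """Weighted combination of the three per-characteristic scores (weights are assumed)."""
    w_str, w_reg, w_api = weights
    return (w_str * jaccard(f1.strings, f2.strings)
            + w_reg * jaccard(f1.registry_changes, f2.registry_changes)
            + w_api * sequence_similarity(f1.api_sequence, f2.api_sequence))


def is_variant(f1: BehaviorFingerprint, f2: BehaviorFingerprint, threshold=0.7) -> bool:
    """Homology decision: assumed threshold on the combined similarity."""
    return fingerprint_similarity(f1, f2) >= threshold


def nearest_known(sample: BehaviorFingerprint, known: dict) -> tuple:
    """Return (family name, score) of the best-matching known fingerprint."""
    return max(((name, fingerprint_similarity(sample, fp)) for name, fp in known.items()),
               key=lambda item: item[1])


# Constructed sample fingerprints (not from the paper).
SAMPLE_A = BehaviorFingerprint(
    strings=frozenset({"svchost_backup", "UpdateSvc", "cfg.dat"}),
    registry_changes=frozenset({
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateSvc",
        r"HKCU\Software\UpdateSvc\Config",
    }),
    api_sequence=("CreateFileW", "WriteFile", "RegOpenKeyExW", "RegSetValueExW",
                  "InternetOpenW", "InternetConnectW", "HttpSendRequestW"),
)

# A variant: one string renamed, same registry footprint, one extra Sleep call inserted.
VARIANT_A = BehaviorFingerprint(
    strings=frozenset({"svchost_backup", "UpdateSvc", "cfg2.dat"}),
    registry_changes=SAMPLE_A.registry_changes,
    api_sequence=("CreateFileW", "WriteFile", "Sleep", "RegOpenKeyExW", "RegSetValueExW",
                  "InternetOpenW", "InternetConnectW", "HttpSendRequestW"),
)

# An unrelated sample sharing only two very common file APIs.
UNRELATED_B = BehaviorFingerprint(
    strings=frozenset({"keylog.txt", "hook"}),
    registry_changes=frozenset({r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\kl"}),
    api_sequence=("SetWindowsHookExW", "GetAsyncKeyState", "CreateFileW", "WriteFile"),
)

if __name__ == "__main__":
    known = {"family_a": SAMPLE_A, "family_b": UNRELATED_B}
    print("A vs variant:", round(fingerprint_similarity(SAMPLE_A, VARIANT_A), 3))
    print("A vs unrelated:", round(fingerprint_similarity(SAMPLE_A, UNRELATED_B), 3))
    print("nearest family for variant:", nearest_known(VARIANT_A, known))
```

Normalizing the API score by the longer sequence is what keeps a variant that merely inserts calls (a common evasion tweak) close to its parent, while two samples that share only generic file APIs stay well below the threshold; in a real pipeline the weights and threshold would be fitted on labeled families rather than fixed as here.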

Copyright © 2020 Sichuan University Journal Press. All rights reserved.