面對日益複雜的進階持續性滲透攻擊（Advanced Persistent Threat)，惡意軟體分類為數位鑑識中最重要的一環。正確的悪意軟體分類可以得到惡意軟體最完整的系統行為，並且簡化鑑識之分析工作。傳統的悪意軟體分類著重於執行後之動態分析或者是以逆向工程結合静態分析的方式，試圖取得悪意軟體的系統行為資訊，但惡意軟體會透過反虛擬機器監控和混淆技術來降低分類的正確率。
隨著誘捕系統愈來愈健全，誘捕系統所蒐集到的悪意軟體原始碼也日渐增加，藉由分析悪意軟體的原始碼可以得到最正確的悪意軟體分類，因此本論文提出一個自動化悪意軟體分類機制。本論文藉由誘捕系統所擷取之悪意軟體原始碼，利用惡意軟體檔案結構相似度以及原始碼檔案相似度，透過階層式分群演算法（Hierarchical Clustering Algorithmn )之方法，不但可以正確的將新捕捉到的悪意軟體分類到正確的類別也可以快速地找出新類型的悪意軟體。本論文提出的方式可以大幅度減少數位鑑識者針對同一類型的悪意軟體重複進行高成本的分析，亦可在最短時間内了解攻撃者行為以及意圖。透過實驗證明，本論文所提出的系統可以將惡意軟體原始碼做正確的分類，而本論文所提出的方法亦可應用於其他有原始碼分類需求的領域。

In the face of APT (Advanced Persistent Threat), malware classification is one of the promising solutions in the field of digital forensics. In previous literature, researchers performed dynamic analysis or static analysis after reverse engineering. In the other hand, malware developers even use anti-VM and obfuscation techniques try to evade malware classifiers.
Honeypots are increasingly deployed throughout different networks; malware source code is collected and unclassified. Source code analysis provides a better classification for forensics. In this paper, a novel classification approach is proposed, based on logic similarity and directory structure similarity. Hierarchical clustering algorithm finds the best fit classification for each testing data and creates one if none fits well. New type of malware could be identified and then analyzed further. Such classification avoids to reanalyze known malware and allocates resources for new malware. The experimental results demonstrate that the proposed system can classify the malware effectively with a small mis-classification ratio.