Comparative Analysis of Hash-based Malware Clustering via K-Means

📅 2025-12-10
📈 Citations: 0
Influential: 0
🤖 AI Summary
This study systematically evaluates the effectiveness of three hash-based similarity measures—SSDeep, TLSH, and IMPHash—in K-means clustering for malware family identification. Using real-world malware samples, it quantitatively assesses their capacity to model structural and behavioral semantics. Results reveal that TLSH and IMPHash produce semantically clearer clusters with higher intra-cluster consistency, significantly outperforming SSDeep in fine-grained family discrimination; conversely, SSDeep remains indispensable for large-scale preliminary screening due to its superior computational efficiency. The work rigorously delineates the applicability boundaries and configuration trade-offs among these hash functions—e.g., sensitivity to code obfuscation, robustness to semantic-preserving transformations, and scalability under high-dimensional feature spaces. By providing reproducible empirical benchmarks and actionable guidelines, this research establishes a principled foundation for algorithm selection in semantic-aware malware clustering.

📝 Abstract
With the adoption of multiple digital devices in everyday life, the cyber-attack surface has increased, and adversaries are continuously exploring new avenues to exploit these devices and deploy malware. Detection approaches, for their part, typically employ hashing-based algorithms such as SSDeep, TLSH, and IMPHash to capture structural and behavioural similarities among binaries. This work focuses on the analysis and evaluation of these techniques for clustering malware samples using the K-means algorithm. More specifically, we experimented with established malware families and traits and found that TLSH and IMPHash produce more distinct, semantically meaningful clusters, whereas SSDeep is more efficient for broader classification tasks. The findings of this work can guide the development of more robust threat-detection and adaptive security mechanisms.
Problem

Analyzes hash-based malware clustering using the K-means algorithm
Evaluates SSDeep, TLSH, and IMPHash for grouping malware samples
Identifies effective techniques for building robust threat-detection mechanisms
Innovation

Uses TLSH and IMPHash to obtain distinct malware clusters
Applies the K-means algorithm to hash-based malware analysis
Compares the efficiency of SSDeep on broader classification tasks