Behavior-based features model for malware detection

Cited by: 99
Authors
Galal H.S. [1]
Mahdy Y.B. [1]
Atiea M.A. [1]
Affiliations
[1] Faculty of Computers and Information, Assiut University, Assiut
Keywords
Hidden Markov Model; Virtual Machine; Heuristic Function; Control Flow Graph; Benign Sample;
DOI
10.1007/s11416-015-0244-0
Abstract
The sharing of malicious code libraries and techniques over the Internet has vastly increased the release of new malware variants, at an unprecedented rate. Malware variants share similar behaviors yet have different syntactic structures because they incorporate many obfuscation and code-change techniques such as polymorphism and metamorphism. The differing structure of malware variants poses a serious problem for signature-based detection techniques, yet the similar behaviors and actions they exhibit can be a remarkable feature for detecting them with behavior-based techniques. Malware instances also depend largely on API calls provided by the operating system to achieve their malicious tasks. Therefore, behavior-based detection techniques that utilize API calls are promising for the detection of malware variants. In this paper, we propose a behavior-based features model that describes the malicious actions exhibited by a malware instance. To extract the proposed model, we first perform dynamic analysis on a relatively recent malware dataset inside a controlled virtual environment and capture traces of the API calls invoked by malware instances. The traces are then generalized into high-level features we refer to as actions. We assessed the viability of actions with various classification algorithms such as decision tree, random forests, and support vector machine. The experimental results demonstrate that the classifiers attain high accuracy and satisfactory results in the detection of malware variants. © 2015, Springer-Verlag France.
Pages: 59 / 67
Page count: 8