Opcode sequences as representation of executables for data-mining-based unknown malware detection
- INFORMATION SCIENCES 227, 2013
Cited by 12 (0 self)
Abstract
Malware can be defined as any type of malicious code that has the potential to harm a computer or network. The volume of malware is growing faster every year and poses a serious global security threat. Consequently, malware detection has become a critical topic in computer security. Currently, signature-based detection is the most widespread method used in commercial antivirus. In spite of the broad use of this method, it can detect malware only after the malicious executable has already caused damage and provided the malware is adequately documented. Therefore, the signature-based method consistently fails to detect new malware. In this paper, we propose a new method to detect unknown malware families. This model is based on the frequency of the appearance of opcode sequences. Furthermore, we describe a technique to mine the relevance of each opcode and assess the frequency of each opcode sequence. In addition, we provide empirical validation that this new method is capable of detecting unknown malware.
Collective classification for packed executable identification
- In ACM CEAS, 2011
Cited by 3 (0 self)
Abstract
Malware is any software designed to harm computers. Commercial anti-virus products are based on signature scanning, which is a technique effective only when the malicious executables have been previously analysed and identified. Malware writers employ several techniques in order to hide their actual behaviour. Executable packing consists of encrypting or hiding the real payload of the executable. Generic unpacking techniques do not depend on the packer used, as they execute the binary within an isolated environment (namely a 'sandbox') to gather the real code of the packed executable. However, this approach is slow and, therefore, a filter step is required to determine when an executable has been packed. To this end, supervised machine learning approaches trained with static features from the executables have been proposed. Notwithstanding, supervised learning methods need the identification and labelling of a high number of packed and not packed executables. In this paper, we propose a new method for packed executable detection that adopts a collective learning approach to reduce the labelling requirements of completely supervised approaches. We performed an empirical validation demonstrating that the system maintains a high accuracy rate while the labelling efforts are lower than when using supervised learning.
NOA: AN INFORMATION RETRIEVAL BASED MALWARE DETECTION SYSTEM
Cited by 2 (0 self)
Abstract
Communicated by Deepak Gang
Malware refers to any type of code written with the intention of harming a computer or network. The quantity of malware being produced is increasing every year and poses a serious global security threat. Hence, malware detection is a critical topic in computer security. Signature-based detection is the most widespread method used in commercial antivirus solutions. However, signature-based detection can detect malware only once the malicious executable has caused damage and has been conveniently registered and documented. Therefore, the signature-based method fails to detect obfuscated malware variants. In this paper, a new malware detection system is proposed based on information retrieval. For the representation of executables, the frequency of the appearance of opcode sequences is used. Through this architecture a malware detection system prototype is developed and evaluated in terms of performance, malware variant recall (false negative ratio) and false positives.
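As an added example (not code from either of the opcode-sequence papers above), the representation both of them build on, carried through end to end: mnemonics are pulled out of a disassembly, consecutive opcode n-grams are counted, weighted, and the resulting vector is compared against an index of known executables as an information-retrieval system would. The listings, the plain TF-IDF weighting, the cosine nearest-neighbour rule and the 0.5 cut-off are all assumptions standing in for the papers' own relevance mining, which this page does not give.

```python
"""Opcode n-gram representation with TF-IDF weighting and cosine retrieval.

Added example, not code from the papers. The disassembly listings are
hand-constructed; TF-IDF and nearest-neighbour cosine similarity stand in
for the papers' own relevance measure, which is not given on this page.
"""
import math
import re
from collections import Counter

# Constructed listings (Intel syntax, one instruction per line). The two
# "dropper" entries are variants of one family; the other two are benign.
INDEX = {
    "dropper_a": ("malware", """
        push ebp
        mov  ebp, esp
        xor  eax, eax
        call GetProcAddress
        push eax
        call LoadLibraryA
        xor  eax, eax
        call GetProcAddress
        push eax
        call LoadLibraryA
        ret
    """),
    "dropper_b": ("malware", """
        push ebp
        mov  ebp, esp
        xor  ecx, ecx
        call GetProcAddress
        push eax
        call LoadLibraryA
        xor  ecx, ecx
        call GetProcAddress
        push eax
        call LoadLibraryA
        leave
        ret
    """),
    "add3": ("benign", """
        push ebp
        mov  ebp, esp
        mov  eax, [ebp+8]
        add  eax, [ebp+12]
        imul eax, 3
        pop  ebp
        ret
    """),
    "strlen": ("benign", """
        xor  eax, eax
        cmp  byte [ecx+eax], 0
        je   done
        inc  eax
        jmp  loop
        ret
    """),
}

# Optional "addr:" prefix, then the mnemonic; operands are deliberately ignored.
MNEMONIC = re.compile(r"^\s*(?:[0-9a-fA-F]+:\s+)?([a-z]+)")


def opcodes(listing):
    """Mnemonic sequence of a listing; addresses and operands are dropped."""
    seq = []
    for line in listing.splitlines():
        m = MNEMONIC.match(line)
        if m:
            seq.append(m.group(1))
    return seq


def ngrams(seq, n):
    """Multiset of consecutive opcode n-grams (the 'opcode sequences')."""
    return Counter(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))


def tfidf(counter, df, n_docs):
    """Relative frequency of each n-gram times a smoothed inverse document
    frequency over the index; n-grams never seen in the index get the
    largest idf, so they still count against the vector norm."""
    total = sum(counter.values())
    return {g: (c / total) * (math.log((1 + n_docs) / (1 + df.get(g, 0))) + 1)
            for g, c in counter.items()}


def cosine(a, b):
    dot = sum(w * b.get(g, 0.0) for g, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def build_index(index=INDEX, n=2):
    """Vectorise every known executable; df counts index documents per n-gram."""
    counters = {name: ngrams(opcodes(src), n) for name, (_, src) in index.items()}
    df = Counter()
    for c in counters.values():
        df.update(set(c))
    vectors = {name: tfidf(c, df, len(counters)) for name, c in counters.items()}
    return vectors, df


def rank(sample, n=2, index=INDEX):
    """Known executables ordered by cosine similarity to the sample."""
    vectors, df = build_index(index, n)
    q = tfidf(ngrams(opcodes(sample), n), df, len(vectors))
    scored = [(name, cosine(q, v)) for name, v in vectors.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def detect(sample, n=2, threshold=0.5, index=INDEX):
    """Nearest-neighbour verdict: the best match's label if it is close enough,
    else 'unknown'. The threshold is a tuning knob, not a value from the paper."""
    name, score = rank(sample, n, index)[0]
    return (index[name][0] if score >= threshold else "unknown"), name, score


# Constructed unknown sample: dropper_a with nop padding inserted, the kind
# of trivial change that already breaks a byte-level signature.
UNKNOWN = """
    push ebp
    mov  ebp, esp
    nop
    xor  eax, eax
    call GetProcAddress
    nop
    push eax
    call LoadLibraryA
    xor  eax, eax
    call GetProcAddress
    push eax
    call LoadLibraryA
    ret
"""

if __name__ == "__main__":
    for name, score in rank(UNKNOWN):
        print(f"{name:10s} {score:.3f}")
    print(detect(UNKNOWN))
```

The padded variant still lands on dropper_a with a cosine around 0.67 because the bigrams that carry weight (xor/call, push/call, call/push) survive the inserted nops; the unseen nop bigrams only dilute the score. With a tiny index the idf weights are coarse, and the cut-off has to be chosen on held-out data: too low and benign prologue n-grams such as push/mov pull clean binaries toward the malware side.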
Using Opcode Sequences in Single-Class Learning to Detect Unknown Malware
Cited by 1 (0 self)
Abstract
Malware is any type of malicious code that has the potential to harm a computer or network. The volume of malware is growing at a faster rate every year and poses a serious global security threat. Although signature-based detection is the most widespread method used in commercial antivirus programs, it consistently fails to detect new malware. Supervised machine-learning models have been used to address this issue. However, the use of supervised learning is limited because it needs a large amount of malicious code and benign software to first be labelled. In this paper, we propose a new method that uses single-class learning to detect unknown malware families. This method is based on examining the frequencies of the appearance of opcode sequences to build a machine-learning classifier using only one set of labelled instances within a specific class of either malware or legitimate software. We performed an empirical study that shows that this method can reduce the effort of labelling software while maintaining high accuracy.
Statistical Analysis Between Malware and Benign Based on IA-32 Instruction
Abstract
Malicious software is one of the serious threats in the information society. As a natural result of evolving malicious software, techniques for detecting malicious software are also progressing. Statistical data about existing malicious software is most important for detecting new malicious software. Studies of statistical malicious software analysis so far have mainly focused only on the opcode, which is a part of the whole instruction. This paper analyses statistical data which considers the whole instruction, not only the opcode but also 5 types of operands. We find that the majority of instructions in both benign and malicious software are related to function calls, so they cannot be a good predictor for detecting malicious software. But, as the benign instruction frequency gets smaller, the relation between rare instructions and malicious software classes multiplies. Also, this paper discovers some instructions which are only used in malicious software.
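An added example, not the paper's code, of the comparison it describes: the same IA-32 listings tokenised once by opcode only and once by the whole instruction (mnemonic plus the class of each operand), with per-corpus frequencies, the set of instructions that occur only in the malicious corpus, and the malicious/benign frequency ratio of shared instructions. The listings are hand-constructed and the four operand classes (reg, imm, mem, sym) are an assumption standing in for the paper's five operand types.

```python
"""Whole-instruction statistics (mnemonic plus operand classes) for benign vs
malicious IA-32 code.

Added example, not the paper's code. The listings are hand-constructed and
the operand classes used here (reg, imm, mem, sym) are an assumption
standing in for the paper's five operand types.
"""
import re
from collections import Counter

# Constructed benign routines: argument passing and a malloc/free pair.
BENIGN = [
    """
    push ebp
    mov ebp, esp
    push esi
    mov esi, [ebp+8]
    push esi
    call strlen
    add esp, 4
    test eax, eax
    jz done
    push esi
    call puts
    add esp, 4
    pop esi
    pop ebp
    ret
    """,
    """
    push ebp
    mov ebp, esp
    sub esp, 16
    mov eax, [ebp+8]
    cmp eax, 0
    jl error
    push eax
    call malloc
    add esp, 4
    mov [ebp-4], eax
    push eax
    call free
    add esp, 4
    xor eax, eax
    leave
    ret
    """,
]

# Constructed malicious routines: timing reads, an IDT probe and indirect
# calls through resolved import addresses.
MALWARE = [
    """
    push ebp
    mov ebp, esp
    rdtsc
    mov [ebp-4], eax
    sidt [ebp-12]
    xor eax, eax
    push eax
    push aKernel32
    call LoadLibraryA
    push eax
    call GetProcAddress
    xor ecx, ecx
    mov [ebp-8], eax
    call eax
    leave
    ret
    """,
    """
    xor eax, eax
    xor ecx, ecx
    rdtsc
    push eax
    call GetTickCount
    xor edx, edx
    mov ecx, [esp+4]
    call ecx
    push 0
    call ExitProcess
    """,
]

REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp",
        "ax", "bx", "cx", "dx", "si", "di", "bp", "sp",
        "al", "bl", "cl", "dl", "ah", "bh", "ch", "dh"}
IMMEDIATE = re.compile(r"^-?(0x[0-9a-f]+|[0-9]+)$")
CALL_RELATED = {"call", "push", "pop", "ret", "leave"}


def operand_class(operand):
    """Map an operand to its class: memory, register, immediate or symbol."""
    operand = operand.strip().lower()
    if "[" in operand:
        return "mem"
    if operand in REGS:
        return "reg"
    if IMMEDIATE.match(operand):
        return "imm"
    return "sym"  # label, import name or other symbolic target


def whole_instruction(line):
    """'mov esi, [ebp+8]' -> 'mov reg,mem'; comments and blank lines -> None."""
    line = line.split(";")[0].strip().lower()
    if not line:
        return None
    parts = line.split(None, 1)
    if len(parts) == 1:
        return parts[0]
    return parts[0] + " " + ",".join(operand_class(o) for o in parts[1].split(","))


def opcode_only(line):
    """The opcode-only baseline: keep the mnemonic, discard the operands."""
    token = whole_instruction(line)
    return token.split()[0] if token else None


def frequency(corpus, key=whole_instruction):
    """Relative frequency of each token over all listings in a corpus."""
    counts = Counter()
    for listing in corpus:
        for line in listing.splitlines():
            token = key(line)
            if token:
                counts[token] += 1
    total = sum(counts.values())
    return {token: c / total for token, c in counts.items()}


def only_in(freq_a, freq_b):
    """Tokens that occur in corpus A but never in corpus B."""
    return sorted(set(freq_a) - set(freq_b))


def enrichment(mal, ben):
    """Shared tokens ranked by malicious/benign frequency ratio; the ratio
    grows as a token becomes rarer in benign code."""
    shared = [(t, mal[t] / ben[t]) for t in mal if t in ben]
    return sorted(shared, key=lambda item: item[1], reverse=True)


def call_related_share(opcode_freq):
    """Fraction of instructions that are call, push, pop, ret or leave."""
    return sum(f for op, f in opcode_freq.items() if op in CALL_RELATED)


if __name__ == "__main__":
    ben, mal = frequency(BENIGN), frequency(MALWARE)
    print("malware-only instructions:", only_in(mal, ben))
    print("malware-only opcodes:", only_in(frequency(MALWARE, opcode_only),
                                           frequency(BENIGN, opcode_only)))
    for token, ratio in enrichment(mal, ben)[:3]:
        print(f"{token:14s} x{ratio:.1f}")
```

On these listings more than half of the instructions in both corpora are call-related (call, push, pop, ret, leave), which is why they carry no signal. The operand classes are what separate the corpora: `call` appears on both sides, but `call reg` (an indirect call through a resolved address) appears only in the malicious one, and `xor reg,reg`, which is rare in the benign listings, is about six times as frequent in the malicious ones. The caveat is the corpus size: with a handful of hand-written routines these ratios are illustrations of the method, not statistics.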
unknown title
Abstract
Android malware are often created by injecting malicious payloads into benign applications. They employ code and string obfuscation techniques to hide their presence from antivirus scanners. Recent studies have shown that common antivirus software and static analysis tools are not resilient to such obfuscation techniques. To address this problem, we develop a robust fingerprinting approach that can deal with complex obfuscation with a high degree of accuracy. Our approach, called OpSeq, scores similarity as a function of normalized opcode sequences found in sensitive functional modules as well as app permission requests. This combination of structural and behavioral features results in a distinctive fingerprint for a malware sample, thereby improving our model's overall recall rate. We tested our prototype on 1,192 known malware samples belonging to 25 different families, 359 benign apps, and 207 new obfuscated malware variants. The empirical results show that OpSeq can correctly detect known malware with an F-Score of 98%.
CCS Concepts: Security and privacy → Malware and its mitigation; Software and its engineering → Automated static analysis; Information systems → Similarity measures
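An added example in the spirit of the abstract above, not OpSeq's own code: a fingerprint built from normalised opcode sequences of methods that touch sensitive APIs, combined with the requested permissions, scored against a renamed and string-encoded copy of the same payload and against an unrelated benign app. The smali listings are constructed, and the list of sensitive APIs, the 3-gram size and the 0.7/0.3 weighting of the two feature sets are assumptions.

```python
"""Obfuscation-resilient Android fingerprint from normalised opcode sequences
of sensitive methods plus requested permissions.

Added example, not OpSeq's code. The smali listings, the sensitive-API list,
the 3-gram size and the 0.7/0.3 weighting are all assumptions.
"""
import hashlib
import re

# Constructed, sanitised smali: a premium-SMS "billing" routine plus a helper.
ORIGINAL_APP = {
    "permissions": {"SEND_SMS", "READ_PHONE_STATE", "INTERNET"},
    "smali": """
.class public Lcom/example/app/Billing;
.super Ljava/lang/Object;

.method public static charge(Ljava/lang/String;)V
    .locals 4
    const-string v0, "+19005550199"
    const-string v1, "SUB 4 PREMIUM"
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v2
    const/4 v3, 0x0
    invoke-virtual {v2, v0, v3, v1, v3, v3}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method

.method public static greet()V
    .locals 1
    const-string v0, "hello"
    invoke-static {v0}, Lcom/example/app/Log;->d(Ljava/lang/String;)V
    return-void
.end method
""",
}

# Same payload after renaming classes, methods and registers, encoding the
# strings and adding a junk helper. A byte-level signature no longer matches.
OBFUSCATED_APP = {
    "permissions": {"SEND_SMS", "READ_PHONE_STATE", "INTERNET"},
    "smali": """
.class public La/a;
.super Ljava/lang/Object;

.method public static b()V
    .locals 2
    const-string v0, "x"
    const/4 v1, 0x1
    invoke-static {v0}, La/c;->a(Ljava/lang/String;)V
    return-void
.end method

.method public static a(Ljava/lang/String;)V
    .locals 4
    const-string v3, "KzE5MDA1NTUwMTk5"
    const-string v2, "U1VCIDQgUFJFTUlVTQ=="
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v1
    const/4 v0, 0x0
    invoke-virtual {v1, v3, v0, v2, v0, v0}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
""",
}

# Unrelated benign app that also touches telephony (reads the device id).
BENIGN_APP = {
    "permissions": {"READ_PHONE_STATE", "INTERNET"},
    "smali": """
.class public Lcom/example/weather/Device;
.super Ljava/lang/Object;

.method public static id(Landroid/content/Context;)Ljava/lang/String;
    .locals 2
    const-string v0, "phone"
    invoke-virtual {p0, v0}, Landroid/content/Context;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;
    move-result-object v1
    check-cast v1, Landroid/telephony/TelephonyManager;
    invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    move-result-object v1
    return-object v1
.end method
""",
}

# Assumed list of APIs whose callers count as "sensitive functional modules".
SENSITIVE_APIS = ("Landroid/telephony/SmsManager;", "Landroid/telephony/TelephonyManager;")
METHOD = re.compile(r"\.method\b[^\n]*\n(.*?)\.end method", re.S)


def method_bodies(smali):
    return METHOD.findall(smali)


def opcode_sequence(body):
    """Normalised sequence: keep the Dalvik mnemonic, drop registers, strings
    and class names, skip directives (.locals), labels and comments."""
    seq = []
    for line in body.splitlines():
        line = line.strip()
        if not line or line[0] in ".:#":
            continue
        seq.append(line.split()[0])
    return seq


def sensitive_ngrams(smali, n=3):
    """Opcode n-grams of every method that references a sensitive API."""
    grams = set()
    for body in method_bodies(smali):
        if not any(api in body for api in SENSITIVE_APIS):
            continue
        seq = opcode_sequence(body)
        grams.update(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))
    return grams


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0


def fingerprint(app, n=3):
    return {"opcodes": sensitive_ngrams(app["smali"], n),
            "permissions": set(app["permissions"])}


def similarity(app_a, app_b, w=0.7, n=3):
    """Weighted mix of structural (opcode) and behavioural (permission) overlap."""
    fa, fb = fingerprint(app_a, n), fingerprint(app_b, n)
    return (w * jaccard(fa["opcodes"], fb["opcodes"])
            + (1 - w) * jaccard(fa["permissions"], fb["permissions"]))


def raw_digest(app):
    """What a byte-level signature would hash: breaks on any renaming."""
    return hashlib.sha256(app["smali"].encode()).hexdigest()


if __name__ == "__main__":
    print("raw digests equal:", raw_digest(ORIGINAL_APP) == raw_digest(OBFUSCATED_APP))
    print("original vs obfuscated:", round(similarity(ORIGINAL_APP, OBFUSCATED_APP), 3))
    print("original vs benign:    ", round(similarity(ORIGINAL_APP, BENIGN_APP), 3))
```

Renaming and string encoding change every byte of the listing but none of the opcode 3-grams of the SMS method, so the obfuscated copy scores 1.0 while the benign telephony app scores 0.2 (no shared opcode n-grams; two of three permissions in common). The junk helper is ignored because it never references a sensitive API, which is the point of restricting the structural feature to sensitive modules. Inserting dead instructions inside the sensitive method would change the sequence, which is why the score is a similarity rather than an equality test and needs a threshold tuned on known families.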
Ensemble Learning for Low-level Hardware-supported Malware Detection
Abstract
Recent work demonstrated hardware-based online malware detection using only low-level features. This detector is envisioned as a first line of defense that prioritizes the application of more expensive and more accurate software detectors. Critical to such a framework is the detection performance of the hardware detector. In this paper, we explore the use of both specialized detectors and ensemble learning techniques to improve performance of the hardware detector. The proposed detectors reduce the false positive rate by more than half compared to a single detector, while increasing the detection rate. We also contribute approximate metrics to quantify the detection overhead, and show that the proposed detectors achieve more than 11x reduction in overhead compared to a software only detector (1.87x compared to prior work), while improving detection time. Finally, we characterize the hardware complexity by extending an open core and synthesizing it on an FPGA platform, showing that the overhead is minimal.
Malware-Aware Processors: A Framework for Efficient Online Malware Detection
Abstract
Security exploits and ensuant malware pose an increasing challenge to computing systems as the variety and complexity of attacks continue to increase. In response, software-based malware detection tools have grown in complexity, thus making it computationally difficult to use them to protect systems in real-time. Therefore, software detectors are applied selectively and at a low frequency, creating opportunities for malware to remain undetected. In this paper, we propose Malware-Aware Processors (MAP), processors augmented with an online hardware-based detector to serve as the first line of defense to differentiate malware from legitimate programs. The output of this detector helps the system prioritize how to apply more expensive software-based solutions. The always-on nature of the MAP detector helps protect against intermittently operating malware. Our work improves on the state of the art in the following ways: (1) We define and explore the use of sub-semantic features for online detection of malware. (2) We explore hardware implementations and show that simple classifiers appropriate for such implementations can effectively classify malware. We also study different classifiers, develop implementation optimizations, and explore complexity to performance trade-offs. (3) We propose a two-level detection framework where the hardware classifier prioritizes the work of a more accurate but more expensive software defense mechanism. (4) We integrate the MAP implementation with an open-source x86-compatible core, synthesizing the resulting design to run on an FPGA.
Comparative Analysis of Feature Extraction Methods of Malware Detection
Abstract
Recent years have seen massive growth in malware, which poses a severe threat to modern computers and internet security. Existing malware detection systems are confronted with unknown malware variants. Recently developed malware detection systems have found that the diverse forms of malware exhibit similar patterns in their structure with minor variations. Hence, it is necessary to discriminate the types of features extracted for detecting malware, so that the potential of a malware detection system can be leveraged to combat unfamiliar malware. We mainly focus on the categorization of features based on malware analysis. This paper highlights the general framework of a malware detection system and pinpoints the strengths and weaknesses of each method. Finally, we present an overview of the performance of present malware detection systems based on features.
A Survey on Data Mining Methods for Malware Detection
Abstract
Malware is any type of malicious software that has the capability to enter a system without the authorization of its users. Thus malware detection is an important issue in computer security. Signature-based detection is the most popular method to detect malware attacks, but the main drawback of this method is that it cannot be used to detect zero-day attacks. The signature database needs to be updated regularly, and human experts are needed to create new signatures. The drawbacks of signature-based malware detection are minimized by using heuristic methods. Heuristic methods are used to detect zero-day attacks. There are various methods used to detect malware, such as the n-gram method, the finite state automaton method, the control flow graph method, n-gram analysis at byte level, etc. These methods have their various advantages and disadvantages. This study surveys the various methods used to detect malware.