Citation Context

...ftware). Maximal margin is defined by the largest distance between the examples of the two classes computed from the distance between the closest instances of both classes (called supporting vectors) =-=[80]-=-. Figure 3: Example of a SVM classifier in a bi-dimensional space. Formally, the optimal hyperplane is represented by a vector w and a scalar m in a way that the inner products of w with vectors ϕ(Xi)...

Citation Context

...andom Forest, which is an ensemble (i.e., combination of weak classifiers) of different randomly-built decision trees [7]. Further, we also use J48, the Weka [25] implementation of the C4.5 algorithm =-=[61]-=-. 10 4.2. Support Vector Machines (SVM) SVM classifiers consist of a hyperplane dividing a n-dimensional-spacebased representation of the data into two regions (shown in Figure 3). This hyperplane is ...

Citation Context

...on). { K-Nearest Neighbour (KNN): We performed experiments over the range k = 1 to k = 10 to train KNN. { Bayesian networks (BN): We used several structural learning algorithms; K2 [18], Hill Climber =-=[64]-=- and Tree Augmented Nave (TAN) [26]. We also performed experiments with a Nave Bayes classifier [41]. { Support Vector Machines (SVM): We used a Sequential Minimal Optimization (SMO) algorithm [57...

Citation Context

...ues. Besides, long opcode sequences will introduce a high performance overhead. Afterwards, we compute the frequency of occurrence of each opcode sequence within the file by using Term Frequency (TF) =-=[48]-=- (shown in equation 2) that is a weight widely used in information retrieval [83]: tfi,j = ni,j∑ k nk,j (2) where ni,j is the number of times the sequence si,j (in our case opcode sequence) appears in...

Citation Context

...ly information about benign software to measure the deviations from the benign behaviour profile. Specifically, they applied a Gaussian Likelihood Model fitted with Principal Component Analysis (PCA) =-=[31]-=-. Unfortunately, these methods usually have a high false positive ratio that renders them difficult for commercial antivirus vendors to adopt. Data-mining-based approaches rely on datasets that includ...

Citation Context

... such as push, mov or add, tended to be weighted low in the results. These weights may be considered a replacement for the Inverse Document Frequency (IDF) measure [62] used in the Vector Space Model =-=[65]-=- for information retrieval. The IDF weighting terms occur in documents based on the frequency with which they appear in the whole document. Our method performs a similar task by using mutual informati...

Citation Context

...efined with the parameter k. The results of each round are averaged to estimate the global measures of the tested model. Thereby, for each classifier we tested, we performed a k-fold cross validation =-=[35]-=- with k = 10. In this way, our dataset was split 10 times into 10 different sets of learning (90% of the total dataset) and testing (10% of the total data). Learning the model: For each validation s...

Citation Context

...9, 81, 70]. Machine learning is a discipline within Articial Intelligence (AI) concerned with the design and development of algorithms that allow computers to reason and make decisions based on data =-=[5]-=-. Generally, machine-learning algorithms can be classified into three different types: supervised learning, unsupervised learning and semi-supervised learning algorithms. First, supervised machine-lea...

Citation Context

...fterwards, we compute the frequency of occurrence of each opcode sequence within the file by using Term Frequency (TF) [48] (shown in equation 2) that is a weight widely used in information retrieval =-=[83]-=-: tfi,j = ni,j∑ k nk,j (2) where ni,j is the number of times the sequence si,j (in our case opcode sequence) appears in an executable e, and ∑ k nk,j is the total number of terms in the executable e (...

Citation Context

...performed experiments over the range k = 1 to k = 10 to train KNN. { Bayesian networks (BN): We used several structural learning algorithms; K2 [18], Hill Climber [64] and Tree Augmented Nave (TAN) =-=[26]-=-. We also performed experiments with a Nave Bayes classifier [41]. { Support Vector Machines (SVM): We used a Sequential Minimal Optimization (SMO) algorithm [57] and performed experiments with a po...

Citation Context

...ng the class of the unknown sample; the most commonly used technique is to classify the unknown instance as the most common class among its K-Nearest Neighbours. 4.4. Bayesian Networks Bayes' Theorem =-=[2]-=- is the basis of the so-called Bayesian inference, a statistical reasoning method that determines, based on a number of observations, the probability that a hypothesis may be true. Bayes’ theorem adju...

Citation Context

... dataset and the malicious software dataset. 3. Computation of opcode relevance: We computed the relevance of each opcode based on the frequency it appears in each dataset. We used Mutual Information =-=[53]-=- (shown in equation 1) to measure the statistical dependence of the two variables: I(X;Y ) = ∑ yϵY ∑ xϵX p(x, y) log ( p(x, y) p(x) p(y) ) (1) where X is the opcode frequency and Y is the class of t...

Citation Context

...{ Bayesian networks (BN): We used several structural learning algorithms; K2 [18], Hill Climber [64] and Tree Augmented Nave (TAN) [26]. We also performed experiments with a Nave Bayes classifier =-=[41]-=-. { Support Vector Machines (SVM): We used a Sequential Minimal Optimization (SMO) algorithm [57] and performed experiments with a polynomial kernel [1], a normalised polynomial kernel [1], Pearson VI...

Citation Context

...be labelled [38]. Finally, semi-supervised machine-learning algorithms use a mixture of both labelled and unlabelled data in order to build models, thus improving the accuracy of unsupervised methods =-=[12]-=-. Since in our case malware can be properly labelled, we use supervised machine-learning. In future work, however, we would also like to test the ability of unsupervised methods to detect malware. In ...

Citation Context

...64] and Tree Augmented Nave (TAN) [26]. We also performed experiments with a Nave Bayes classifier [41]. { Support Vector Machines (SVM): We used a Sequential Minimal Optimization (SMO) algorithm =-=[57]-=- and performed experiments with a polynomial kernel [1], a normalised polynomial kernel [1], Pearson VII function-based universal kernel [79], and a Radial Basis Runction (RBF) based kernel [1]. Tes...

Citation Context

...ct and classify malware. We provide empirical validation of our method with an extensive study 3Boosting is a machine learning technique that builds a strong classifier composed by weak classifiers =-=[68]-=-. 4 of data-mining models for detecting and classifying unknown malicious software. We show that the proposed methods achieve high detection rates, even for completely new and previously unseen thre...

Citation Context

...el functions are applied. These kernel functions lead to nonlinear classification surfaces, such as polynomial, radial or sigmoid surfaces [1]. 4.3. K-Nearest Neighbours The K-Nearest Neighbour (KNN) =-=[24]-=- algorithm is one of the simplest supervised machine-learning algorithms for classifying instances. This method classifies an unknown instance based on the class (in our case, malware or benign softwa...

Citation Context

...listing). On the other hand, cost-sensitive learning is a machinelearning technique where one can specify the cost of each error and the classifiers are trained taking into account that consideration =-=[22]-=-. Furthermore, we measured accuracy, i.e., the total number of the classifier’s hits divided by the number of instances in the whole dataset (shown in equation 11): Accuracy(%) = TP + TN TP + FP + TP ...

Citation Context

...orage and time costs, it is necessary to reduce the original training set [19]. In order to solve this issue, data reduction is normally considered an appropriate preprocessing optimisation technique =-=[59, 78]-=-. Such techniques have many potential advantages such as reducing measurement, storage and Figure 14: Comparison of the results in terms of FPR for the combination of features of opcode-sequence lengt...

Citation Context

...ad, allowing further static or dynamic analysis of the executable. Another solution is to use concrete unpacking routines to recover the actual payload that requires one routine per packing algorithm =-=[75]-=-. Obviously, this approach is limited to a fixed 28 Figure 12: Comparison of the results in terms of FPR of the classifiers for an opcodesequence length of 2. set of known packers. Likewise, commercia...

Citation Context

...) = P (BjA) P (A) P (B) (7) Bayesian networks [52] are probabilistic models for multivariate analysis. Formally, they are directed acyclic graphs associated with a probability distribution function =-=[11]-=-. Nodes in the graph represent variables (which can be either a premise or a conclusion) while the arcs represent conditional dependencies between such variables. The probability function illustrates ...

Citation Context

...st of these methods are limited as they count certain bytes in the malware body; because most of the common transformations operate at the source level, these detection methods can be easily thwarted =-=[14]-=-. These approaches were also used by Perdisci et al. [54] to detect packed executables. Perdisci et al. [54] proposed their first approach based on (i) the extraction of some features from the Portabl...

Citation Context

...arning algorithms. First, supervised machine-learning algorithms, or classifying algorithms, require the training dataset to be properly labelled (in our case, knowing whether an instance is malware) =-=[37]-=-. Second, unsupervised machine-learning algorithms, or clustering algorithms, try to assess how data are organised into different groups called clusters. In this type of machine-learning, data do not ...

Citation Context

...ned if we know the probability that A occurs, P (A), the probability that B occurs, P (B), and the conditional probability of B given A, P (BjA). P (AjB) = P (BjA) P (A) P (B) (7) Bayesian networks =-=[52]-=- are probabilistic models for multivariate analysis. Formally, they are directed acyclic graphs associated with a probability distribution function [11]. Nodes in the graph represent variables (which ...

Citation Context

...served that the most common opcodes, such as push, mov or add, tended to be weighted low in the results. These weights may be considered a replacement for the Inverse Document Frequency (IDF) measure =-=[62]-=- used in the Vector Space Model [65] for information retrieval. The IDF weighting terms occur in documents based on the frequency with which they appear in the whole document. Our method performs a si...

Citation Context

... training and testing times; confronting the curse of dimensionality to improve prediction performance in terms of speed, accuracy and simplicity and facilitating data visualization and understanding =-=[76, 20]-=-. Data reduction can be implemented in two ways. On the one hand, Instance Selection (IS) seeks to reduce the evidences (i.e., number of rows) in the training set by selecting the most relevant instan...

Citation Context

...veral characteristic features for of both malicious samples and benign software to build classification tools that detect malware in the wild (i.e., undocumented malware). To this end, Schultz et al. =-=[69]-=- were the first to introduce the idea of applying data-mining models to the detection of different malicious programs based on their respective binary codes. Specifically, they applied several classif...

Citation Context

...presentation of the execution of binary executables and improved the slicing of a program into idioms (i.e., sequences of instructions). It is also worth to mention the work of Christodorescu and Jha =-=[16]-=-, who proposed a method based on CFG analysis to handle obfuscations in malicious software. Later, Christodorescu et al. [17] improved on this work by including semantic-templates of malicious specifi...

Citation Context

...uences. Because both IS and FS are very effective at reducing the size of the training set and helping to filtrate and clean noisy data, thereby improving the accuracy of machine-learning classifiers =-=[6, 21]-=-, we strongly encourage the use of these methods. 7. Conclusions Malware detection has become a major topic of research and concern owing to the increasing growth of malicious code in recent years. Th...

Citation Context

...enerally, instead of using inner products, the so-called kernel functions are applied. These kernel functions lead to nonlinear classification surfaces, such as polynomial, radial or sigmoid surfaces =-=[1]-=-. 4.3. K-Nearest Neighbours The K-Nearest Neighbour (KNN) [24] algorithm is one of the simplest supervised machine-learning algorithms for classifying instances. This method classifies an unknown inst...

Citation Context

...5 [61] implementation). { K-Nearest Neighbour (KNN): We performed experiments over the range k = 1 to k = 10 to train KNN. { Bayesian networks (BN): We used several structural learning algorithms; K2 =-=[18]-=-, Hill Climber [64] and Tree Augmented Nave (TAN) [26]. We also performed experiments with a Nave Bayes classifier [41]. { Support Vector Machines (SVM): We used a Sequential Minimal Optimization ...

Citation Context

... training and testing times; confronting the curse of dimensionality to improve prediction performance in terms of speed, accuracy and simplicity and facilitating data visualization and understanding =-=[76, 20]-=-. Data reduction can be implemented in two ways. On the one hand, Instance Selection (IS) seeks to reduce the evidences (i.e., number of rows) in the training set by selecting the most relevant instan...

Citation Context

...seems a more promising solution to this problem [32]. One solution to solve this obvious limitation of our malware detection method is the use of a generic dynamic unpacking schema such as PolyUnpack =-=[63]-=-, Renovo [32], OmniUnpack [47] and Eureka [72]. These methods execute the sample in a contained environment and extract the actual payload, allowing further static or dynamic analysis of the executabl...

Citation Context

...a labelled dataset. In this work, we use Random Forest, which is an ensemble (i.e., combination of weak classifiers) of different randomly-built decision trees [7]. Further, we also use J48, the Weka =-=[25]-=- implementation of the C4.5 algorithm [61]. 10 4.2. Support Vector Machines (SVM) SVM classifiers consist of a hyperplane dividing a n-dimensional-spacebased representation of the data into two region...

Citation Context

...ph structure of these trees by means of a labelled dataset. In this work, we use Random Forest, which is an ensemble (i.e., combination of weak classifiers) of different randomly-built decision trees =-=[7]-=-. Further, we also use J48, the Weka [25] implementation of the C4.5 algorithm [61]. 10 4.2. Support Vector Machines (SVM) SVM classifiers consist of a hyperplane dividing a n-dimensional-spacebased r...

Citation Context

... the behaviour of the program (e.g., nop instructions1); code reordering, which changes the order of program instructions and variable renaming ; which replaces a variable identifier with another one =-=[15]-=-. Several approaches have been proposed by the research community to counter these obfuscation techniques. For instance, Sung, Xu and Chavez [74, 82] introduced a method for computing the similarity b...

Citation Context

...ective binary codes. Specifically, they applied several classifiers to three different feature extraction approaches: program headers, string features and byte sequence features. Later, Kolter et al. =-=[36]-=- improved the results obtained by Schulz et al. by using n-grams (i.e., over3 lapping byte sequences) instead of non-overlapping sequences. This method used several algorithms and the best results wer...

Citation Context

...d into memory. Indeed, static detection methods can deal with packed malware only by using the signatures of the packers. Accordingly, dynamic analysis seems a more promising solution to this problem =-=[32]-=-. One solution to solve this obvious limitation of our malware detection method is the use of a generic dynamic unpacking schema such as PolyUnpack [63], Renovo [32], OmniUnpack [47] and Eureka [72]. ...

Citation Context

...set by selecting the most relevant instances or re-sampling new ones [43]. On the other hand, Feature Selection (FS) decreases the number of attributes or features (i.e., columns) in the training set =-=[44]-=-. We applied FS in our experiments when selecting the 1000 top-ranked opcode sequences. Because both IS and FS are very effective at reducing the size of the training set and helping to filtrate and c...

Citation Context

...77, 27] Anomaly detectors use information retrieved from benign software to obtain a benign behaviour prole. Then, every significant deviation from this profile is qualified as suspicious. Li et al. =-=[42]-=- proposed thesleprint (or n-gram) analysis in which a model or set of models attempt to characterise several file types on a system based on their structural (byte) composition. The main assumption be...

Citation Context

...n to this problem [32]. One solution to solve this obvious limitation of our malware detection method is the use of a generic dynamic unpacking schema such as PolyUnpack [63], Renovo [32], OmniUnpack =-=[47]-=- and Eureka [72]. These methods execute the sample in a contained environment and extract the actual payload, allowing further static or dynamic analysis of the executable. Another solution is to use ...

Citation Context

...able: it cannot cope with code obfuscations and cannot detect previously unseen malware. Malware writers use code obfuscation techniques [40] to hide the actual behaviour of their malicious creations =-=[8, 84, 13, 33]-=-. Examples of these obfuscation algorithms include garbage insertion, which consists on adding sequences which do not modify the behaviour of the program (e.g., nop instructions1); code reordering, wh...

Citation Context

...ed machine-learning algorithms, or clustering algorithms, try to assess how data are organised into different groups called clusters. In this type of machine-learning, data do not need to be labelled =-=[38]-=-. Finally, semi-supervised machine-learning algorithms use a mixture of both labelled and unlabelled data in order to build models, thus improving the accuracy of unsupervised methods [12]. Since in o...

Citation Context

...able: it cannot cope with code obfuscations and cannot detect previously unseen malware. Malware writers use code obfuscation techniques [40] to hide the actual behaviour of their malicious creations =-=[8, 84, 13, 33]-=-. Examples of these obfuscation algorithms include garbage insertion, which consists on adding sequences which do not modify the behaviour of the program (e.g., nop instructions1); code reordering, wh...

Citation Context

... tell-tale signs (e.g., operations that change the state of a program such as network access events and file operations) in order to determine whether an executable may be malicious. Bergerson et al. =-=[3]-=- presented several methods for disassembling of binary executables, helping to build a representation of the execution of binary executables and improved the slicing of a program into idioms (i.e., se...

Citation Context

...any action. 2A syscall or system call is the procedure through which an executable requests a service from the kernel of the operating system. 2 (CFG) analysis. An example was introduced by Lo et al. =-=[45]-=- as part of the Malicious Code Filter (MCF) project. Their method slices a program into blocks while looking for tell-tale signs (e.g., operations that change the state of a program such as network ac...

Citation Context

...ection due to the increasing growth of malware. Data mining approaches usually rely onmachine-learning algorithms that use both malicious executables and benign software to detect malware in the wild =-=[28, 29, 81, 70]-=-. Machine learning is a discipline within Articial Intelligence (AI) concerned with the design and development of algorithms that allow computers to reason and make decisions based on data [5]. Gener...

Citation Context

...emented in two ways. On the one hand, Instance Selection (IS) seeks to reduce the evidences (i.e., number of rows) in the training set by selecting the most relevant instances or re-sampling new ones =-=[43]-=-. On the other hand, Feature Selection (FS) decreases the number of attributes or features (i.e., columns) in the training set [44]. We applied FS in our experiments when selecting the 1000 top-ranked...

Citation Context

...al with unknown malware that classic signature method cannot handle: anomaly detectors and data-miningbased detectors. These approaches have been also used in similar domains like intrusion detection =-=[39, 23, 77, 27]-=- Anomaly detectors use information retrieved from benign software to obtain a benign behaviour prole. Then, every significant deviation from this profile is qualified as suspicious. Li et al. [42] pr...

Citation Context

...ational codes in machine language). Our method is based on the frequency of appearance of opcode-sequences: it trains several data-mining algorithms in order to detect unknown malware. A recent study =-=[4]-=- statistically analysed the ability of single opcodes to serve as the basis for malware detection and confirmed their high reliability for determining the maliciousness of executables. In a previous w...

Citation Context

...tandard sections, the number of executable sections, the entropy of the PE header; and (ii) the classification through machine-learning models, e.g., Näıve Bayes, J48 and MLP. Later, Perdisci et al. =-=[55]-=- evolved their method and developed a fast statistical malware detection tool. They added new ngram-based classifiers to combine their results with the previous MLP-based classifier. Given the state o...

Citation Context

... which replaces a variable identifier with another one [15]. Several approaches have been proposed by the research community to counter these obfuscation techniques. For instance, Sung, Xu and Chavez =-=[74, 82]-=- introduced a method for computing the similarity between two executables by focusing on the degree of similarity within syscall2 sequences. This approach offered only a limited performance because of...

Citation Context

...es in the malware body; because most of the common transformations operate at the source level, these detection methods can be easily thwarted [14]. These approaches were also used by Perdisci et al. =-=[54]-=- to detect packed executables. Perdisci et al. [54] proposed their first approach based on (i) the extraction of some features from the Portable Executable (PE), e.g., the number of standard and non-s...

Citation Context

... We used a Sequential Minimal Optimization (SMO) algorithm [57] and performed experiments with a polynomial kernel [1], a normalised polynomial kernel [1], Pearson VII function-based universal kernel =-=[79]-=-, and a Radial Basis Runction (RBF) based kernel [1]. Testing the model: In order to measure the processing overhead of the proposed model, we measure the required representation time, number of fea...

Citation Context

...sed several algorithms and the best results were achieved with a Boosted3 Decision Tree. In a similar vein, substantial research has focussed on n-gram distributions of byte sequences and data mining =-=[50, 71, 85, 67]-=-. Still, most of these methods are limited as they count certain bytes in the malware body; because most of the common transformations operate at the source level, these detection methods can be easil...

Citation Context

... databases. As the dataset size grows, so does the issue of scalability. This problem produces excessive storage requirements, increases time complexity and impairs the general accuracy of the models =-=[10]-=-. To reduce disproportionate storage and time costs, it is necessary to reduce the original training set [19]. In order to solve this issue, data reduction is normally considered an appropriate prepro...

Citation Context

...an snippet of the 9 actual decision tree generated). The internal nodes represent conditions of the problem variables, and their final nodes (or leaves) constitute the final decision of the algorithm =-=[60]-=-. In our case, the final nodes would represent whether an executable is malware or not. Figure 2: Extract of the Decision Tree. Formally, a decision tree graph G = (V,E) consists on a not empty set of...

Citation Context

...able: it cannot cope with code obfuscations and cannot detect previously unseen malware. Malware writers use code obfuscation techniques [40] to hide the actual behaviour of their malicious creations =-=[8, 84, 13, 33]-=-. Examples of these obfuscation algorithms include garbage insertion, which consists on adding sequences which do not modify the behaviour of the program (e.g., nop instructions1); code reordering, wh...

Citation Context

...sorted and generated an opcode relevance file. The opcode frequency file was saved so that we may calculate the relevance of the opcodes in future research using other measures such as the gain ratio =-=[46]-=- or chi-square [30]. 6http://www.eset.com/ 7http://www.frontiernet.net/ fys/newbasic.htm 6 This list of opcode relevances helped with more accurate malware detection because we were able to weight the...

Citation Context

... which replaces a variable identifier with another one [15]. Several approaches have been proposed by the research community to counter these obfuscation techniques. For instance, Sung, Xu and Chavez =-=[74, 82]-=- introduced a method for computing the similarity between two executables by focusing on the degree of similarity within syscall2 sequences. This approach offered only a limited performance because of...

Citation Context

...d an opcode relevance file. The opcode frequency file was saved so that we may calculate the relevance of the opcodes in future research using other measures such as the gain ratio [46] or chi-square =-=[30]-=-. 6http://www.eset.com/ 7http://www.frontiernet.net/ fys/newbasic.htm 6 This list of opcode relevances helped with more accurate malware detection because we were able to weight the final representati...

Citation Context

...m [32]. One solution to solve this obvious limitation of our malware detection method is the use of a generic dynamic unpacking schema such as PolyUnpack [63], Renovo [32], OmniUnpack [47] and Eureka =-=[72]-=-. These methods execute the sample in a contained environment and extract the actual payload, allowing further static or dynamic analysis of the executable. Another solution is to use concrete unpacki...

Citation Context

...sed several algorithms and the best results were achieved with a Boosted3 Decision Tree. In a similar vein, substantial research has focussed on n-gram distributions of byte sequences and data mining =-=[50, 71, 85, 67]-=-. Still, most of these methods are limited as they count certain bytes in the malware body; because most of the common transformations operate at the source level, these detection methods can be easil...

Citation Context

...tistically analysed the ability of single opcodes to serve as the basis for malware detection and confirmed their high reliability for determining the maliciousness of executables. In a previous work =-=[66]-=-, we presented an approach focused on detecting obfuscated malware variants using the frequency of appearance of opcode-sequences to build an information retrieval representation of executables. We no...

Citation Context

...sed several algorithms and the best results were achieved with a Boosted3 Decision Tree. In a similar vein, substantial research has focussed on n-gram distributions of byte sequences and data mining =-=[50, 71, 85, 67]-=-. Still, most of these methods are limited as they count certain bytes in the malware body; because most of the common transformations operate at the source level, these detection methods can be easil...

Citation Context

...orage and time costs, it is necessary to reduce the original training set [19]. In order to solve this issue, data reduction is normally considered an appropriate preprocessing optimisation technique =-=[59, 78]-=-. Such techniques have many potential advantages such as reducing measurement, storage and Figure 14: Comparison of the results in terms of FPR for the combination of features of opcode-sequence lengt...

Citation Context

...able: it cannot cope with code obfuscations and cannot detect previously unseen malware. Malware writers use code obfuscation techniques [40] to hide the actual behaviour of their malicious creations =-=[8, 84, 13, 33]-=-. Examples of these obfuscation algorithms include garbage insertion, which consists on adding sequences which do not modify the behaviour of the program (e.g., nop instructions1); code reordering, wh...

Citation Context

...sed several algorithms and the best results were achieved with a Boosted3 Decision Tree. In a similar vein, substantial research has focussed on n-gram distributions of byte sequences and data mining =-=[50, 71, 85, 67]-=-. Still, most of these methods are limited as they count certain bytes in the malware body; because most of the common transformations operate at the source level, these detection methods can be easil...

Citation Context

...ection due to the increasing growth of malware. Data mining approaches usually rely onmachine-learning algorithms that use both malicious executables and benign software to detect malware in the wild =-=[28, 29, 81, 70]-=-. Machine learning is a discipline within Articial Intelligence (AI) concerned with the design and development of algorithms that allow computers to reason and make decisions based on data [5]. Gener...

Citation Context

...al with unknown malware that classic signature method cannot handle: anomaly detectors and data-miningbased detectors. These approaches have been also used in similar domains like intrusion detection =-=[39, 23, 77, 27]-=- Anomaly detectors use information retrieved from benign software to obtain a benign behaviour prole. Then, every significant deviation from this profile is qualified as suspicious. Li et al. [42] pr...

Citation Context

...8]. In the past, malware creators were motivated mainly by fame or glory. Most current malware, however, is economically motivated [51]. Commercial anti-malware solutions rely on a signature database =-=[49]-=- (i.e., list of signatures) for detection. An example of a signature is a sequence of bytes that is always present within a malicious executable and within the files already infected by that malware. ...

Citation Context

...re that has been explicitly designed to harm computers or networks [58]. In the past, malware creators were motivated mainly by fame or glory. Most current malware, however, is economically motivated =-=[51]-=-. Commercial anti-malware solutions rely on a signature database [49] (i.e., list of signatures) for detection. An example of a signature is a sequence of bytes that is always present within a malicio...

Citation Context

...al with unknown malware that classic signature method cannot handle: anomaly detectors and data-miningbased detectors. These approaches have been also used in similar domains like intrusion detection =-=[39, 23, 77, 27]-=- Anomaly detectors use information retrieved from benign software to obtain a benign behaviour prole. Then, every significant deviation from this profile is qualified as suspicious. Li et al. [42] pr...

Citation Context

...0:11 0:03 0:93 0:02 BN: K2 87:29 2:59 0:83 0:04 0:08 0:03 0:94 0:02 BN: Hill Climber 87:29 2:59 0:83 0:04 0:08 0:03 0:94 0:02 BN: TAN 93:40 1:80 0:91 0:03 0:04 0:02 0:98 0:01 encryption =-=[56]-=-. Still, these techniques cannot cope with the increasing use of packing techniques, and, we suggest the use of dynamic unpacking schemas to confront the problem. Fourth, it may seem that our method d...

Citation Context

...n in equation 11): Accuracy(%) = TP + TN TP + FP + TP + TN 100 (11) Besides, we measured the Area Under the ROC Curve (AUC) that establishes the relation between false negatives and false positives =-=[73]-=-. The ROC (Receiver Operator Characteristics) curve is obtained by plotting the TPR against the FPR. 18 Figure 6: Time results for extracting the assembly code from the binary. As we can see the requi...

Citation Context

...uences. Because both IS and FS are very effective at reducing the size of the training set and helping to filtrate and clean noisy data, thereby improving the accuracy of machine-learning classifiers =-=[6, 21]-=-, we strongly encourage the use of these methods. 7. Conclusions Malware detection has become a major topic of research and concern owing to the increasing growth of malicious code in recent years. Th...

Citation Context

...al with unknown malware that classic signature method cannot handle: anomaly detectors and data-miningbased detectors. These approaches have been also used in similar domains like intrusion detection =-=[39, 23, 77, 27]-=- Anomaly detectors use information retrieved from benign software to obtain a benign behaviour prole. Then, every significant deviation from this profile is qualified as suspicious. Li et al. [42] pr...

Citation Context

...their structural (byte) composition. The main assumption behind this analysis is that benign files are composed of predictable regular byte structures for their respective types. Likewise, Cai et al. =-=[9]-=- used byte sequence frequencies detect malware. Their goal was to use only information about benign software to measure the deviations from the benign behaviour profile. Specifically, they applied a G...

Citation Context

...age requirements, increases time complexity and impairs the general accuracy of the models [10]. To reduce disproportionate storage and time costs, it is necessary to reduce the original training set =-=[19]-=-. In order to solve this issue, data reduction is normally considered an appropriate preprocessing optimisation technique [59, 78]. Such techniques have many potential advantages such as reducing meas...

Citation Context

...ection due to the increasing growth of malware. Data mining approaches usually rely onmachine-learning algorithms that use both malicious executables and benign software to detect malware in the wild =-=[28, 29, 81, 70]-=-. Machine learning is a discipline within Articial Intelligence (AI) concerned with the design and development of algorithms that allow computers to reason and make decisions based on data [5]. Gener...

Citation Context

...ne and two. The number of features obtained with an opcode-sequence length of two and above was very high (see Figure 8). To deal with this, we applied a feature selection step using Information Gain =-=[34]-=- and we selected the top 1000 features, which represent the 0.6 % of the total number of features in the case of n = 2. On we obtained the reduced datasets, we tested the suitability of our proposed a...

Citation Context

...ues render the signature-based method less than completely reliable: it cannot cope with code obfuscations and cannot detect previously unseen malware. Malware writers use code obfuscation techniques =-=[40]-=- to hide the actual behaviour of their malicious creations [8, 84, 13, 33]. Examples of these obfuscation algorithms include garbage insertion, which consists on adding sequences which do not modify t...

Citation Context

...print submitted to Information Sciences August 22, 2011 1. Introduction Malware (or malicious software) is defined as computer software that has been explicitly designed to harm computers or networks =-=[58]-=-. In the past, malware creators were motivated mainly by fame or glory. Most current malware, however, is economically motivated [51]. Commercial anti-malware solutions rely on a signature database [4...