Detection of malicious code by applying machine learning classifiers on static features: A state-of-the-art survey

Information Security Technical Report

Volumn 14, Issue 1, 2009, Pages 16-29

  Shabtai, Asaf ^a   Moskovitch, Robert ^a   Elovici, Yuval ^a   Glezer, Chanan ^a  

^a BEN GURION UNIVERSITY OF THE NEGEV   (Israel)

Author keywords

[No Author keywords available]

Indexed keywords

ACTIVE LEARNING; CLASSIFICATION ALGORITHM; CLASSIFICATION RESULTS; DETECTION ACCURACY; DETECTION METHODS; EXECUTABLE FILES; EXECUTABLES; FALSE POSITIVE; FEATURE SELECTION METHODS; IMBALANCE PROBLEM; INDIVIDUAL CLASSIFIERS; MACHINE-LEARNING; MALICIOUS CODES; MULTIPLE CLASSIFIERS; N-GRAMS; PORTABLE EXECUTABLE; RESEARCH ISSUES; STATIC FEATURES;

CLASSIFIERS; EDUCATION; RESEARCH; ROBOT LEARNING; SURVEYS; TAXONOMIES;

LEARNING ALGORITHMS;

EID: 65749099969     PISSN: 13634127     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.istr.2009.03.003     Document Type: Article

References (56)

1. Abou-Assaleh T, Cercone N, Keselj V, Sweidan R. N-gram based detection of new malicious code. In: Proceedings of the 28th annual international computer software and applications conference; 2004.
2. Bilar D. Opcodes as predictor for malware. International Journal of Electronic Security and Digital Forensic 1 (2007) 2
3. Bishop C. Neural networks for pattern recognition (1995), Clarendon Press, Oxford
4. Buntine W. A theory of learning classification rules. Doctoral dissertation, Sydney: School of Computing Science, University of Technology; 1990.
5. Chawla N.V., Bowyer K.W., Hall L.O., and Kegelmeyer W.P. SMOTE: synthetic minority over-sampling technique. Journal of Artificial Intelligence Research (JAIR) 16 (2002) 321-357
6. Chawla N.V., Japkowicz N., and Kotcz A. Editorial: special issue on learning from imbalanced data sets. SIGKDD Explorations Newsletter 6 1 (2004) 1-6
7. Christodorescu M., and Jha S. Testing malware detectors. ACM SIGSOFT Software Engineering Notes 29 4 (2004) 34-44
8. Clark P, Boswell R. Rule induction with CN2: some recent improvements. In: Proc. of the European working session on learning; 1991. p. 151-63.
9. Dempster A. Upper and lower probabilities induced by multi-valued mapping. Annals of Mathematical Statistics 2 (1967) 325-339
10. Dolev S, Tzachar N. Malware signature builder and detection for executable code. Patent application; 2008.
11. Domingos P., and Pazzani M. On the optimality of simple Bayesian classifier under zero-one loss. Machine Learning 29 (1997) 103-130
12. Dzeroski S., and Zenko B. Is combining classifiers with stacking better than selecting the best one?. Machine Learning 54 3 (2004) 255-273
13. Elovici Y, Shabtai A, Moskovitch R, Tahan G, Glezer C. Applying machine learning techniques for detection of malicious code in network traffic, KI; 2007. p. 44-50.
14. Fawcett T.E., and Provost F. Adaptive fraud detection. Data Mining and Knowledge Discovery 1 3 (1997) 291-316
15. Freund Y, Schapire RE. A brief introduction to boosting. In: International joint conference on artificial intelligence; 1999.
16. Golub T.R., Slonim D.K., Tamayo P., Huard C., Gaasenbeek M., Mesirov J.P., et al. Molecular classification of cancer: class discovery and class prediction by gene expression monitoring. Science 286 (1999) 531-537
17. Gryaznov D. Scanners of the year 2000: heuristics. In: Proceedings of the 5th international virus bulletin; 1999.
18. Guvenir GD. Classification by voting feature intervals. In: 9th European conference on machine learning; 1997. p. 85-92.
19. Heidari M. Malicious codes in depth. Available from: (2004). http://www.securitydocs.com/pdf/2742.pdf
20. Henchiri O, Japkowicz N. A feature selection and evaluation scheme for computer virus detection. In: Proceedings of ICDM-2006, Hong Kong; 2006. p. 891-95.
21. Holte R. Very simple classification rules perform well on most commonly used datasets. Machine Learning 11 (1993) 63-91
22. Japkowicz N., and Stephen S. The class imbalance problem: a systematic study. Intelligent Data Analysis Journal 6 (2002)
23. Joachims T. Making large-scale support vector machine learning practical. In: Schölkopf B., Burges C., and A.S. (Eds). Advances in kernel methods: support vector machines (1998), MIT Press, Cambridge, MA
24. Jacob G., Debar H., and Filiol E. Behavioral detection of malware: from a survey towards an established taxonomy. Journal in Computer Virology 4 (2008) 251-266
25. John GH, Langley P. Estimating continuous distributions in Bayesian classifiers. In: Proc. of the conference on uncertainty in artificial intelligence; 1995. p. 338-45.
26. Kam HT. Random decision forest. In: Proc. of the 3rd int'l conf. on document analysis and recognition, Montreal, Canada, August 14-18; 1995. p. 278-82.
27. Karim E., Walenstein A., Lakhotia A., and Parida L. Malware phylogeny generation using permutations of code. Journal in Computer Virology 1 1-2 (2005) 13-23
28. Kibler D.A. Instance-based learning algorithms. Machine Learning (1991) 37-66
29. Kienzle DM, Elder MC. Internet WORMS: past, present, and future: recent worms: a survey and trends. In: ACM workshop on rapid malcode (WORM03); 2003.
30. Kittler J., Hatef M., Duin R., and Matas J. On combining classifiers. IEEE Transactions on Pattern Analysis and Machine Intelligence 20 3 (1998) 226-239
31. Kolter J.Z., and Maloof M.A. Learning to detect malicious executables in the wild. Proceedings of the tenth ACM SIGKDD international conference on knowledge discovery and data mining (2004), ACM Press, New York, NY 470-478
32. Kolter J., and Maloof M. Learning to detect and classify malicious executables in the wild. Journal of Machine Learning Research 7 (2006) 2721-2744
33. Kubat M, Matwin S. Addressing the curse of imbalanced data sets: one-sided sampling. In: Proceedings of the 14th international conference on machine learning; 1997. p. 179-86.
34. Kuncheva L.I. Diversity in multiple classifier systems (editorial). Information Fusion 6 1 (2005) 3-4
35. Ling CX, Li C. Data mining for direct marketing: problems and solutions. In: Proceedings of the 4th ACM SIGKDD international conference on knowledge discovery and data mining; 1998. p. 73-79.
36. Menahem E. Troika - an improved stacking schema for classification tasks. M.Sc. thesis, Israel: Information System Engineering Dept., Ben-Gurion University of the Negev; 2008.
37. Menahem E., Shabtai, Rokach L., and Elovici Y. Improving malware detection by applying multi-inducer ensemble. Computational Statistics and Data Analysis (2008)
38. Mitchell T. Machine learning (1997), McGraw-Hill
39. Moskovitch R, Feher, Tzachar N, Berger E, Gitelman M, Dolev S, et al. Unknown malcode detection using OPCODE representation. In: European conference on intelligence and security informatics 2008 (EuroISI08), Esbjerg, Denmark; 2008a.
40. Moskovitch R, Feher C, Elovici Y. Unknown malcode detection - a chronological evaluation. In: IEEE Intelligence And Security Informatics; 2008b.
41. Moskovitch R, Nissim N, Elovici Y. Acquisition of malicious code using active learning. In: PinKDD; 2008c.
42. Moskovitch R, Stopel D, Feher C, Nissim N, Elovici Y. Unknown malcode detection via text categorization and the imbalance problem. In: IEEE Intelligence and Security Informatics, Taiwan; 2008d.
43. Opitz D., and Shavlik J. Generating accurate and diverse members of a neural network ensemble. Advances in Neural Information Processing Systems 8 (1996) 535-541
44. Pearl J. Evidential reasoning using stochastic, simulation of causal models. Artificial Intelligence 32 2 (1987) 245-258
45. Quinlan J.R. C4.5: programs for machine learning (1993), Morgan Kaufmann Publishers, Inc., San Francisco, CA, USA
46. Roy N, McCallum A. Toward optimal active learning through sampling estimation of error reduction. In: ICML; 2001.
47. Salton G., Wong A., and Yang C.S. A vector space model for automatic indexing. Communications of the ACM 18 (1975) 613-620
48. Schultz M, Eskin E, Zadok E, Stolfo S. Data mining methods for detection of new malicious executables. In: Proc. of the IEEE symposium on security and privacy; 2001. p. 178-84.
49. Seewald AK. Towards understanding stacking - studies of a general ensemble learning scheme. PhD thesis, TU Wien; 2003.
50. Shin S, Jung J, Balakrishnan H. Malware prevalence in the KaZaA file-sharing network. In: Internet measurement conference (IMC), Brazil; 2006.
51. Siddiqui M., Wang M.C., and Lee J. Data mining methods for malware detection using instruction sequences. Artificial Intelligence and Applications (2008)
52. Tong S., and Koller D. Support vector machine active learning with applications to text classification. Journal of Machine Learning Research 2 (2000) 45-66
53. White S. Anatomy of a commercial-grade immune system (1999), IBM Research Center
54. Witten I.H., and Frank E. Data mining: practical machine learning tools and techniques. 2nd ed. (2005), Morgan Kaufmann Publishers, Inc., San Francisco, CA, USA
55. Wolpert D.H. Stacked generalization. Neural Networks 5 (1992) 241-259
56. Zhang B, Yin J, Hao J, Zhang D, Wang S. Malicious codes detection based on ensemble learning. Autonomic and trusted computing; 2007. p. 468-27.