DLLMiner: Structural mining for malware detection

Security and Communication Networks

Volumn 8, Issue 18, 2015, Pages 3311-3322

  Narouei, Masoud ^a   Ahmadi, Mansour ^b   Giacinto, Giorgio ^b   Takabi, Hassan ^a   Sami, Ashkan ^c  

^a UNIVERSITY OF NORTH TEXAS   (United States)

^b UNIVERSITY OF CAGLIARI   (Italy)

^c SHIRAZ UNIVERSITY   (Iran)

Author keywords

Closed frequent tree; Dependency tree; Evasion; Malware analysis

Indexed keywords

COMPUTER CRIME; FORESTRY; HEURISTIC METHODS; STATIC ANALYSIS;

BEHAVIORAL CHARACTERISTICS; CLOSED FREQUENT TREE; DEPENDENCY TREES; DETECTION TECHNIQUES; DYNAMIC LINK LIBRARY; EVASION; HEURISTIC TECHNIQUES; MALWARE ANALYSIS;

MALWARE;

EID: 84928243451     PISSN: 19390114     EISSN: 19390122     Source Type: Journal    
DOI: 10.1002/sec.1255     Document Type: Article

References (48)

1. F-secure. F-secure reports amount of malware grew by 100% during 2007. 2007. Available from: http://www.businesswire.com/news/home/20071204005453/en/F-Secure-Report s-Amount-Malware-Grew-100-2007#.VEDYtYuUfA4 [Accessed on 2012].
2. Kaspersky, Q1/2011 malware report. 2011. Available from: http://www.kaspersky.com/downloads/pdf/kaspersky_lab_q1_malware_2011_report.pdf [Accessed on 2012].
3. Symantec. Internet security threat report. 2011. Available from: https://www4.symantec.com/mktginfo/downloads/21182883_GA_REPORT_ISTR_Main-Report_04-11_HI-RES.pdf [Accessed on 2012].
4. Idika N, Mathur AP. A survey of malware detection techniques. Department of Computer Science, Purdue University, 2007. Available from: http://cyberunited.com/wp-content/uploads/2013/03/A-Survey-of-Malware-Detection-Techniques.pdf [Accessed on 2013].
5. Egele M, Scholte T, Kirda E, Kruegel C. A survey on automated dynamic malware-analysis techniques and tools. ACM Computing Surveys 2008; 44(2):6:1-6:42.
6. Moser A, Kruegel C, Kirda E. Limits of static analysis for malware detection. Computer Security Applications Conference, 2007. ACSAC 2007. Twenty-Third Annual, Miami Beach, FL, December 2007; 421-430.
7. Sami A, Yadegari B, Rahimi H, Peiravian N, Hashemi S, Hamze A. Malware detection based on mining api calls. Proceedings of the 2010 ACM Symposium on Applied Computing, SAC '10, ACM, New York, NY, USA, 2010; 1020-1025.
8. Ye Y, Wang D, Li T, Ye D, Jiang Q. An intelligent pe-malware detection system based on association mining. Journal in Computer Virology 2008; 4(4):323-334.
9. Christodorescu M, Jha S. Static analysis of executables to detect malicious patterns. Proceedings of the 12th Conference on USENIX Security Symposium-Volume 12, SSYM'03, USENIX Association, Berkeley, CA, USA, 2003; 12-12. Available from: http://dl.acm.org/citation.cfm?id=1251353.1251365 [Accessed on 2011].
10. Rieck K, Trinius P, Willems C, Holz T. Automatic analysis of malware behavior using machine learning. Journal of Computer Security 2011; 19(4):639-668. Available from: http://dl.acm.org/citation.cfm?id=2011216. 2011217 [Accessed on 2014].
11. Ahmadi M, Sami A, Rahimi H, Yadegari B. Malware detection by behavioural sequential patterns. Computer Fraud & Security 2013; 2013(8):11-19. Available from: http://www.sciencedirect.com/science/article/pii/S1361372313700721 [Accessed on 2014].
12. Ye Y, Li T, Chen Y, Jiang Q. Automatic malware categorization using cluster ensemble. Proceedings of the 16th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, KDD '10, ACM, New York, NY, USA, 2010; 95-104.
13. Chen H, Wagner D. Mops: an infrastructure for examining security properties of software. Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS '02, ACM, New York, NY, USA, 2002; 235-244.
14. Chen H, Dean D, Wagner D. Model checking one million lines of c code. In Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS), San Diego, California, 2004; 171-185.
15. Feng H, Giffin J, Huang Y, Jha S, Lee W, Miller B. Formalizing sensitivity in static analysis for intrusion detection. Proceedings. 2004 IEEE Symposium on Security and Privacy, 2004, Oakland, California, May 2004; 194-208.
16. Griffin K, Schneider S, Hu X, Chiueh TC. Automatic generation of string signatures for malware detection. Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection, RAID '09, Springer-Verlag, Berlin, Heidelberg, 2009; 101-120.
17. Ida : Disassembler and debugger. 2013. Available from: https://www.hex-rays.com/products/ida/ [Accessed on 2014].
18. Santos I, Brezo F, Ugarte-Pedrero X, Bringas PG. Opcode sequences as representation of executables for data-mining-based unknown malware detection. Information Sciences 2013; 231(0):64-82.Available from: http://www.sciencedirect.com/science/article/pii/S0020025511004336 [Accessed on 2014], Data Mining for Information Security.
19. Tabish SM, Shafiq MZ, Farooq M. Malware detection using statistical analysis of byte-level file content. Proceedings of the ACM SIGKDD Workshop on Cybersecurity and Intelligence Informatics, CSI-KDD '09, ACM, New York, NY, USA, 2009; 23-31.
20. Novel active learning methods for enhanced (PC) malware detection in windows (OS). Expert Systems with Applications 2014; 41(13):5843-5857. Available from: http://www.sciencedirect.com/science/article/pii/S095741741400133X [Accessed on 2014].
21. Sung AH, Xu J, Chavez P, Mukkamala S. Static analyzer of vicious executables (save). Proceedings of the 20th Annual Computer Security Applications Conference, ACSAC '04, IEEE Computer Society, Washington, DC, USA, 2004; 326-334.
22. Kumar S, Spafford E. A generic virus scanner for c++. Computer Security Applications Conference, 1992. Proceedings., Eighth Annual, San Antonio, TX, November 1992; 210-219.
23. Shafiq M, Tabish S, Mirza F, Farooq M. Pe-miner: mining structural information to detect malicious executables in realtime. In Recent Advances in Intrusion Detection, vol.5758, Kirda E, Jha S, Balzarotti D (eds), Lecture Notes in Computer Science, Springer: Berlin Heidelberg, 2009; 121-141.
24. Wang TY, Wu CH, Hsieh CC. A virus prevention model based on static analysis and data mining methods. IEEE 8th International Conference on Computer and Information Technology Workshops, 2008. CIT Workshops 2008, Sydney, QLD, July 2008; 288-293.
25. Willems C, Holz T, Freiling F. Toward automated dynamic malware analysis using cwsandbox. IEEE Security and Privacy 2007; 5(2):32-39.
26. Rieck K, Holz T, Willems C, Dussel P, Laskov P. Learning and classification of malware behavior. Proceedings of the 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA '08, Springer-Verlag, Berlin, Heidelberg, 2008; 108-125.
27. Dai J, Guha R, Lee J. Efficient virus detection using dynamic instruction sequences. Journal of Computers 2009; 4(5). Available from: http://ojs.academypublisher.com/index.php/jcp/article/view/0405405414 [Accessed on 2011].
28. Kolbitsch C, Comparetti PM, Kruegel C, Kirda E, Zhou X, Wang X. Effective and efficient malware detection at the end host. Proceedings of the 18th Conference on USENIX Security Symposium, SSYM'09, USENIX Association, Berkeley, CA, USA. Available from: http://dl.acm.org/citation.cfm?id=1855768.1855790 [Accessed on 2012], 2009; 351-366.
29. Kim K, Moon BR. Malware detection based on dependency graph using hybrid genetic algorithm. Proceedings of the 12th Annual Conference on Genetic and Evolutionary Computation, GECCO '10, ACM, New York, NY, USA, 2010; 1211-1218.
30. Lanzi A, Balzarotti D, Kruegel C, Christodorescu M, Kirda E. Accessminer: using system-centric models for malware protection. Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS '10, ACM, New York, NY, USA, 2010; 399-412.
31. Nappa A, Rafique M, Caballero J. Driving in the cloud: an analysis of drive-by download operations and abuse reporting. In Detection of Intrusions and Malware, and Vulnerability Assessment, vol.7967, Rieck K, Stewin P, Seifert JP (eds), Lecture Notes in Computer Science, Springer: Berlin Heidelberg, 1-20, 2013).
32. Han J, Cheng H, Xin D, Yan X. Frequent pattern mining: current status and future directions. Data Mining and Knowledge Discovery 2007; 15(1):55-86.
33. DiCerbo F, Girardello A, Michahelles F, Voronkova S. Detection of malicious applications on android os. Proceedings of the 4th International Conference on Computational Forensics, IWCF'10, Springer-Verlag, Berlin, Heidelberg, 2011; 138-149. Available from: http://dl.acm.org/citation.cfm?id=1991416.1991433 [Accessed on 2014].
34. Yang C, Xu Z, Gu G, Yegneswaran V, Porras P. Droidminer: automated mining and characterization of fine-grained malicious behaviors in android applications. 19th European Symposium on Research in Computer Security, Wroclaw, Poland, 7-11 September 2014; 163-182.
35. Fredrikson M, Jha S, Christodorescu M, Sailer R, Yan X. Synthesizing near-optimal malware specifications from suspicious behaviors. Proceedings of the 2010 IEEE Symposium on Security and Privacy, SP '10m, IEEE Computer Society, Washington, DC, USA, 2010; 45-60.
36. Karbalaie F, Sami A, Ahmadi M. Semantic malware detection by deploying graph mining. International Journal of Computer Science Issues 2012; 9(1).
37. Perdisci R, Ariu D, Giacinto G. Scalable fine-grained behavioral clustering of http-based malware. Computer Networks 2013; 57(2):487-500.Available from: http://www.sciencedirect.com/science/article/pii/S1389128612002678 [Accessed on 2014], Botnet Activity: Analysis, Detection and Shutdown.
38. Palahan S, Babić D, Chaudhuri S, Kifer D. Extraction of statistically significant malware behaviors. Proceedings of the 29th Annual Computer Security Applications Conference, ACSAC '13, ACM, New York, NY, USA, 2013; 69-78.
39. Shahzad F, Farooq M. Elf-miner: using structural knowledge and data mining methods to detect new (Linux) malicious executables. Knowledge and Information Systems March 2012; 30(3):589-612.
40. Dependency walker : disassembler and debugger, 2013. Available from: http://www.dependencywalker.com/ [Accessed on 2013].
41. Chi Y, Yang Y, Xia Y, Muntz R, Cmtreeminer: mining both closed and maximal frequent subtrees. In Advances in Knowledge Discovery and data Mining, vol.3056, Dai H, Srikant R, Zhang C (eds), Lecture Notes in Computer Science, Springer: Berlin Heidelberg, 2004; 63-73.
42. Zaki MJ. Efficiently mining frequent trees in a forest: algorithms and applications. IEEE Transactions on Knowledge and Data Engineering 2005; 17(8):1021-1035. special issue on Mining Biological Data.
43. Asai T, Abe K, Kawasoe S, Sakamoto H, Arikawa S. Efficient substructure discovery from large semi-structured data. 2002; 158-174.
44. Weka : data mining software in java, 2013. Available from: http://www.cs.waikato.ac.nz/ml/weka/ [Accessed on 2013].
45. Lucia L, Lo D, Jiang L, Budi A. Comprehensive evaluation of association measures for fault localization. Proceedings of the 2010 IEEE International Conference on Software Maintenance, ICSM '10, IEEE Computer Society, Washington, DC, USA, 2010; 1-10.
46. Walenstein A, Venable M, Hayes M, Thompson C, Lakhotia A. A.:Exploiting similarity between variants to defeat malware: vilo? method for comparingand searching binary programs. In: Proceedings of BlackHat DC 2007, Las Vegas, 2007. Available from: https://blackhat.com/presentations/bh-dc-07/Walenstein/paper/bh-dc-07-walenstein-WP.pdf [Accessed on 2014].
47. Cesare S, Xiang Y. Malware variant detection using similarity search over sets of control flow graphs. 2011 IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications (TRUSTCOM), Changsha, China, November 2011; 181-189.
48. Wikipedia. Longest common subsequence problem, 2013. Available from: http://en.wikipedia.org/wiki/Longest_common_subsequence:problem [Accessed on 2013].