Novel feature extraction, selection and fusion for effective malware family classification

CODASPY 2016 - Proceedings of the 6th ACM Conference on Data and Application Security and Privacy

Volumn , Issue , 2016, Pages 183-194

  Ahmadi, Mansour ^a   Ulyanov, Dmitry ^b   Semenov, Stanislav ^c   Trofimov, Mikhail ^d   Giacinto, Giorgio ^a  

^a UNIVERSITY OF CAGLIARI   (Italy)

^b SKOLKOVO INSTITUTE OF SCIENCE AND TECHNOLOGY   (Russian Federation)

^c NATIONAL RESEARCH UNIVERSITY HIGHER SCHOOL OF ECONOMICS   (Russian Federation)

^d MOSCOW INSTITUTE OF PHYSICS AND TECHNOLOGY   (Russian Federation)

Author keywords

Classification; Computer security; Machine learning; Malware family; Microsoft malware classification challenge; Windows malware

Indexed keywords

ARTIFICIAL INTELLIGENCE; CLASSIFICATION (OF INFORMATION); COMPUTER CRIME; DATA PRIVACY; EXTRACTION; FEATURE EXTRACTION; LEARNING SYSTEMS; SECURITY OF DATA; SECURITY SYSTEMS;

HIGH-ACCURACY; MALWARE BEHAVIORS; MALWARE CLASSIFICATIONS; MALWARE FAMILIES; MICROSOFT; SECURITY COMMUNITY; SIGNATURE EXTRACTION;

MALWARE;

EID: 84964884361     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2857705.2857713     Document Type: Conference Paper

References (48)

1. Ida: Disassembler and debugger. https://www.hex-rays.com/products/ida/,2013.
2. Novel active learning methods for enhanced {PC} malware detection in windows {OS}. Expert Systems with Applications, 41(13):5843-5857, 2014.
3. Duqu is back. http://www.kaspersky.com/about/news/virus/2015/Duqu-is-back, 2015.
4. Mahotas features. http://mahotas.readthedocs.org/en/latest/features.html, 2015.
5. Mcafee labs threats report, february. http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q4-2014.pdf, 2015.
6. Symantec intelligent report, may. https://www.symantec.com/content/en/us/enterprise/other-resources/intelligence-report-05-2015.en-us.pdf, 2015.
7. Top maliciously used apis. https://www.bnxnet.com/top-maliciously-used-apis/, 2015.
8. Xgboost. https://github.com/dmlc/xgboost, 2015.
9. M. Ahmadi, A. Sami, H. Rahimi, and B. Yadegari. Malware detection by behavioural sequential patterns. Computer Fraud & Security, 2013(8):11-19, 2013.
10. D. Baysa, R. Low, and M. Stamp. Structural entropy and metamorphic malware. Journal of Computer Virology and Hacking Techniques, 9(4):179-192, 2013.
11. B. Biggio, I. Corona, D. Maiorca, B. Nelson, N. ÅǍrndiaǧ, P. Laskov, G. Giacinto, and F. Roli. Evasion attacks against machine learning at test time. In H. Blockeel, K. Kersting, S. Nijssen, and F. ÅeleznÃ, editors, Machine Learning and Knowledge Discovery in Databases, Volume 8190 of Lecture Notes in Computer Science, pages 387-402. Springer Berlin Heidelberg, 2013.
12. B. Biggio, B. Nelson, and P. Laskov. Poisoning attacks against support vector machines. In 29th Int'l Conf. on Machine Learning (ICML). Omnipress, Omnipress, 2012.
13. B. Biggio, K. Rieck, D. Ariu, C. Wressnegger, I. Corona, G. Giacinto, and F. Roli. Poisoning behavioral malware clustering. In Proceedings of the 2014 Workshop on Artificial Intelligent and Security Workshop, AISec '14, pages 27-36, New York, NY, USA, 2014. ACM.
14. D. Bilar. Statistical structures: Fingerprinting malware for classification and analysis. In Blackhat, 2006.
15. L. Breiman. Bagging predictors. Mach. Learn., 24(2):123-140, Aug. 1996.
16. L. Breiman, J. Friedman, R. Olshen, and C. Stone. Classification and Regression Trees. Wadsworth and Brooks, Monterey, CA, 1984. new edition [?]?
17. M. Christodorescu and S. Jha. Static analysis of executables to detect malicious patterns. In Proceedings of the 12th Conference on USENIX Security Symposium - Volume 12, SSYM'03, pages 12-12, Berkeley, CA, USA, 2003. USENIX Association.
18. M. Christodorescu, S. Jha, S. Seshia, D. Song, and R. Bryant. Semantics-aware malware detection. In Security and Privacy, 2005 IEEE Symposium on, pages 32-46, May 2005.
19. M. Fernández-Delgado, E. Cernadas, S. Barro, and D. Amorim. Do we need hundreds of classifiers to solve real world classification problems? J. Mach. Learn. Res., 15(1):3133-3181, Jan. 2014.
20. M. Fredrikson, S. Jha, M. Christodorescu, R. Sailer, and X. Yan. Synthesizing near-optimal malware specifications from suspicious behaviors. In Proceedings of the 2010 IEEE Symposium on Security and Privacy, SP '10, pages 45-60, Washington, DC, USA, 2010. IEEE Computer Society.
21. M. Ghiasi, A. Sami, and Z. Salehi. Dynamic vsa: a framework for malware detection based on register contents. Engineering Applications of Artificial Intelligence, 44:111-122, 2015.
22. K. Griffin, S. Schneider, X. Hu, and T.-C. Chiueh. Automatic generation of string signatures for malware detection. In Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection, RAID '09, pages 101-120, Berlin, Heidelberg, 2009. Springer-Verlag.
23. X. Hu, T.-c. Chiueh, and K. G. Shin. Large-scale malware indexing using function-call graphs. In Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS '09, pages 611-620, New York, NY, USA, 2009. ACM.
24. G. Jacob, P. M. Comparetti, M. Neugschwandtner, C. Kruegel, and G. Vigna. A static, packer-agnostic filter to detect similar malware samples. In Proceedings of the 9th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA'12, pages 102-122, Berlin, Heidelberg, 2013. Springer-Verlag.
25. G. James, D. Witten, T. Hastie, and R. Tibshirani. An Introduction to Statistical Learning: With Application. In R. Springer Publishing Company, Incorporated, 2014.
26. F. Karbalaie, A. Sami, and M. Ahmadi. Semantic malware detection by deploying graph mining. International Journal of Computer Science Issues, 9(1), 2012.
27. C. Kolbitsch, P. M. Comparetti, C. Kruegel, E. Kirda, X. Zhou, and X. Wang. Effective and efficient malware detection at the end host. In Proceedings of the 18th Conference on USENIX Security Symposium, SSYM'09, pages 351-366, Berkeley, CA, USA, 2009. USENIX Association.
28. C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Automating mimicry attacks using static binary analysis. In Proceedings of the 14th Conference on USENIX Security Symposium - Volume 14, SSYM'05, pages 11-11, Berkeley, CA, USA, 2005. USENIX Association.
29. L. I. Kuncheva. Ensemble Methods, pages 186-229. John Wiley & Sons, Inc., 2014.
30. A. Lanzi, D. Balzarotti, C. Kruegel, M. Christodorescu, and E. Kirda. Accessminer: Using system-centric models for malware protection. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS '10, pages 399-412, New York, NY, USA, 2010. ACM.
31. R. Lyda and J. Hamrock. Using entropy analysis to find encrypted and packed malware. IEEE Security and Privacy, 5(2):40-45, Mar. 2007.
32. A. Moser, C. Kruegel, and E. Kirda. Exploring multiple execution paths for malware analysis. In Proceedings of the 2007 IEEE Symposium on Security and Privacy, SP '07, pages 231-245, Washington, DC, USA, 2007. IEEE Computer Society.
33. A. Moser, C. Kruegel, and E. Kirda. Limits of static analysis for malware detection. In Computer Security Applications Conference, 2007. ACSAC 2007. Twenty-Third Annual, pages 421-430, Dec 2007.
34. M. Narouei, MansourAhmadi, G. Giacinto, H. Takabi, and A. Sami. Dllminer: Structural mining for malware detection. Security and Communication Networks, 2015.
35. L. Nataraj, S. Karthikeyan, G. Jacob, and B. S. Manjunath. Malware images: Visualization and automatic classification. In Proceedings of the 8th International Symposium on Visualization for Cyber Security, VizSec '11, pages 4:1-4:7, New York, NY, USA, 2011. ACM.
36. J. Qiu, B. Yadegari, B. Johannesmeyer, S. Debray, and X. Su. A framework for understanding dynamic anti-analysis defenses. In Proceedings of the 4th Program Protection and Reverse Engineering Workshop, PPREW-4, pages 2:1-2:9, New York, NY, USA, 2014. ACM.
37. K. Rieck, T. Holz, C. Willems, P. Dussel, and P. Laskov. Learning and classification of malware behavior. In Proceedings of the 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA '08, pages 108-125, Berlin, Heidelberg, 2008. Springer-Verlag.
38. C. Rossow, C. Dietrich, C. Grier, C. Kreibich, V. Paxson, N. Pohlmann, H. Bos, and M. van Steen. Prudent practices for designing malware experiments: Status quo and outlook. In Security and Privacy (SP), 2012 IEEE Symposium on, pages 65-79, May 2012.
39. A. Sami, B. Yadegari, H. Rahimi, N. Peiravian, S. Hashemi, and A. Hamze. Malware detection based on mining api calls. In Proceedings of the 2010 ACM Symposium on Applied Computing, SAC '10, pages 1020-1025, New York, NY, USA, 2010. ACM.
40. I. Santos, F. Brezo, X. Ugarte-Pedrero, and P. G. Bringas. Opcode sequences as representation of executables for data-mining-based unknown malware detection. Information Sciences, 231(0):64-82, 2013. Data Mining for Information Security.
41. B. Schwarz, S. Debray, and G. Andrews. Disassembly of executable code revisited. In Proceedings of the Ninth Working Conference on Reverse Engineering (WCRE'02), WCRE '02, pages 45-, Washington, DC, USA, 2002. IEEE Computer Society.
42. M. Shafiq, S. Tabish, F. Mirza, and M. Farooq. Pe-miner: Mining structural information to detect malicious executables in realtime. In E. Kirda, S. Jha, and D. Balzarotti, editors, Recent Advances in Intrusion Detection, Volume 5758 of Lecture Notes in Computer Science, pages 121-141. Springer Berlin Heidelberg, 2009.
43. A. H. Sung, J. Xu, P. Chavez, and S. Mukkamala. Static analyzer of vicious executables (save). In Proceedings of the 20th Annual Computer Security Applications Conference, ACSAC '04, pages 326-334, Washington, DC, USA, 2004. IEEE Computer Society.
44. S. M. Tabish, M. Z. Shafiq, and M. Farooq. Malware detection using statistical analysis of byte-level file content. In Proceedings of the ACM SIGKDD Workshop on CyberSecurity and Intelligence Informatics, CSI-KDD '09, pages 23-31, New York, NY, USA, 2009. ACM.
45. C. Willems, T. Holz, and F. Freiling. Toward automated dynamic malware analysis using cwsandbox. Security Privacy, IEEE, 5(2):32-39, March 2007.
46. T. Wüchner, M. Ochoa, and A. Pretschner. Malware detection with quantitative data flow graphs. In Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, ASIA CCS '14, pages 271-282, New York, NY, USA, 2014. ACM.
47. B. Yadegari, B. Johannesmeyer, B. Whitely, and S. Debray. A generic approach to automatic deobfuscation of executable code. In IEEE Security and Privacy. IEEE, 2015.
48. Y. Ye, D. Wang, T. Li, D. Ye, and Q. Jiang. An intelligent pe-malware detection system based on association mining. Journal in Computer Virology, 4(4):323-334, 2008.