Malware Classification Framework for Dynamic Analysis using Information Theory

Affiliations

  • Computer Science and Information Technology Department (CSIT), Universiti Putra, Malaysia (UPM)

Abstract


Objectives: 1. To propose a framework for a Malware Classification System (MCS) that analyzes malware behavior dynamically using concepts from information theory and a machine learning technique. 2. To extract behavioral patterns, in terms of features, from the execution reports of malware and generate a data repository. 3. To select the most promising features using information-theory-based concepts.

Methods/Statistical Analysis: Today, malware is a major concern of computer security experts. The variety and increasing number of malware affect millions of systems in the form of viruses, worms, Trojans, etc. Many techniques have been proposed to assign malware to its class accurately. Some techniques analyze malware based on its structure, code flow, etc. without executing it (static analysis), whereas others (dynamic analysis) monitor the behavior of malware by executing it and comparing it with known malware behavior. Dynamic analysis has proved effective in malware detection because behavior during execution is more difficult to mask than the underlying code examined by static analysis. In this study, we propose a framework for a Malware Classification System (MCS) that analyzes malware behavior dynamically using concepts from information theory and a machine learning technique. The proposed framework extracts behavioral patterns, in terms of features, from the execution reports of malware and generates a data repository. It then selects the most promising features using information-theory-based concepts.

Findings: The proposed framework detects the family of unknown malware samples after a classifier has been trained on the malware data repository. We validated the applicability of the proposed framework by comparing it with the other dynamic malware analysis technique on a real malware dataset from VirusTotal.

Application: The proposed framework is a Malware Classification System (MCS) that analyzes malware behavior dynamically using concepts from information theory and a machine learning technique.
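The feature-selection step described in the abstract can be illustrated with a mutual-information ranking over behaviors taken from execution reports. This is an added example, not code from the paper: the abstract does not state which estimator the authors use, so the plug-in estimate I(X;Y) = H(X) + H(Y) - H(X,Y) over binary "behavior present" features is an assumption, and the family names, behavior tokens and function names are hypothetical.

```python
import math
from collections import Counter

# Constructed sample data: (family label, behaviours seen in one execution report).
# Family names and behaviour tokens are hypothetical, not taken from the paper.
REPORTS = [
    ("family_a", {"reg_set_run_key", "file_write_temp", "net_connect"}),
    ("family_a", {"reg_set_run_key", "net_connect"}),
    ("family_a", {"reg_set_run_key", "file_write_temp", "net_connect"}),
    ("family_b", {"proc_inject", "net_connect"}),
    ("family_b", {"proc_inject", "file_write_temp", "net_connect"}),
    ("family_b", {"proc_inject", "net_connect"}),
]

def entropy(counts):
    """Shannon entropy in bits of the distribution given by raw counts."""
    total = sum(counts)
    return -sum(c / total * math.log2(c / total) for c in counts if c)

def mutual_information(reports, feature):
    """I(X;Y) in bits: X = feature present/absent, Y = family label."""
    labels = Counter(label for label, _ in reports)
    present = Counter(feature in feats for _, feats in reports)
    joint = Counter((feature in feats, label) for label, feats in reports)
    # Plug-in estimate: I(X;Y) = H(X) + H(Y) - H(X,Y)
    return (entropy(present.values()) + entropy(labels.values())
            - entropy(joint.values()))

def rank_features(reports):
    """All observed behaviours, most informative about the family first."""
    vocab = set().union(*(feats for _, feats in reports))
    scored = [(mutual_information(reports, f), f) for f in vocab]
    return sorted(scored, key=lambda s: (-s[0], s[1]))  # ties broken by name

def select_top_k(reports, k):
    return [name for _, name in rank_features(reports)[:k]]

def to_vectors(reports, selected):
    """Binary feature vectors over the selected behaviours (classifier input)."""
    return [([int(f in feats) for f in selected], label)
            for label, feats in reports]

if __name__ == "__main__":
    for score, name in rank_features(REPORTS):
        print(f"{score:.4f}  {name}")
    print(to_vectors(REPORTS, select_top_k(REPORTS, 2)))
```

A behavior seen in every report (here `net_connect`) scores zero bits and is dropped, which is the practical reason to rank features before training the classifier.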

Keywords

Information Theory, Malware Classification, Mutual Information, Neural Network

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.