COMPUTER SCIENCE AND TECHNOLOGY
API based sequence and statistical features in a combined malware detection architecture

LU Xiaofeng (1), JIANG Fangshuo (1), ZHOU Xiao (1), CUI Baojiang (1), YI Shengwei (2), SHA Jing (3)

1. School of Cyberspace Security, Beijing University of Post and Telecommunications, Beijing 100876, China
2. China Information Technology Security Evaluation Center, Beijing 100085, China
3. The Third Research Institute of Ministry of Public Security, Shanghai 201204, China
Abstract This paper presents a combined machine-learning framework for malware behavior analysis. One part of the framework analyzes the dependency relations in the API call sequence at the functional level and extracts features from them to train a random forest classifier. The other part applies a recurrent neural network (RNN) to the API sequence, after preprocessing that removes redundant information, and uses the RNN's time-series forecasting ability to identify malware. Tests on a malware dataset show that both methods detect malware effectively, but the combined framework performs better, reaching an AUC of 99.3%.
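As an added illustration of the two ingredients the abstract names (functional-level dependency features feeding the random forest, and redundant-information preprocessing before the sequence model), the following is example code written for this page, not the authors' implementation. The API-to-functional-group mapping, the run-collapsing form of preprocessing, the transition-count feature layout and the equal-weight score fusion are all assumptions; the sample API trace is constructed.

```python
from collections import Counter
from itertools import product

# Assumed mapping of Windows API names to functional groups. The paper works
# "at the functional level" but the abstract does not list its groups.
API_GROUPS = {
    "CreateFileW": "file", "WriteFile": "file", "ReadFile": "file",
    "RegOpenKeyExW": "registry", "RegSetValueExW": "registry",
    "InternetOpenA": "network", "InternetConnectA": "network",
    "CreateProcessW": "process", "WriteProcessMemory": "process",
}
GROUPS = ("file", "registry", "network", "process", "other")

# Constructed sample trace: a file write loop, a registry change, a network
# call and a process start (a shape a sandbox trace commonly has).
SAMPLE_CALLS = ["CreateFileW"] + ["WriteFile"] * 3 + [
    "RegOpenKeyExW", "RegSetValueExW", "InternetOpenA", "CreateProcessW"]

def dedupe_runs(calls):
    """Assumed form of redundant-information preprocessing: collapse runs of
    the same API repeated back to back, so a loop of many WriteFile calls
    becomes one WriteFile. Order is kept; loop-length noise is dropped."""
    out = []
    for call in calls:
        if not out or out[-1] != call:
            out.append(call)
    return out

def functional_sequence(calls):
    """Replace each (deduplicated) API name with its functional group."""
    return [API_GROUPS.get(c, "other") for c in dedupe_runs(calls)]

def dependency_features(calls):
    """Fixed-length vector (len(GROUPS)**2): normalised counts of each
    group_i -> group_j transition, i.e. which functional stage follows which,
    independent of the exact API names. Suitable as random-forest input."""
    seq = functional_sequence(calls)
    pairs = Counter(zip(seq, seq[1:]))
    total = max(1, sum(pairs.values()))
    return [pairs[(a, b)] / total for a, b in product(GROUPS, repeat=2)]

def combine_scores(rf_prob, rnn_prob, w_rf=0.5):
    """Late fusion of the two detectors' malicious probabilities (weights
    assumed); the paper's actual combination rule is not given here."""
    return w_rf * rf_prob + (1 - w_rf) * rnn_prob

if __name__ == "__main__":
    print(functional_sequence(SAMPLE_CALLS))
    print(dependency_features(SAMPLE_CALLS))
    print(combine_scores(0.9, 0.7))
```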
Keywords: computer virus and prevention; malware classification; machine learning; deep learning; call sequence
Issue Date: 15 May 2018