Exploring Discriminatory Features for Automated Malware Classification

Yan, Guanhua; Brown, Nathan; Kong, Deguang

doi:10.1007/978-3-642-39235-1_3

Cited by 54 publications

(36 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We use two different aspects of the instructions, the first one is instruction opcode and the second one is instruction category. Instruction opcode is one of the features previously used for static malware detection [52,54,10,67]. However, it is not common to use the opcodes for dynamic detection of malware.…”

Section: Features Related To Instructionsmentioning

confidence: 99%

“…Bilar et al [10] examine the frequency of opcode use in malware. Santos et al and Yan et al evaluate opcode sequence signatures [54,67], while in particular, opcode sequence signatures were found to effectively classify metamorphic malware. Runwal et al [52] study opcode sequence similarity graphs.…”

Section: Related Workmentioning

confidence: 99%

“…Typical techniques proposed for online malware detection include VM introspection [27], dynamic binary instrumentation [21], information flow tracking [68], and software anomaly detection [29]. These solutions each have coverage limitations and introduce substantial overhead (e.g., 10x slowdown for information flow tracking is typical in software [67]). The problem is especially critical for mobile environments where the energy cost of detection imposes limits on the effort that a system can dedicate to online malware detection.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Malware-aware processors: A framework for efficient online malware detection

Özsoy

Donovick

Gorelik

et al. 2015

2015 IEEE 21st International Symposium on High Performance Computer Architecture (HPCA)

115

View full text Add to dashboard Cite

Security exploits and ensuant malware pose an increasing challenge to computing systems as the variety and complexity of attacks continue to increase. In response, software-based malware detection tools have grown in complexity, thus making it computationally difficult to use them to protect systems in real-time. Therefore, software detectors are applied selectively and at a low frequency, creating opportunities for malware to remain undetected. In this paper, we propose Malware-Aware Processors (MAP) -processors augmented with an online hardware-based detector to serve as the first line of defense to differentiate malware from legitimate programs. The output of this detector helps the system prioritize how to apply more expensive software-based solutions. The always-on nature of MAP detector helps protect against intermittently operating malware. Our work improves on the state of the art in the following ways: (1) We define and explore the use of sub-semantic features for online detection of malware. (2) We explore hardware implementations and show that simple classifiers appropriate for such implementations can effectively classify malware. We also study different classifiers, develop implementation optimizations, and explore complexity to performance trade-offs. (3) We propose a two-level detection framework where the hardware classifier prioritizes the work of a more accurate but more expensive software defense mechanism. (4) We integrate the MAP implementation with an open-source x86-compatible core, synthesizing the resulting design to run on an FPGA.

show abstract

Section: Features Related To Instructionsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Malware-aware processors: A framework for efficient online malware detection

Özsoy

Donovick

Gorelik

et al. 2015

2015 IEEE 21st International Symposium on High Performance Computer Architecture (HPCA)

115

View full text Add to dashboard Cite

show abstract

“…Bilar et al use the frequency of opcodes that a specific program uses [3]. Others use sequence signatures of the opcodes [28,34]. Runwal et al use similarity graphs of opcode sequences [27].…”

Section: Related Workmentioning

confidence: 99%

Ensemble Learning for Low-Level Hardware-Supported Malware Detection

Khasawneh

Özsoy

Donovick

et al. 2015

Research in Attacks, Intrusions, and Defenses

View full text Add to dashboard Cite

Abstract. Recent work demonstrated hardware-based online malware detection using only low-level features. This detector is envisioned as a first line of defense that prioritizes the application of more expensive and more accurate software detectors. Critical to such a framework is the detection performance of the hardware detector. In this paper, we explore the use of both specialized detectors and ensemble learning techniques to improve performance of the hardware detector. The proposed detectors reduce the false positive rate by more than half compared to a single detector, while increasing the detection rate. We also contribute approximate metrics to quantify the detection overhead, and show that the proposed detectors achieve more than 11x reduction in overhead compared to a software only detector (1.87x compared to prior work), while improving detection time. Finally, we characterize the hardware complexity by extending an open core and synthesizing it on an FPGA platform, showing that the overhead is minimal.

show abstract

“…Code coverage can be increased with proper code-stimulation techniques, at the price of an increased complexity, and by relying on hardware-level introspection. As shown by a recent quantitative analysis [40], a combination of static and dynamic analysis, creating so-called hybrid approaches, is the key to achieve the best recall and precision. We observe that previous work revolve around the concept of behavior [16,26], which is leveraged as the bridge between static an dynamic techniques.…”

Section: Binary Analysis and Reverse Engineeringmentioning

confidence: 99%

Jackdaw: Towards Automatic Reverse Engineering of Large Datasets of Binaries

Polino

Scorti

Maggi

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

When analyzing an untrusted binary, reverse engineers usually rely on ad-hoc collections of interesting dynamic patterns-known as behaviors in the malware-analysis community-and static patterns-known as signatures in the antivirus community. Such patterns are often part of the skill set of the analyst, sometimes implemented in manually-created post-processing scripts. It would be desirable to be able to automatically find such behaviors, present them to analysts, and create a systematic catalog of matching rules and relevant implementations. We propose JACKDAW, a system that finds interesting dynamic patterns, and ranks them to unveil potentially interesting behaviors. Then, it annotates them with static information, capturing the distinct implementations of each across different malware families. Finally, JACKDAW associates semantic information to the behaviors, so as to create a descriptive summary that helps the analysts in querying the catalog of behaviors by type. To do this, it leverages the dynamic information and an indexed Web-based knowledge databases. We implement and demonstrate JACKDAW on the Win32 API (even if the technique can be generalized to any OS). On a dataset of 2,136 distinct binaries, including both malicious and benign libraries and executables, we compared the behaviors extracted automatically against a ground truth of 44 behaviors created manually by expert analysts. JACKDAW found 77.3% of them and was able to exclude spurious behaviors in 99.6% cases. We also discovered 466 novel behaviors, among which manual exploration and review by expert reverse engineers revealed interesting findings and confirmed the correctness of the semantic tagging.

show abstract

Exploring Discriminatory Features for Automated Malware Classification

Cited by 54 publications

References 20 publications

Malware-aware processors: A framework for efficient online malware detection

Malware-aware processors: A framework for efficient online malware detection

Ensemble Learning for Low-Level Hardware-Supported Malware Detection

Jackdaw: Towards Automatic Reverse Engineering of Large Datasets of Binaries

Contact Info

Product

Resources

About