Malware Analysis and Classification Using Sequence Alignments

Cho, In Kyeom; Kim, Tae Guen; Shim, Yu Jin; Ryu, Minsoo; Im, Eul Gyu

doi:10.1080/10798587.2015.1118916

Cited by 21 publications

(9 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…They executed malware programs to compute distance using the LSH technique, which calculates a probabilistic estimate of all near pairs. Cho et al [11] proposed a malware similarity method with malware executing.…”

Section: ⅱ Malware Classificationmentioning

confidence: 99%

Research on Malware Classification with Network Activity for Classification and Attack Prediction of Attack Groups

Lim¹,

Kim²,

Noh³

et al. 2017

The Journal of Korean Institute of Communications and Informati

View full text Add to dashboard Cite

The security of Internet systems critically depends on the capability to keep anti-virus (AV) software up-to-date and maintain high detection accuracy against new malware. However, malware variants evolve so quickly they cannot be detected by conventional signature-based detection. In this paper, we proposed a malware classification method based on sequence patterns generated from the network flow of malware samples. We evaluated our method with 766 malware samples and obtained a classification accuracy of approximately 40.4%.In this study, malicious codes were classified only by network behavior of malicious codes, excluding codes and other characteristics. Therefore, this study is expected to be further developed in the future. Also, we can predict the attack groups and additional attacks can be prevented.※ 본 연구는 LIG넥스원의 지원으로 수행되었습니다.

show abstract

Section: ⅱ Malware Classificationmentioning

confidence: 99%

Research on Malware Classification with Network Activity for Classification and Attack Prediction of Attack Groups

Lim¹,

Kim²,

Noh³

et al. 2017

The Journal of Korean Institute of Communications and Informati

View full text Add to dashboard Cite

show abstract

“…Cho, et al [1] devised a malware similarity calculation system to detect malware variants and suggested the process which can reduce sequence alignment overheads. They removed the repeated API subsequences in the whole API call sequence due to the fact that such a process makes no loss in the overall accuracy.…”

Section: Related Workmentioning

confidence: 99%

“…Generally dynamic analysis has two ways according to the used feature and applied technique. Firstly, dynamic analysis by the used features utilizes information such as the frequency or sequence of API call [1], [3]- [5], compiled hexadecimal code [2], program execution paths [8] and others [5]- [7] as the feature. Secondly, analysis by applied techniques utilizes a sequence alignment [1], [2] and data mining or machine learning [2]- [5], [9] for the collected feature data.…”

Section: Related Workmentioning

confidence: 99%

“…The behavior information includes overall system I/Os and state changes [6] of system components including a file, registry, network, memory and etc. as well as API calls [1], [3]- [5] and control flows. Although the algorithms or methods of various fields have been applied for malware detection, such as the machine learning, data mining and various algorithms [1]- [5], [9], we introduce a dynamic analysis method based on malware behavior information with API call sequences and Multiple Sequence Alignment (MSA) for malware detection.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Feature-Chain Based Malware Detection Using Multiple Sequence Alignment of API Call

Kim

et al. 2016

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYThe recent cyber-attacks utilize various malware as a means of attacks for the attacker's malicious purposes. They are aimed to steal confidential information or seize control over major facilities after infiltrating the network of a target organization. Attackers generally create new malware or many different types of malware by using an automatic malware creation tool which enables remote control over a target system easily and disturbs trace-back of these attacks. The paper proposes a generation method of malware behavior patterns as well as the detection techniques in order to detect the known and even unknown malware efficiently. The behavior patterns of malware are generated with Multiple Sequence Alignment (MSA) of API call sequences of malware. Consequently, we defined these behavior patterns as a "feature-chain" of malware for the analytical purpose. The initial generation of the feature-chain consists of extracting API call sequences with API hooking library, classifying malware samples by the similar behavior, and making the representative sequences from the MSA results. The detection mechanism of numerous malware is performed by measuring similarity between API call sequence of a target process (suspicious executables) and feature-chain of malware. By comparing with other existing methods, we proved the effectiveness of our proposed method based on Longest Common Subsequence (LCS) algorithm. Also we evaluated that our method outperforms other antivirus systems with 2.55 times in detection rate and 1.33 times in accuracy rate for malware detection.

show abstract

“…Chamadas de APIs fornecem informações importantes sobre o comportamento de um software, e outros trabalhos já as utilizaram para realizar análise de malware (AHMADI et al, 2016), (CHO et al, 2014). Malwares normalmente utilizam as APIs SetWindowsHookEx, GetForegroundWindow e GetAsyncKeyState para capturar dados digitados pelo alvo (SIKORSKI; HONIG, 2012), técnica conhecida como keylogging.…”

Section: Chamadas De Apisunclassified

Análise e extração de características estruturais e comportamentais para perfis de malware

Caldas¹

View full text Add to dashboard Cite

Grande parte das ações criminosas na rede são praticadas com uso de softwares maliciosos, comumente denominados malwares. Malwares são programas desenvolvidos com o intuito de se infiltrar em um sistema de computador alheio de forma ilícita, para causar danos, alterações ou roubo de informações (confidenciais ou não). Uma resposta eficiente do Estado para um crime cibernético requer o entendimento do meio utilizado para o cometimento da ação criminosa. No ambiente jurídico, a análise de malware deve prover evidências necessárias para a materialização do fato e a determinação da autoria, visando a condenação do agente malicioso, e a fornecer meios para inocentar os erroneamente acusados. Existem duas abordagens fundamentais para o problema da análise de malware, a análise estática, que envolve examinar o malware sem executá-lo observando suas características estruturais, e a análise dinâmica, que envolve analisar o malware durante sua execução, observando suas características comportamentais. A maior parte da pesquisa feita hoje na área de análise de malware tem seu foco na detecção, como forma de prevenção e de evitar ataques. A pesquisa na área de classificação de malware ainda se encontra em estágios iniciais, e as técnicas desenvolvidas até então demonstram serventia limitada no dia a dia do investigador forense. O objetivo deste trabalho é realizar uma contribuição na área de classificação de malware. Tal contribuição é feita na forma de um estudo do panorama atual da área, na indústria de antivírus e na literatura. O estudo apresenta as principais classificações existentes até então, e suas limitações. É apresentada uma nova proposta de classificação, definida como profiling de malware, baseada no profiling criminal. Além da definição de perfis, este trabalho sugere características, comportamentais e estruturais, que podem representar comportamentos que reflitam os perfis, e apresenta uma estratégia eficiente para extração das características, utilizando a ferramenta Cuckoo Sandbox. Por fim faz-se uma análise das características extraídas, que revela que sete das onze características extraídas se mostraram promissoras para o profiling de malware.

show abstract

Malware Analysis and Classification Using Sequence Alignments

Cited by 21 publications

References 10 publications

Research on Malware Classification with Network Activity for Classification and Attack Prediction of Attack Groups

Research on Malware Classification with Network Activity for Classification and Attack Prediction of Attack Groups

Feature-Chain Based Malware Detection Using Multiple Sequence Alignment of API Call

Análise e extração de características estruturais e comportamentais para perfis de malware

Contact Info

Product

Resources

About