Malware classification method via binary content comparison

Kang, BooJoong; Kim, Taekeun; Kwon, Heejun; Choi, Yang‐Kyu; Im, Eul Gyu

doi:10.1145/2401603.2401672

Cited by 25 publications

(10 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Several themes to mechanize malware classification are actively researched and pertinent. One theme is the advancements of automated systems for static and dynamic detection, including an emphasis on model-based classification [22,21,15]. Nonetheless a strong need for expert human evaluation remains [20], thereby indicating the importance of retaining the human in the loop.…”

Section: Malware Classificationmentioning

confidence: 99%

This Malware Looks Familiar: Laymen Identify Malware Run-time Similarity with Chernoff faces and Stick Figures

VanHoudnos¹,

Casey²,

French³

et al. 2017

Proceedings of the 10th EAI International Conference on Bio-Inspired Information and Communications Technologies (Formerly BION

View full text Add to dashboard Cite

Classifying unknown malicious binaries into malware families provides valuable information to security professionals. The task of recognizing a malicious binary (i.e., attributing it to a previously observed attack pattern) is widely considered a difficult task requiring extensive domain expertise. In this work, we offer a new approach which focuses on transforming the the recognition problem domain from system traces to Chernoff faces, thereby engaging the facial recognition aptitude of laymen. To do so we (i) curated a expert tagged dataset of malware variants, (ii) instrumented behavior trace monitors for each variant, (iii) constructed a simple, graph based feature set from the runtime behavior, and (iv) visualized low-dimensional representations of these system call graphs with stick figures and Chernoff faces. We then selected the three families with the largest variation and asked non-experts on Amazon Mechanical Turk to classify binaries between these three families using the generated visual representations, a task that would otherwise be delegated to experts. We found that non-experts completed the task with between 63% and * Main contributions were while employed at CMU Software Engineering Institute. 86% accuracy, and when aggregated, these non-expert labels successfully trained a classifier to a similar level of performance as the ground truth labels. Although simple, the experiments conducted provide a novel evaluation of the inherent difficulty of malware recognition tasks. Additionally new operational possibilities for effective human in the loop malware recognition are indicated and discussed as future work within the research prospectus.

show abstract

Section: Malware Classificationmentioning

confidence: 99%

This Malware Looks Familiar: Laymen Identify Malware Run-time Similarity with Chernoff faces and Stick Figures

VanHoudnos¹,

Casey²,

French³

et al. 2017

Proceedings of the 10th EAI International Conference on Bio-Inspired Information and Communications Technologies (Formerly BION

View full text Add to dashboard Cite

show abstract

“…The issue was solved by reducing operation cost and converting to a type that is appropriate for using with clustering and classification logic. That is, dimensions are reduced by converting the 2-gram value to 1,204th fixed length vector values using the feature-hashing function before calculating similarity and classifying groups [5].…”

Section: Malware Group Classification Modulementioning

confidence: 99%

A Study on Malware Profiling and Result Visualization Design Framework

2017

IJAERD

View full text Add to dashboard Cite

show abstract

“…Malware signature detection is employed by the tradition anti-virus systems but it is easy to be evaded. Some researches analyzed the malware binary codes by static analysis [5] [6] [7] [8] [9]. They extracted the API names and strings from malicious PE executables and then analyzed these information with algorithms in order to find out the differences between malicious and benign programs.…”

Section: Host Based Detectionmentioning

confidence: 99%

Malware Detection Systems Based on API Log Data Mining

Fan

Hsiao

Chou

et al. 2015

2015 IEEE 39th Annual Computer Software and Applications Conference

View full text Add to dashboard Cite

As information technology improves, the Internet is involved in every area in our daily life. When the mobile devices and cloud computing technology start to play important parts of our life, they have become more susceptible to attacks. In recent years, phishing and malicious websites have increasingly become serious problems in the field of network security. Attackers use many approaches to implant malware into target hosts in order to steal significant data and cause substantial damage. The growth of malware has been very rapid, and the purpose has changed from destruction to penetration. The signatures of malware have become more difficult to detect. In addition to static signatures, malware also tries to conceal dynamic signatures from anti-virus inspection. In this research, we use hooking techniques to trace the dynamic signatures that malware tries to hide. We then compare the behavioural differences between malware and benign programs by using data mining techniques in order to identify the malware. The experimental results show that our detection rate reaches 95% with only 80 attributes. This means that our method can achieve a high detection rate with low complexity.

show abstract

Malware classification method via binary content comparison

Cited by 25 publications

References 14 publications

This Malware Looks Familiar: Laymen Identify Malware Run-time Similarity with Chernoff faces and Stick Figures

This Malware Looks Familiar: Laymen Identify Malware Run-time Similarity with Chernoff faces and Stick Figures

A Study on Malware Profiling and Result Visualization Design Framework

Malware Detection Systems Based on API Log Data Mining

Contact Info

Product

Resources

About