Novel active learning methods for enhanced PC malware detection in windows OS

Nissim, Nir; Moskovitch, Robert; Rokach, Lior; Elovici, Yuval

doi:10.1016/j.eswa.2014.02.053

Cited by 94 publications

(51 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…SVM-Simple-Margin [24] is a current AL method considered in our experiments. Active learning was successfully used to enhance the detection of unknown computer worms [25] and malicious executable files targeting the Windows OS [26]. Such methods are used in the current study in order to enhance the detection of malicious PDF files.…”

Section: Related Workmentioning

confidence: 99%

“…Therefore our percentage (24 %) likely represents the upper reasonable boundary of the actual percentage of malicious PDF files. Moreover, in our previous study [26], aimed at the detection of malicious executables using ML and AL methods, we estimated the malicious executables percentage to be approximately 9 %. In that study we therefore adjusted our dataset to 9 % malicious files, and our methods worked very well, providing high true positive rates (TPR) and low false positive rate (FPR) rates.…”

Section: Dataset Collectionmentioning

confidence: 99%

“…We used the SVM algorithm for the following reasons: (1) SVM has been successfully used to detect worms [25,28], classify malware into species, and detect zero day attacks [29]; (2) the trained SVM classifier is a black-box that is hard for an attacker to understand [28]; (3) SVM has proven to be very efficient when combined with AL methods [26]; and (4) SVM is known for its ability to handle large numbers of features which makes it suitable for handling the number of structural paths extracted from the PDF files [18]. In our experiments we used Lib-SVM implementation [30] which also supports multiclass classification.…”

Section: Detection and Updatingmentioning

confidence: 99%

See 2 more Smart Citations

Keeping pace with the creation of new malicious PDF files using an active-learning based detection framework

et al. 2016

Self Cite

View full text Add to dashboard Cite

Attackers increasingly take advantage of naive users who tend to treat non-executable files casually, as if they are benign. Such users often open non-executable files although they can conceal and perform malicious operations. Existing defensive solutions currently used by organizations prevent executable files from entering organizational networks via web browsers or email messages. Therefore, recent advanced persistent threat attacks tend to leverage non-executable files such as portable document format (PDF) documents which are used daily by organizations. Machine Learning (ML) methods have recently been applied to detect malicious PDF files, however these techniques lack an essential element-they cannot be efficiently updated daily. In this study we present an active learning (AL) based framework, specifically designed to efficiently assist anti-virus vendors focus their analytical efforts aimed at acquiring novel malicious content. This focus is accomplished by identifying and acquiring both new PDF files that are most likely malicious and informative benign PDF documents. These files are used for retraining and enhancing the knowledge stores of both the detection model and anti-virus. We propose two AL based methods: exploitation and combination. Our methods are evaluated and compared to existing AL method (SVM-margin) and to random sampling for 10 days, and results indicate that on the last day of the experiment, combination outperformed all of the other methods, enriching the signature repository of the anti-virus with almost seven times more new malicious PDF files, while each day improving the detection model's capabilities further. At the same time, it dramatically reduces security experts' efforts by 75 %. Despite this significant reduction, results also indicate that our framework better detects new malicious PDF files than leading anti-virus tools commonly used by organizations for protection against malicious PDF files.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Dataset Collectionmentioning

confidence: 99%

Section: Detection and Updatingmentioning

confidence: 99%

See 1 more Smart Citation

Keeping pace with the creation of new malicious PDF files using an active-learning based detection framework

et al. 2016

Self Cite

View full text Add to dashboard Cite

show abstract

“…If the malware is designed to not operate in a specific environment, that is, in a virtualized environment, it is difficult to acquire quality analysis information, and, thus, reliability is hard to secure. The research in [25,26] are excellent in detecting or preventing the intrusion of malware, malware execution, and redirection, but integrity and usability are not considered and are limited in securing reliability. Only using social information to analyze is not enough to prevent already known intrusions.…”

Section: Analysis Of Hb-dipmmentioning

confidence: 99%

“…Nissim et al [25] proposed a new machine learning method designed to acquire a malware framework based on exploitation and combination. It uses a static analysis method to express the benign and malicious execution files by taking the idea from text categorization.…”

Section: Existing Studiesmentioning

confidence: 99%

HB-DIPM: Human Behavior Analysis-Based Malware Detection and Intrusion Prevention Model in the Future Internet

2016

J Inf Process Syst

View full text Add to dashboard Cite

As interest in the Internet increases, related technologies are also quickly progressing. As smart devices become more widely used, interest is growing in words are missing here like "improving the" or "figuring out how to use the" future Internet to resolve the fundamental issues of transmission quality and security. The future Internet is being studied to improve the limits of existing Internet structures and to reflect new requirements. In particular, research on words are missing here like "finding new forms of" or "applying new forms of" or "studying various types of" or "finding ways to provide more" reliable communication to connect the Internet to various services is in demand. In this paper, we analyze the security threats caused by malicious activities in the future Internet and propose a human behavior analysis-based security service model for malware detection and intrusion prevention to provide more reliable communication. Our proposed service model provides high reliability services by responding to security threats by detecting various malware intrusions and protocol authentications based on human behavior.

show abstract

Targeting malware discrimination based on reversed association task

Han

Zhou

Han

et al. 2018

Concurrency and Computation

View full text Add to dashboard Cite

Summary Regarding the current situation that the recognition rate of malware is decreasing, the article points out that the reason for this dilemma is that more and more targeting malware have emerged, which share little or no common feature with traditional malware. The premise of malware recognition judging whether a software is malicious or benign is actually a decision problem. We propose that malware discrimination should resort to the corresponding task or purpose. We first present a formal definition of a task and then provide further classifications of malicious tasks. Based on the decidable theory, we prove that task performed by any software is recursive and determinable. By establishing a mapping from software to task, we prove that software is many‐to‐one reducible to corresponding tasks. Thus, we demonstrate that software, including malware, is also recursive and can be determined by the corresponding tasks. Finally, we present the discrimination process of our method. Nine real malwares are presented, which were firstly discriminated by our method but at that time could not be identified by Kaspersky, McAfee, Symantec Norton, or Kingsoft Antivirus.

show abstract

Novel active learning methods for enhanced PC malware detection in windows OS

Cited by 94 publications

References 28 publications

Keeping pace with the creation of new malicious PDF files using an active-learning based detection framework

Keeping pace with the creation of new malicious PDF files using an active-learning based detection framework

HB-DIPM: Human Behavior Analysis-Based Malware Detection and Intrusion Prevention Model in the Future Internet

Targeting malware discrimination based on reversed association task

Contact Info

Product

Resources

About