Towards a Methodical Evaluation of Antivirus Scans and Labels

Mohaisen, Aziz; Alrawi, Omar; Larson, Matt; McPherson, Danny

doi:10.1007/978-3-319-05149-9_15

Cited by 18 publications

(18 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Consistent with the results of [12] on a smaller and less representative set of files, our results support the conclusion that the five malware-identification methods are looking for different kinds of things. Note that the hypothesis that some malware methods include files that merely contain vulnerabilities rather than exploits is not supported by the data in the BV (Bit9 vulnerability) column, since there was very little overlap between Bit9's vulnerable set and the malicious hash sets.…”

Section: Obtaining Malware For Testingsupporting

confidence: 89%

Finding contextual clues to malware using a large corpus

Rowe

2015

2015 IEEE Symposium on Computers and Communication (ISCC)

View full text Add to dashboard Cite

Identification of malware is a critical problem in computer security. Many signature-identification, behaviorrecognition, and reputation-based tools are available for hostbased detection. However, so many files are present on systems today that checking all files is time-consuming, and better methods are needed to suggest which files are of highest priority to check in partial scans. This work developed and tested local contextual clues to malware in the metadata of file systems on an international corpus of 248 million files on 3961 drives. 398,949 hash values of malware were found in this corpus using five methods, and 3,681,211 hash values of non-malware were chosen for comparison using three methods. Malware identification rates were compared for the fifteen combinations and were crosscorrelated for different types of drives and file types. Results showed that different malware identification methods find significantly different things. Then the strength of particular local clues in file metadata (directory and file names, sizes, times, and hash values) was assessed and results were compared for the fifteen combinations. Some classic clues (e.g. rare file extensions and deletion status) were confirmed and others were not (e.g. double extensions and occurrence in the operating system). With this data, a program was implemented to estimate the likelihood that a given file was malware based solely on its metadata context. With three random subsets of our corpus, our methods gave 51 times better precision (fraction of malware in files identified as malware) with 70% better recall (fraction of malware detected) than the approach of inspecting executables alone. They also ran significantly faster than signature checking, and can be used before other kinds of malware analysis.

show abstract

Section: Obtaining Malware For Testingsupporting

confidence: 89%

Finding contextual clues to malware using a large corpus

Rowe

2015

2015 IEEE Symposium on Computers and Communication (ISCC)

View full text Add to dashboard Cite

show abstract

“…The count used was the number of distinct malware hash values associated with the clue, since we saw drives where the same malware hash value occurred in hundreds of files it had infected. The five malware identification methods clearly seem to be addressing different kinds of files, consistent with the results of [11] on a larger number of malware detection methods but fewer files. Taking as valid those clues occurring more than two standard deviations in the same direction on at least three of the five methods, the positive clues were files whose size had a natural logarithm of more than 15, files at the top level of the directory hierarchy, deleted files (not helpful because many were deleted by anti-malware software), files where the file extension category was incompatible with its type based on its header and other "magic numbers", files created at odd creation times for their directory, files with singleoccurrence hash values, files with unusual characters in their paths, executables, files related to hardware, temporary files, and files not in major categories.…”

Section: Testing Malware Cluessupporting

confidence: 77%

“…Thus it is valuable to have more specific criteria for when a file is worth checking. Although there has been much work on malware detection [3,9,11], it is almost entirely focused on analysis of file and packet contents, and methods that examine the smaller amount of metadata and hashes could be a useful first step.…”

Section: Finding Uninteresting Files In Malware Investigationsmentioning

confidence: 99%

Identifying forensically uninteresting files in a large corpus

Rowe¹

2016

ICST Transactions on Security and Safety

View full text Add to dashboard Cite

For digital forensics, eliminating the uninteresting is often more critical than finding the interesting. We discuss methods exploiting the metadata of a large corpus. Tests were done with an international corpus of 262.7 million files obtained from 4018 drives. For malware investigations, we show that using a Bayesian ranking formula on metadata can increase malware recall by 5.1 while increasing precision by 1.7 times over inspecting executables alone. For more general investigations, we show that requiring two of nine criteria for uninteresting files, with exceptions for some special interesting files, can exclude 77.4% of our corpus. For a test set that was manually inspected, interesting files identified as uninteresting were 0.18% and uninteresting files identified as interesting were 29.31%. The generality of the methods was confirmed by separately testing two halves of our corpus. This work provides both new uninteresting hash values and programs for finding more.

show abstract

“…The signature based detection is a widely used method in static analysis. According to this method, the binary executables are transformed to represent hashes which are matched with a database of known malware samples [ 13] [ 14] [15] [ 16] [ 17], but it shows following weaknesses. The signature method requires continuous updates of signature and high maintenance cost.…”

Section: Introductionmentioning

confidence: 99%

Android malicious code Classification using Deep Belief Network

Luo¹,

Tian²,

Long³

et al. 2018

KSII TIIS

View full text Add to dashboard Cite

This paper presents a novel Android malware classification model planned to classify and categorize Android malicious code at Drebin dataset. The amount of malicious mobile application targeting Android based smartphones has increased rapidly. In this paper, Restricted Boltzmann Machine and Deep Belief Network are used to classify malware into families of Android application. A texture-fingerprint based approach is proposed to extract or detect the feature of malware content. A malware has a unique "image texture" in feature spatial relations. The method uses information on texture image extracted from malicious or benign code, which are mapped to uncompressed gray-scale according to the texture image-based approach. By studying and extracting the implicit features of the API call from a large number of training samples, we get the original dynamic activity features sets. In order to improve the accuracy of classification algorithm on the features selection, on the basis of which, it combines the implicit features of the texture image and API call in malicious code, to train Restricted Boltzmann Machine and Back Propagation. In an evaluation with different malware and benign samples, the experimental results suggest that the usability of this method-using Deep Belief Network to classify Android malware by their texture images and API calls, it detects more than 94% of the malware with few false alarms. Which is higher than shallow machine learning algorithm clearly.

show abstract

Towards a Methodical Evaluation of Antivirus Scans and Labels

Cited by 18 publications

References 10 publications

Finding contextual clues to malware using a large corpus

Finding contextual clues to malware using a large corpus

Identifying forensically uninteresting files in a large corpus

Android malicious code Classification using Deep Belief Network

Contact Info

Product

Resources

About