Using opcode sequences in single-class learning to detect unknown malware

Santos, Igor; Brezo, Félix; Urquijo, Borja Sanz; Laorden, Carlos; Bringas, Pablo García

doi:10.1049/iet-ifs.2010.0180

Cited by 50 publications

(19 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Several measures have been proposed in the literature for evaluating the predictive accuracy of machine learning based classifiers. These efficiency measures have been utilized in previous machine learning work [22], [28], [29], for example. In the context of our problem, the relevant measures utilized in our experiments are given below.…”

Section: Evaluation Measuresmentioning

confidence: 99%

Analysis of Bayesian classification‐based approaches for Android malware detection

Yerima¹,

Sezer²,

McWilliams³

2014

IET Information Security

141

View full text Add to dashboard Cite

Mobile malware has been growing in scale and complexity spurred by the unabated uptake of smartphones worldwide. Android is fast becoming the most popular mobile platform resulting in sharp increase in malware targeting the platform. Additionally, Android malware is evolving rapidly to evade detection by traditional signature-based scanning. Despite current detection measures in place, timely discovery of new malware is still a critical issue. This calls for novel approaches to mitigate the growing threat of zero-day Android malware. Hence, in this paper we develop and analyze proactive Machine Learning approaches based on Bayesian classification aimed at uncovering unknown Android malware via static analysis. The study, which is based on a large malware sample set of majority of the existing families, demonstrates detection capabilities with high accuracy. Empirical results and comparative analysis are presented offering useful insight towards development of effective static-analytic Bayesian classification based solutions for detecting unknown Android malware.

show abstract

Section: Evaluation Measuresmentioning

confidence: 99%

Analysis of Bayesian classification‐based approaches for Android malware detection

Yerima¹,

Sezer²,

McWilliams³

2014

IET Information Security

141

View full text Add to dashboard Cite

show abstract

“…Many malware detection methods analyze n-grams generated from the data, where an n-gram is defined as a sequential set of n commands. [17] analyzes opcode sequence 2 g (known as bigrams) and applies SVM to detect malware based on bigram frequencies. Ref.…”

Section: Literature Overviewmentioning

confidence: 99%

APT malware static trace analysis through bigrams and graph edit distance

Bolton

Anderson‐Cook

2017

Statistical Analysis

View full text Add to dashboard Cite

Research and business organizations are vulnerable to attack by malware, particularly advanced persistent threat malware tailored for a specific target. Malware identification is made more difficult because samples can be subtly altered to avoid detection by methods that check for an identical match to known code. Different versions of an original piece of malware form a malware family. When new malicious software is identified, reverse engineers seek to identify its origin and purpose. Knowing whether new malware is from a known family or a previously unobserved family aids the efficiency of reverse engineers. This article presents a three‐stage method to classify new malware into a family by comparing its similarity to existing static traces, and assigning it to the most similar family. First, a fast filtering method creates a shortlist of samples with some similarity to the new malware, using a simple bigram comparison of the instructions. The second stage takes the call graph view of the shortlisted static traces and uses simulated annealing to estimate the graph edit distance, a measure of dissimilarity between graphs. Finally, a random forest classifier combines the previous two results to predict the family to which a new sample belongs. The paper also considers how to detect when malware is from a new family.

show abstract

“…The authors show that their results are more satisfying than the ones got by commercial antivirus software. Concerning the search and analysis of opcodes (from operation code, a portion of a machine language instruction that specifies the operation to be performed), we can mention the literature . In the work of O'Kane, it is aimed at individuating a subset of opcodes suitable for malware detection through SVM.…”

Section: State Of the Artmentioning

confidence: 99%

“…Using opcode sequences typically needs to label a large amount of both malicious and benign code. Santos et al propose a method that uses single‐class learning to detect unknown malware families. Specific results vary if labeling is performed through malicious or benign software but in general: labeling 60 % of the legitimate software assures about 85 % accuracy.…”

Section: State Of the Artmentioning

confidence: 99%

“…Using opcode sequences typically needs to label a large amount of both malicious and benign code. Santos et al 28 Concerning the systems that use anomaly detection (or also hybrid statistical analysis/MD): Aydin et al 32 propose a hybrid IDS combining packet header anomaly detection and network traffic anomaly detection. The combined action seems to work even if it is difficult to detect precise percentages from the reported results.…”

Section: False Negative (Fn)mentioning

confidence: 99%

See 1 more Smart Citation

Statistical fingerprint‐based intrusion detection system (SF‐IDS)

Boero

Cello

Marchese

et al. 2016

Int J Communication

View full text Add to dashboard Cite

Summary Intrusion detection systems (IDS) are systems aimed at analyzing and detecting security problems. The IDS may be structured into misuse and anomaly detection. The former are often signature/rule IDS that detect malicious software by inspecting the content of packets or files looking for a “signature” labeling malware. They are often very efficient, but their drawback stands in the weakness of the information to check (eg, the signature), which may be quickly dated, and in the computation time because each packet or file needs to be inspected. The IDS based on anomaly detection and, in particular, on statistical analysis have been originated to bypass the mentioned problems. Instead of inspecting packets, each traffic flow is observed so getting a statistical characterization, which represents the fingerprint of the flow. This paper introduces a statistical analysis based intrusion detection system, which, after extracting the statistical fingerprint, uses machine learning classifiers to decide whether a flow is affected by malware or not. A large set of tests is presented. The obtained results allow selecting the best classifiers and show the performance of a decision maker that exploits the decisions of a bank of classifiers acting in parallel.

show abstract

Using opcode sequences in single-class learning to detect unknown malware

Cited by 50 publications

References 32 publications

Analysis of Bayesian classification‐based approaches for Android malware detection

Analysis of Bayesian classification‐based approaches for Android malware detection

APT malware static trace analysis through bigrams and graph edit distance

Statistical fingerprint‐based intrusion detection system (SF‐IDS)

Contact Info

Product

Resources

About