Embedded Malware Detection Using Markov n-Grams

Shafiq, M. Zubair; Khayam, Syed Ali; Farooq, Muddassar

doi:10.1007/978-3-540-70542-0_5

M. Zubair Shafiq¹,
Syed Ali Khayam² &
Muddassar Farooq¹

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5137))

Included in the following conference series:

International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment

3092 Accesses
50 Citations
3 Altmetric

Abstract

Embedded malware is a recently discovered security threat that allows malcode to be hidden inside a benign file. It has been shown that embedded malware is not detected by commercial antivirus software even when the malware signature is present in the antivirus database. In this paper, we present a novel anomaly detection scheme to detect embedded malware. We first analyze byte sequences in benign files to show that benign files’ data generally exhibit a 1-st order dependence structure. Consequently, conditional n-grams provide a more meaningful representation of a file’s statistical properties than traditional n-grams. To capture and leverage this correlation structure for embedded malware detection, we model the conditional distributions as Markov n -grams. For embedded malware detection, we use an information-theoretic measure, called entropy rate, to quantify changes in Markov n-gram distributions observed in a file. We show that the entropy rate of Markov n-grams gets significantly perturbed at malcode embedding locations, and therefore can act as a robust feature for embedded malware detection. We evaluate the proposed Markov n-gram detector on a comprehensive malware dataset consisting of more than 37,000 malware samples and 1,800 benign samples of six well-known filetypes. We show that the Markov n-gram detector provides better detection and false positive rates than the only existing embedded malware detection scheme.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Symantec Internet Security Threat Report XI: Trends for July – December 2007 (September 2007)
Google Scholar
Stolfo, S.J., Wang, K., Li, W.J.: Towards Stealthy Malware Detection. Advances in Information Security, vol. 27, pp. 231–249. Springer, Heidelberg (2007)
Book Google Scholar
Li, W.J., Stolfo, S.J., Stavrou, A., Androulaki, E., Keromytis, A.D.: A Study of Malcode-Bearing Documents. In: Hämmerli, B.M., Sommer, R. (eds.) DIMVA 2007. LNCS, vol. 4579. Springer, Heidelberg (2007)
Chapter Google Scholar
Leyden, J.: Trojan exploits unpatchedWord vulnerability. The Register (May 2006)
Google Scholar
Evers, J.: Zero-day attacks continue to hit Microsoft. News.com (September 2006)
Google Scholar
Kierznowski, D.: Backdooring PDF Files (September 2006)
Google Scholar
Damashek, M.: Gauging Similarity with n-Grams: Language-Independent Categorization of Text. Science 267, 842–848 (1995)
Article Google Scholar
Friedl, S.: Steve Friedl’s Unixwiz.net Tech Tips: Analysis of the new ‘Code Red II’ Variant, http://www.unixwiz.net/techtips/CodeRedII.html
Lakhina, A., Crovella, M., Diot, C.: Mining anomalies using traffic feature distributions. ACM SIGCOMM (September 2005)
Google Scholar
Cover, T.M., Thomas, J.A.: Elements of Information Theory. Wiley-Interscience, Chichester (1991)
MATH Google Scholar
VX Heavens Virus Collection, VX Heavens, http://vx.netlux.org/vl.php
McAfee Anti-virus and Internet security, McAfee, CA
Google Scholar
Kaspersky Antivirus, Kaspersky Lab HQ, Moscow, Russia
Google Scholar
AVG Anti-Virus and Internet Security, GRISOFT Inc., FL, USA
Google Scholar
Huang, Y.: Vulnerabilities in Portable Executable (PE) File Format For Win32 Architecture, TR, Exurity Inc., Canada (2006)
Google Scholar
Fawcett, T.: ROC Graphs: Notes and Practical Considerations for Researchers, TR, HP Labs, CA, USA (2003-2004)
Google Scholar
Wagner, D., Soto, P.: Mimicry Attacks on Host-Based Intrusion Detection Systems. ACM CCS (November 2002)
Google Scholar

Download references

Author information

Authors and Affiliations

Next Generation Intelligent Networks Research Center (nexGINRC), National University of Computer & Emerging Sciences (NUCES), Islamabad, Pakistan
M. Zubair Shafiq & Muddassar Farooq
School of Electrical Engineering & Computer Science (SEECS), National University of Sciences & Technology (NUST), Rawalpindi, Pakistan
Syed Ali Khayam

Authors

M. Zubair Shafiq
View author publications
You can also search for this author in PubMed Google Scholar
Syed Ali Khayam
View author publications
You can also search for this author in PubMed Google Scholar
Muddassar Farooq
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Diego Zamboni

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Shafiq, M.Z., Khayam, S.A., Farooq, M. (2008). Embedded Malware Detection Using Markov n-Grams. In: Zamboni, D. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2008. Lecture Notes in Computer Science, vol 5137. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-70542-0_5

Download citation

DOI: https://doi.org/10.1007/978-3-540-70542-0_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-70541-3
Online ISBN: 978-3-540-70542-0
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics