Abstract
Embedded malware is a recently discovered security threat that allows malcode to be hidden inside a benign file. It has been shown that embedded malware is not detected by commercial antivirus software even when the malware signature is present in the antivirus database. In this paper, we present a novel anomaly detection scheme to detect embedded malware. We first analyze byte sequences in benign files to show that benign files’ data generally exhibit a 1-st order dependence structure. Consequently, conditional n-grams provide a more meaningful representation of a file’s statistical properties than traditional n-grams. To capture and leverage this correlation structure for embedded malware detection, we model the conditional distributions as Markov n -grams. For embedded malware detection, we use an information-theoretic measure, called entropy rate, to quantify changes in Markov n-gram distributions observed in a file. We show that the entropy rate of Markov n-grams gets significantly perturbed at malcode embedding locations, and therefore can act as a robust feature for embedded malware detection. We evaluate the proposed Markov n-gram detector on a comprehensive malware dataset consisting of more than 37,000 malware samples and 1,800 benign samples of six well-known filetypes. We show that the Markov n-gram detector provides better detection and false positive rates than the only existing embedded malware detection scheme.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Symantec Internet Security Threat Report XI: Trends for July – December 2007 (September 2007)
Stolfo, S.J., Wang, K., Li, W.J.: Towards Stealthy Malware Detection. Advances in Information Security, vol. 27, pp. 231–249. Springer, Heidelberg (2007)
Li, W.J., Stolfo, S.J., Stavrou, A., Androulaki, E., Keromytis, A.D.: A Study of Malcode-Bearing Documents. In: Hämmerli, B.M., Sommer, R. (eds.) DIMVA 2007. LNCS, vol. 4579. Springer, Heidelberg (2007)
Leyden, J.: Trojan exploits unpatchedWord vulnerability. The Register (May 2006)
Evers, J.: Zero-day attacks continue to hit Microsoft. News.com (September 2006)
Kierznowski, D.: Backdooring PDF Files (September 2006)
Damashek, M.: Gauging Similarity with n-Grams: Language-Independent Categorization of Text. Science 267, 842–848 (1995)
Friedl, S.: Steve Friedl’s Unixwiz.net Tech Tips: Analysis of the new ‘Code Red II’ Variant, http://www.unixwiz.net/techtips/CodeRedII.html
Lakhina, A., Crovella, M., Diot, C.: Mining anomalies using traffic feature distributions. ACM SIGCOMM (September 2005)
Cover, T.M., Thomas, J.A.: Elements of Information Theory. Wiley-Interscience, Chichester (1991)
VX Heavens Virus Collection, VX Heavens, http://vx.netlux.org/vl.php
McAfee Anti-virus and Internet security, McAfee, CA
Kaspersky Antivirus, Kaspersky Lab HQ, Moscow, Russia
AVG Anti-Virus and Internet Security, GRISOFT Inc., FL, USA
Huang, Y.: Vulnerabilities in Portable Executable (PE) File Format For Win32 Architecture, TR, Exurity Inc., Canada (2006)
Fawcett, T.: ROC Graphs: Notes and Practical Considerations for Researchers, TR, HP Labs, CA, USA (2003-2004)
Wagner, D., Soto, P.: Mimicry Attacks on Host-Based Intrusion Detection Systems. ACM CCS (November 2002)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Shafiq, M.Z., Khayam, S.A., Farooq, M. (2008). Embedded Malware Detection Using Markov n-Grams. In: Zamboni, D. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2008. Lecture Notes in Computer Science, vol 5137. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-70542-0_5
Download citation
DOI: https://doi.org/10.1007/978-3-540-70542-0_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-70541-3
Online ISBN: 978-3-540-70542-0
eBook Packages: Computer ScienceComputer Science (R0)