Abstract
The number of malicious applications that appear every day has grown beyond the reach of manual analysis. In the attempt to spread beyond personal computers, malware authors use new platforms like Android, iOS and .NET. The latter has the advantage of being present both on desktop computers running Windows Vista or later and on Windows Phone devices. Previous studies in the malware classification field have used the concept of OpCode \(n\)-grams: sequences of consecutive operation codes that can be extracted from any type of application. In this paper we show an improvement to this method, by eliminating some of the OpCodes, in order to obtain better classification results. The OpCode selection is performed by two bio-inspired algorithms. First, we designed a fitness function that measures how well a given OpCode subset detects clusters of methods. Then, we encoded a candidate subset as a chromosome in a Genetic Algorithm and as a particle in Particle Swarm Optimization. Both methods found good OpCode subsets that successfully detected the clusters in the cross-validation tests. The results presented in this paper show that biology can be a source of inspiration not only for computer viruses but also for new methods to combat them.
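The pipeline the abstract describes, in miniature, as an added example that is not code from the paper: OpCode bigrams are extracted from constructed CIL method sequences, a chromosome is a keep/eliminate bitmask over the OpCode alphabet, and a genetic algorithm searches for the subset that best separates two clusters of methods. The sample methods, the cluster labels and the cluster-separation fitness are assumptions made here; the paper's own fitness function and data set are not reproduced.

```python
import random
# Constructed sample (not from the paper): each method is a list of CIL opcode mnemonics
# plus a cluster label; 'nop' and 'br.s' are inserted as noise that varies between methods.
OPCODES = ["nop", "ldarg.0", "ldarg.1", "ldc.i4", "add", "mul", "stloc.0",
           "ldloc.0", "br.s", "call", "ret"]
SAMPLE = [
    (["ldarg.0", "ldarg.1", "add", "nop", "stloc.0", "ldloc.0", "ret"], 0),
    (["ldarg.0", "nop", "ldarg.1", "add", "stloc.0", "br.s", "ldloc.0", "ret"], 0),
    (["ldarg.0", "ldarg.1", "add", "stloc.0", "nop", "nop", "ldloc.0", "ret"], 0),
    (["ldarg.0", "ldc.i4", "mul", "nop", "call", "ret"], 1),
    (["ldarg.0", "nop", "ldc.i4", "mul", "call", "br.s", "ret"], 1),
    (["ldarg.0", "ldc.i4", "mul", "call", "nop", "nop", "ret"], 1),
]

def ngrams(method, mask, n=2):
    """OpCode n-grams of a method after eliminating opcodes whose mask bit is 0."""
    kept = [op for op in method if mask[OPCODES.index(op)]]
    return {tuple(kept[i:i + n]) for i in range(len(kept) - n + 1)}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def fitness(mask):
    """Assumed fitness (the paper's own is not reproduced here): mean over methods
    of similarity to same-cluster methods minus similarity to other clusters."""
    feats = [(ngrams(m, mask), c) for m, c in SAMPLE]
    score = 0.0
    for i, (fi, ci) in enumerate(feats):
        same = [jaccard(fi, fj) for j, (fj, cj) in enumerate(feats) if j != i and cj == ci]
        other = [jaccard(fi, fj) for fj, cj in feats if cj != ci]
        score += sum(same) / len(same) - sum(other) / len(other)
    return score / len(feats)

def genetic_select(generations=40, pop_size=20, seed=1):
    """Chromosome = bitmask over OPCODES: 1 keeps the opcode, 0 eliminates it."""
    rng = random.Random(seed)
    pop = [[1] * len(OPCODES)]  # seed with "keep everything", the plain n-gram baseline
    pop += [[rng.randint(0, 1) for _ in OPCODES] for _ in range(pop_size - 1)]
    for _ in range(generations):
        pop.sort(key=fitness, reverse=True)
        nxt = pop[:2]  # elitism: the two fittest survive unchanged
        while len(nxt) < pop_size:
            p1, p2 = rng.sample(pop[:pop_size // 2], 2)  # parents from the fitter half
            child = [rng.choice(g) for g in zip(p1, p2)]  # uniform crossover
            if rng.random() < 0.2:  # bit-flip mutation
                k = rng.randrange(len(child))
                child[k] ^= 1
            nxt.append(child)
        pop = nxt
    return max(pop, key=fitness)
```

On this constructed data the optimum eliminates the noise opcodes `nop` and `br.s`, which makes every method identical to the others in its cluster and disjoint from the other cluster, so the fitness reaches its maximum of 1.0.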
Oprişa, C., Cabău, G. & Coleşa, A. Automatic code features extraction using bio-inspired algorithms. J Comput Virol Hack Tech 10, 165–176 (2014). https://doi.org/10.1007/s11416-013-0191-6
DOI: https://doi.org/10.1007/s11416-013-0191-6