Support vector machines and malware detection

  • Tanuvir Singh
  • Fabio Di Troia
  • Visaggio Aaron Corrado
  • Thomas H. Austin
  • Mark Stamp
Original Paper

Abstract

In this research, we test three advanced malware scoring techniques that have shown promise in previous research, namely, Hidden Markov Models, Simple Substitution Distance, and Opcode Graph-based detection. We then perform a careful robustness analysis by employing morphing strategies that cause each score to fail. We show that combining scores using a Support Vector Machine yields results that are significantly more robust than those obtained using any of the individual scores.

Copyright information

© Springer-Verlag France 2015

Authors and Affiliations

  • Tanuvir Singh (1)
  • Fabio Di Troia (2)
  • Visaggio Aaron Corrado (2)
  • Thomas H. Austin (1)
  • Mark Stamp (1)
  1. Department of Computer Science, San Jose State University, San Jose, USA
  2. Department of Engineering, Università degli Studi del Sannio, Benevento, Italy