A Layered Detection Method for Malware Identification

  • Ting Liu
  • Xiaohong Guan
  • Yu Qu
  • Yanan Sun
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6985)


In recent years, millions of new malicious programs are produced by Pa mature industry of malware production. These programs have tremendous challenges on the signature-based anti-virus products and pose great threats on network and information security. Machine learning techniques are applicable for detecting unknown malicious programs without knowing their signatures. In this paper, a Layered Detection (LD) method is developed to detect malwares with a two-layer framework. The Low-Level-Classifiers (LLC) are employed to identify whether the programs perform any malicious functions according to the API-calls of the programs. The Up-level-Classifier (ULC) is applied to detect malwares according to the low level function identification. The LD method is compared with many classical classification algorithms with comprehensive test datasets containing 16135 malwares and 1800 benign programs. The experiments demonstrate that the LD method outperforms other algorithms in terms of detection accuracy.


Machine learning Network security Malware detection Malicious function identification 


  1. 1.
    Gostev, A.: Kaspersky Security Bulletin. In: Statistics 2008 (2009)Google Scholar
  2. 2.
    Lo, R., Kerchen, P., Crawford, R., Ho, W., Crossley, J., Fink, G., Levitt, K., Olsson, R., Archer, M.: Towards a testbed for malicious code detection. In: Compcon Spring 1991, Digest of Papers, pp. 160–166 (1991)Google Scholar
  3. 3.
    Wang, X., Yu, W., Champion, A., Fu, X., Xuan, D.: Detecting worms via mining dynamic program execution. In: Third International Conference on Security and Privacy in Communications Networks and the Workshops, SecureComm (2007)Google Scholar
  4. 4.
    Jiang, X., Wang, X., Xu, D.: Stealthy malware detection and monitoring through VMM-based "out-of-the-box" semantic view reconstruction. ACM Transactions on Information and System Security 13 (2010)Google Scholar
  5. 5.
    Wenke, L., Stolfo, S.J., Mok, K.W.: A data mining framework for building intrusion detection models.: Security and Privacy. In: Proceedings of the 1999 IEEE Symposium on Security and Privacy, pp. 120–132 (1999)Google Scholar
  6. 6.
    Berral, J.L., Poggi, N., Alonso, J., Gavald, R., Torres, J., Parashar, M.: Adaptive distributed mechanism against flooding network attacks based on machine learning. In: Proceedings of the 1st ACM Workshop on AISec, pp. 43–50. ACM, Alexandria (2008)CrossRefGoogle Scholar
  7. 7.
    Kloft, M., Brefeld, U., Pessel, D., Gehl, C., Laskov, P.: Automatic feature selection for anomaly detection. In: Proceedings of the 1st ACM Workshop on AISec, pp. 71–76. ACM, Alexandria (2008)CrossRefGoogle Scholar
  8. 8.
    Renchao, Q., Tao, L., Yu, Z.: An immune inspired model for obfuscated virus detection. In: 2009 International Conference on Industrial Mechatronics and Automation, ICIMA 2009, Chengdu, China, pp. 228–231 (2009)Google Scholar
  9. 9.
    Windows: Windows API Reference: Scholar
  10. 10.
    Landis, J.R., Koch, G.G.: The measurement of observer agreement for categorical data. Biometrics 33 (1977)Google Scholar
  11. 11.
    Holte, R.C.: Very simple classification rules perform well on most commonly used data-sets. Mach. Learn. 11, 63-91 (1993)Google Scholar
  12. 12.
    Moskovitch, R., Elovici, Y., Rokach, L.: Detection of unknown computer worms based on behavioral classification of the host. Computational Statistics and Data Analysis 52, 4544–4566 (2008)MathSciNetMATHCrossRefGoogle Scholar
  13. 13.
    Witten, I.H., Frank, E.: Data Mining: Practical Machine Learning Tools and Techniques, 2nd edn. Morgan Kaufmann, San Francisco (2005)Google Scholar
  14. 14.
    Duda, R.O., Hart, P.E., Stork, D.G.: Pattern Classification, 2nd edn. Wiley-Interscience, Hoboken (2000)Google Scholar
  15. 15.
    Gostev, A.: Rustock and All That (2008)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Ting Liu
    • 1
  • Xiaohong Guan
    • 1
  • Yu Qu
    • 1
  • Yanan Sun
    • 1
  1. 1.SKLMS Lab and MOE KLNNIS LabXi’an Jiaotong UniversityP.R. China

Personalised recommendations