Comparative Study of Two- and Multi-Class-Classification-Based Detection of Malicious Executables Using Soft Computing Techniques on Exhaustive Feature Set

Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 246)

Abstract

Detection of malware using soft computing methods has been explored extensively by malware researchers to enable fast and infallible detection of newly released malware. In this work, we present a comparative study of two- and multi-class-classification-based detection of malicious executables using soft computing techniques on an exhaustive feature set. During this study, a rigorous analysis of static features extracted from benign and malicious files was conducted. For this analysis, a generic framework was devised, which is presented in this paper. The Reference Data Set (RDS) from the National Software Reference Library (NSRL) was explored as a means of filtering out benign files during analysis. Finally, through well-corroborated experiments, it is shown that AdaBoost, when combined with algorithms such as C4.5 and random forest in two-class classification, outperforms many other soft-computing-based techniques.
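The framework the abstract describes has two front-end stages before any classifier runs: filter out known-good files by looking them up in the NSRL RDS, then extract static features from the executables that remain. The script below is an added example, not code from the paper or its authors. It assumes the legacy RDS NSRLFile.txt column layout (SHA-1, MD5, CRC32, FileName, FileSize, ProductCode, OpSystemCode, SpecialCode), and both the RDS excerpt and the PE images it parses are constructed inline, so none of the hashes are real NSRL entries.

```python
"""Added example (not the paper's code): the front-end stages of a static
detection framework like the one the abstract describes. Known-good files are
dropped by SHA-1 lookup against an NSRL RDS style list (legacy NSRLFile.txt
column layout assumed); static PE-header features are extracted from the rest.
All inputs are constructed inline, so the hashes are not real NSRL entries."""
import csv
import hashlib
import io
import struct
import zlib

PE32_MAGIC = 0x10B
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".bss", ".idata", ".edata"}
# Assumed legacy RDS column layout (NSRLFile.txt).
RDS_HEADER = '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'

def rds_line(name, data):
    """One constructed RDS-style record for a known-good file."""
    return '"{}","{}","{:08X}","{}",{},0,"",""\n'.format(
        hashlib.sha1(data).hexdigest().upper(), hashlib.md5(data).hexdigest().upper(),
        zlib.crc32(data) & 0xFFFFFFFF, name, len(data))

def load_rds_sha1_set(rds_text):
    """Parse RDS-style CSV text into a set of lowercase SHA-1 hex digests."""
    return {row["SHA-1"].lower() for row in csv.DictReader(io.StringIO(rds_text))}

def build_pe(sections, timestamp=0x5A000000, characteristics=0x0102, entry=0x1000):
    """Construct a minimal PE32 image: DOS header, PE signature, COFF header,
    96-byte optional header and a section table. sections = [(name, flags)]."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 96, characteristics)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry)                      # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

def extract_pe_features(data):
    """Static header features; raises ValueError on malformed input so a
    non-PE sample is reported rather than silently yielding zeros."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 20 or opt_off + opt_size > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    sec_off = opt_off + opt_size
    if sec_off + 40 * nsec > len(data):
        raise ValueError("section table truncated")
    names, wx = [], 0
    for i in range(nsec):
        name, *_, flags = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        names.append(name.rstrip(b"\0").decode("latin-1"))
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            wx += 1                                             # writable + executable
    return {"num_sections": nsec, "timestamp": ts, "entry_point": entry,
            "is_dll": bool(chars & IMAGE_FILE_DLL), "pe32_magic_ok": magic == PE32_MAGIC,
            "nonstandard_section_names": sum(n not in STANDARD_SECTIONS for n in names),
            "wx_sections": wx}

def is_pe(data):
    try:                                # True when the header parser accepts the input
        extract_pe_features(data)
        return True
    except ValueError:
        return False

def triage(samples, rds_text):
    """Skip samples whose SHA-1 appears in the RDS allowlist; return
    (skipped_names, {name: feature_dict}) for everything else."""
    known_good = load_rds_sha1_set(rds_text)
    skipped, features = [], {}
    for name, data in samples.items():
        if hashlib.sha1(data).hexdigest() in known_good:
            skipped.append(name)
            continue
        features[name] = extract_pe_features(data)
    return skipped, features

# Constructed samples: a conventional layout, and one with a packer-style
# writable+executable section under a non-standard name.
KNOWN_GOOD = build_pe([(".text", 0x60000020), (".data", 0xC0000040), (".rsrc", 0x40000040)])
UNKNOWN = build_pe([(".text", 0x60000020), ("UPX1", 0xE0000040), (".rsrc", 0x40000040)],
                   timestamp=0x4F000000)
SAMPLES = {"known_good.exe": KNOWN_GOOD, "unknown.exe": UNKNOWN}
RDS_TEXT = RDS_HEADER + rds_line("known_good.exe", KNOWN_GOOD)
```

Calling `triage(SAMPLES, RDS_TEXT)` drops the sample whose SHA-1 matches the RDS record and returns a feature dictionary for the other one (section count, timestamp, entry point, DLL flag, number of non-standard section names, number of writable-and-executable sections). Those dictionaries are the kind of per-file feature vectors that would then be fed to the two-class learners the abstract compares (AdaBoost over C4.5 or random forest); that classification stage is not part of this example. The parser deliberately rejects malformed input instead of emitting zeros, since a feature vector of zeros for a truncated or non-PE file would otherwise look like a legitimate sample to the classifier.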

Keywords

Malware; Portable executable features; Static analysis; NSRL; Classification

Copyright information

© Springer India 2014

Authors and Affiliations

PSG College of Technology, Coimbatore, India