
PE-Miner: Mining Structural Information to Detect Malicious Executables in Realtime

  • Conference paper, Recent Advances in Intrusion Detection (RAID 2009)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5758)

Abstract

In this paper, we present an accurate and realtime PE-Miner framework that automatically extracts distinguishing features from portable executables (PE) to detect zero-day (i.e. previously unknown) malware. The distinguishing features are extracted using the structural information standardized by the Microsoft Windows operating system for executables, DLLs and object files. We follow a threefold research methodology: (1) identify a set of structural features for PE files which is computable in realtime, (2) use an efficient preprocessor for removing redundancy in the feature set, and (3) select an efficient data mining algorithm for final classification between benign and malicious executables.

We have evaluated PE-Miner on two malware collections, the VX Heavens and Malfease datasets, which contain about 11,000 and 5,000 malicious PE files respectively. The results of our experiments show that PE-Miner achieves more than 99% detection rate with less than 0.5% false alarm rate for distinguishing between benign and malicious executables. PE-Miner has low processing overheads and takes only 0.244 seconds on average to scan a given PE file. Finally, we evaluate the robustness and reliability of PE-Miner under several regression tests. Our results show that the extracted features are robust to different packing techniques and that PE-Miner is also resilient to the majority of crafty evasion strategies.
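To make step (1) of the methodology concrete, here is an added Python example (not the authors' PE-Miner code) that walks a PE image's DOS header, COFF header, optional header and section table and emits the kind of structural feature vector a classifier could consume; the feature selection is this example's own, not the paper's exact set, the function names `pe_structural_features` and `build_sample_pe` are hypothetical, and the image it parses is constructed inline and is not a real program.

```python
import math
import struct
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_structural_features(image: bytes) -> dict:
    """Walk DOS header -> COFF header -> optional header -> section table (PE32 and PE32+) and return a flat feature dict; raises ValueError on a malformed image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]                        # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, pe + 4)
    opt = pe + 24                                                         # optional header start
    magic = struct.unpack_from("<H", image, opt)[0]                       # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", image, opt + 16)[0]                  # AddressOfEntryPoint (RVA)
    subsystem, dll_chars = struct.unpack_from("<HH", image, opt + 68)     # same offset in both formats
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, raw, *_, schars = struct.unpack_from("<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize, "raw_size": rsize,
            "entropy": round(entropy(image[raw:raw + rsize]), 3),        # packed/encrypted data reads high
            "executable": bool(schars & 0x20000000), "writable": bool(schars & 0x80000000),
            "contains_entry": va <= entry < va + max(vsize, rsize),
        })
    return {
        "machine": machine, "num_sections": nsec, "timestamp": ts, "pe32plus": magic == 0x20B,
        "coff_characteristics": chars, "entry_point": entry, "subsystem": subsystem,
        "dll_characteristics": dll_chars, "sections": sections,
        "entry_in_exec_section": any(s["executable"] and s["contains_entry"] for s in sections),
    }

def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image (hypothetical sample, not a real program)."""
    opt = struct.pack("<H", 0x10B).ljust(16, b"\0") + struct.pack("<I", 0x1000)   # magic, entry point
    opt = opt.ljust(68, b"\0") + struct.pack("<HH", 2, 0x8140)                    # GUI subsystem, DllCharacteristics
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"               # DOS stub, e_lfanew=0x40
    hdr += struct.pack("<HHIIIHH", 0x14C, 2, 0x4A0B1E00, 0, 0, 224, 0x0102) + opt.ljust(224, b"\0") + secs
    body = bytes(range(256)) * 2 + b"A" * 0x200                                  # .text max entropy, .data zero
    return hdr.ljust(0x200, b"\0") + body
```

Running `pe_structural_features(build_sample_pe())` yields two sections, an entry point inside the executable `.text` section, and section entropies of 8.0 and 0.0, which illustrates why per-section entropy separates packed from plain code.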

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

Cite this paper

Shafiq, M.Z., Tabish, S.M., Mirza, F., Farooq, M. (2009). PE-Miner: Mining Structural Information to Detect Malicious Executables in Realtime. In: Kirda, E., Jha, S., Balzarotti, D. (eds) Recent Advances in Intrusion Detection. RAID 2009. Lecture Notes in Computer Science, vol 5758. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04342-0_7

  • DOI: https://doi.org/10.1007/978-3-642-04342-0_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-04341-3

  • Online ISBN: 978-3-642-04342-0
