nach oben

Journal of Computer Virology and Hacking Techniques

Erschienen in:

29.12.2015 | Original Paper

A comparison of static, dynamic, and hybrid analysis for malware detection

verfasst von: Anusha Damodaran, Fabio Di Troia, Corrado Aaron Visaggio, Thomas H. Austin, Mark Stamp

Erschienen in: Journal of Computer Virology and Hacking Techniques | Ausgabe 1/2017

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

In this research, we compare malware detection techniques based on static, dynamic, and hybrid analysis. Specifically, we train Hidden Markov Models (HMMs) on both static and dynamic feature sets and compare the resulting detection rates over a substantial number of malware families. We also consider hybrid cases, where dynamic analysis is used in the training phase, with static techniques used in the detection phase, and vice versa. In our experiments, a fully dynamic approach generally yields the best detection rates. We discuss the implications of this research for malware detection based on hybrid techniques.

Nächster Artikel Plaintext side channels in TLS Chiphertex

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

For example, if one curve dominates another in ROC space, it also dominates in PR space, and vice versa.

Ahmed, F. et al: Using spatio-temporal information in API calls with machine learning algorithms for malware detection, ACM Workshop on Security and Artificial Intelligence (2009)

Anderson, B., et al.: Graph-based malware detection using dynamic analysis. J. Comput. Virol. 7(4), 247–258 (2011)CrossRef

Annachhatre, C., Austin, T.H., Stamp, M.: Hidden Markov models for malware classification. J. Comput. Virol. Hack. Tech. 11(2), 59–73 (2014)CrossRef

Attaluri, S., McGhee, S., Stamp, M.: Profile Hidden Markov Models and metamorphic virus detection. J. Comput. Virol. 5(2), 151–169 (2009)CrossRef

Aycock, J.: Computer Viruses and Malware. Springer-Verlag, New York (2006)

Baysa, D., Low, R.M., Stamp, M.: Structural entropy and metamorphic malware. J. Comput. Virol. Hack. Tech. 9(4), 179–192 (2013)CrossRef

Borello, J., Me, L.: Code obfuscation techniques for metamorphic viruses. J. Comput. Virol. 4(3), 211–220 (2008)CrossRef

Bradley, A.P.: The use of the area under the ROC curve in the evaluation of machine learning algorithms. J. Pattern Recogn. 30(7), 1145–1159 (1997)CrossRef

Buster Sandbox Analyser. http://bsa.isoftware.nl/. Accessed 20 Dec 2015

10.

Choi, Y.H. et al.: Toward extracting malware features for classification using static and dynamic analysis. Computing and Networking Technology (ICCNT), Gueongju, South Korea, pp. 126–129

11.

Christodorescu,M., Jha, S.: Static analysis of executables to detect malicious patterns. In: Proceeding of USENIX Security Symposium. Bellevue, WA, pp. 169–186. http://www.cs.cornell.edu/courses/cs711/2005fa/papers/cj-usenix03.pdf

12.

Dai, J., Guha, R., Lee, J.: Efficient virus detection using dynamic instruction sequences. J. Comput. 4(5), 405–414 (2009)CrossRef

13.

Damodaran, A.: Combining dynamic and static analysis for malware detection, Master’s report, Department of Computer Science, San Jose State University, 2015. http://scholarworks.sjsu.edu/etd_projects/391/

14.

Davis, J., Goadrich, M.: The relationship between precision-recall and ROC curves, http://www.autonlab.org/icml_documents/camera-ready/030_The_Relationship_Bet.pdf

15.

Deshpande, P.: Metamorphic detection using function call graph analysis, Master’s report, Department of Computer Science, San Jose State University, 2013, http://scholarworks.sjsu.edu/etd_projects/336/

16.

Deshpande, S., Park, Y., Stamp, M.: Eigenvalue analysis for metamorphic detection. J. Comput. Virol. Hack. Techn. 10(1), 53–65 (2014)CrossRef

17.

Dinaburg, A., Royal, P., Sharif, M. and Lee, W.: Ether: Malware analysis via hardware virtualization extensions, CCS 08, October 27–31, 2008, Alexandria, Virginia. http://ether.gtisc.gatech.edu/ether_ccs_2008.pdf

18.

Egele, M., Scholte, T., Kirda, E. and Kruegel, C.: A survey on automated dynamic malware analysis techniques and tools. J. ACM Comput. Surv. 44(2):Article 6, (2012)

19.

Eskandari, M., Hashemi, S.: A graph mining approach for detecting unknown malwares. J. Vis. Lang. Comput. 23(3), 154–162 (2012)CrossRef

20.

Eskandari, M., Khorshidpour, Z., Hashemi, S.: HDM-Analyser: A hybrid analysis approach based on data mining techniques for malware detection. J. Comput. Virol. Hack. Techn. 9(2), 77–93 (2013)CrossRef

21.

Eskandari, M., Khorshidpur, Z. and Hashemi, S.: To incorporate sequential dynamic features in malware detection engines, Intelligence and Security Informatics Conference (EISIC), pp. 46–52 (2012)

22.

Fawcett. T.: An introduction to ROC analysis. http://people.inf.elte.hu/kiss/13dwhdm/roc.pdf

23.

Ghahramani, Z.: An introduction to hidden Markov models and Bayesian networks. Int. J. Pattern Recognit. Artif. Intell. 15(1), 9–42 (2001)CrossRef

24.

Harebot.: http://www.pandasecurity.com/homeusers/security-info/220319/Harebot.M

25.

Jacob, G., Debar, H., Filiol, E.: Behavioral detection of malware: From a survey towards an established taxonomy. J. Comput. Virol. 4(3), 251–266 (2008)CrossRef

26.

Jidigam, R.K., Austin, T.H., Stamp, M.: Singular value decomposition and metamorphic detection. J. Comput. Virol. Hack. Techn 11(4), 203–216 (2015)CrossRef

27.

Kolbitsch, C. et al.: Effective and efficient malware detection at the end host. In: Proceedings of the 18th conference on USENIX security symposium, pp. 351–366. Montreal Canada. https://www.usenix.org/legacy/event/sec09/tech/full_papers/kolbitsch.pdf

28.

Lee, J., Austin, T.H., Stamp, M.: Compression-based analysis of metamorphic malware. Int. J. Secur. Netw 10(2), 124–136 (2015)CrossRef

29.

Nappa, A., Rafique, M.Z. and Caballero, J.: Driving in the cloud: An analysis of drive-by download operations and abuse reporting, Proceedings of the 10th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Berlin, Germany, July (2013)

30.

Park, Y., Reeves, D., Mulukutla, V. and Sundaravel, B.: Fast malware classification by automated behavioral graph matching. In: Proceedings of the 6th Annual Workshop on Cyber Security and Information Intelligence Research (2010)

31.

Park, Y., Reeves, D. and Stamp, M.: Deriving common malware behavior through graph clustering. Comput. Secur. 39(B):419–430 (2013)

32.

Qiao, Y., He, J., Yang, Y., Ji, L.: Analyzing malware by abstracting the frequent itemsets in API call sequences, pp. 265–270. Trust, Security and Privacy in Computing and Communications (TrustCom) (2013)

33.

Rhee, J., Riley, R., Xu, D., Jiang, X.: Kernel malware analysis with un-tampered and temporal views of dynamic kernel memory. Recent Adv. Intrusion Detect. Lect. Notes Comput. Sci. 6307, 178–197 (2010)

34.

Rabiner, L.R.: A tutorial on Hidden Markov Models and selected applications in speech recognition. Proc IEEE 77(2):257–286 (1989). http://www.cs.ubc.ca/~murphyk/Bayes/rabiner.pdf

35.

Runwal, N., Low, R.M., Stamp, M.: Opcode graph similarity and metamorphic detection. J. Comput. Virol. 8(1–2), 37–52 (2012)CrossRef

36.

SandBoxie. http://sandboxie.com/

37.

Security Shield. http://www.symantec.com/security_response/glossary/define.jsp?letter=s&word=security-shield

38.

Shankarapani, M.K., Ramamoorthy, S., Movva, R.S., Mukkamala, S.: Malware detection using assembly and API call sequences. J. Comput. Virol. 2(7), 107–119 (2011)CrossRef

39.

Shanmugam, G., Low, R.M., Stamp, M.: Simple substitution distance and metamorphic detection. J. Comput. Virol. Hack. Techn. 9(3), 159–170 (2013)CrossRef

40.

Singh, T.: Support Vector Machines and metamorphic malware detection, Master’s report, Department of Computer Science, San Jose State University (2015). http://scholarworks.sjsu.edu/etd_projects/409/

41.

Smart HDD. http://support.kaspersky.com/viruses/rogue?qid=208286454

42.

Sorokin, I.: Comparing files using structural entropy. J. Comput. Virol. 7(4), 259–265 (2011)MathSciNetCrossRef

43.

Stamp, M.: A revealing introduction to hidden Markov models (2012). http://www.cs.sjsu.edu/~stamp/RUA/HMM.pdf

44.

Symantec White Paper, Internet Security Report, vol 20, (2015). http://www.symantec.com/security_response/publications/threatreport.jsp

45.

Toderici, A.H., Stamp, M.: Chi-squared distance and metamorphic virus detection. J. Comput. Virol. Hack. Techn. 9(1), 1–14 (2013)CrossRef

46.

Trojan.Zbot. http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99

47.

Trojan.ZeroAccess. http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99

48.

Win32/Winwebsec. http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fWinwebsec

49.

Wong, W., Stamp, M.: Hunting for metamorphic engines. J. Comput. Virol. 2(3), 211–229 (2006)CrossRef

50.

Ye, Y., Wang, D., Li, T., Ye, D., Jiang, Q.: An intelligent PE-malware detection system based on association mining. J. Comput. Virol. 4(4), 323–334 (2008)CrossRef

Titel: A comparison of static, dynamic, and hybrid analysis for malware detection
verfasst von: Anusha Damodaran
Fabio Di Troia
Corrado Aaron Visaggio
Thomas H. Austin
Mark Stamp
Publikationsdatum: 29.12.2015
Verlag: Springer Paris
Erschienen in: Journal of Computer Virology and Hacking Techniques / Ausgabe 1/2017
Elektronische ISSN: 2263-8733
DOI: https://doi.org/10.1007/s11416-015-0261-z

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner