Malware Detection Using Dynamic Birthmarks

ABSTRACT
In this paper, we compare the effectiveness of Hidden Markov Models (HMMs) with that of Profile Hidden Markov Models (PHMMs) for malware detection, where both are trained on sequences of API calls collected by dynamic analysis. We compare these results to static analysis using HMMs trained on sequences of opcodes, and show that dynamic analysis achieves significantly stronger results in many cases. Furthermore, in comparing our two dynamic analysis approaches, we find that the PHMM-based technique consistently outperforms the HMM-based one.
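The HMM half of that comparison, as an added example rather than code from the paper: a discrete HMM is trained with Baum-Welch on API-call traces, and each new trace is scored by log P(O | lambda) / T from the scaled forward pass, so a trace that follows the family's call pattern scores higher than one that does not. The API names, the traces, the two-state model, the probability floor and the `<unk>` symbol for calls absent from training are all assumptions made for this illustration; nothing here reproduces the paper's dataset, models or numbers.

```python
# Added illustration, not the paper's code: discrete HMM over API-call traces,
# Baum-Welch training plus scaled forward scoring.  Traces and names are constructed.
import math
import random

UNK = "<unk>"   # reserved symbol for API calls never seen in training (assumption)
FLOOR = 1e-9    # probability floor so an unseen call never yields log(0) (assumption)


class ApiCallHMM:
    """lambda = (pi, A, B): N hidden states over a vocabulary of API-call names."""

    def __init__(self, n_states, vocab, seed=1):
        self.N = n_states
        self.vocab = list(vocab) + [UNK]
        self.index = {s: i for i, s in enumerate(self.vocab)}
        rng = random.Random(seed)

        def jitter(n):  # near-uniform start; an exactly uniform model is a fixed point of EM
            return self._norm([1.0 + 0.1 * rng.random() for _ in range(n)])

        self.pi = jitter(self.N)
        self.A = [jitter(self.N) for _ in range(self.N)]
        self.B = [jitter(len(self.vocab)) for _ in range(self.N)]

    @staticmethod
    def _norm(row):
        total = sum(row)
        return [x / total for x in row]

    def encode(self, seq):
        return [self.index.get(s, self.index[UNK]) for s in seq]

    def _forward(self, obs):
        """Scaled forward pass: c[t] = 1 / sum_i alpha_t(i), so long traces do not underflow."""
        N, alpha, c = self.N, [], []
        row = [self.pi[i] * self.B[i][obs[0]] for i in range(N)]
        for t, o in enumerate(obs):
            if t > 0:
                row = [sum(alpha[-1][j] * self.A[j][i] for j in range(N)) * self.B[i][o]
                       for i in range(N)]
            c.append(1.0 / sum(row))
            alpha.append([x * c[-1] for x in row])
        return alpha, c

    def _backward(self, obs, c):
        N, T = self.N, len(obs)
        beta = [[0.0] * N for _ in range(T)]
        beta[T - 1] = [c[T - 1]] * N
        for t in range(T - 2, -1, -1):
            for i in range(N):
                beta[t][i] = c[t] * sum(self.A[i][j] * self.B[j][obs[t + 1]] * beta[t + 1][j]
                                        for j in range(N))
        return beta

    def log_prob_per_obs(self, seq):
        """log P(O | lambda) / T: the per-symbol score used to rank traces."""
        obs = self.encode(seq)
        _, c = self._forward(obs)
        return -sum(math.log(x) for x in c) / len(obs)

    def train(self, sequences, iters=40):
        """Baum-Welch re-estimation, accumulating expected counts over all training traces."""
        N, M = self.N, len(self.vocab)
        encoded = [self.encode(s) for s in sequences]
        for _ in range(iters):
            pi_num, a_den, b_den = [0.0] * N, [0.0] * N, [0.0] * N
            a_num = [[0.0] * N for _ in range(N)]
            b_num = [[0.0] * M for _ in range(N)]
            for obs in encoded:
                alpha, c = self._forward(obs)
                beta = self._backward(obs, c)
                for t in range(len(obs)):
                    for i in range(N):
                        gamma = alpha[t][i] * beta[t][i] / c[t]   # P(x_t = i | O)
                        b_num[i][obs[t]] += gamma
                        b_den[i] += gamma
                        if t == 0:
                            pi_num[i] += gamma
                        if t < len(obs) - 1:
                            a_den[i] += gamma
                            for j in range(N):   # xi_t(i, j) = P(x_t = i, x_{t+1} = j | O)
                                a_num[i][j] += (alpha[t][i] * self.A[i][j]
                                                * self.B[j][obs[t + 1]] * beta[t + 1][j])
            self.pi = self._norm(pi_num)
            self.A = [self._norm([max(a_num[i][j] / a_den[i], FLOOR) for j in range(N)]) for i in range(N)]
            self.B = [self._norm([max(b_num[i][k] / b_den[i], FLOOR) for k in range(M)]) for i in range(N)]


# Constructed traces, not real sandbox output: a process-injection pattern stands in for
# the malware family and ordinary file I/O for the benign program.
INJECT = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "CloseHandle"]
FAMILY_TRAIN = [INJECT * 3, ["GetTickCount"] + INJECT * 2 + ["Sleep"],
                INJECT + ["Sleep", "GetTickCount"] + INJECT]
FAMILY_TEST = INJECT * 2 + ["Sleep"]
BENIGN_TEST = ["CreateFileW", "ReadFile", "ReadFile", "WriteFile", "CloseHandle",
               "GetTickCount", "Sleep", "CreateFileW", "ReadFile", "CloseHandle"]


def train_family_model(n_states=2, iters=40):
    vocab = sorted({call for seq in FAMILY_TRAIN for call in seq})
    model = ApiCallHMM(n_states, vocab)
    model.train(FAMILY_TRAIN, iters=iters)
    return model


if __name__ == "__main__":
    m = train_family_model()
    print("family:", m.log_prob_per_obs(FAMILY_TEST), "benign:", m.log_prob_per_obs(BENIGN_TEST))
```

Two practical points the abstract leaves implicit. A trace containing API calls never seen in training would otherwise score log(0); the floor keeps the score finite but makes the model reject such traces very strongly, so the training vocabulary has to cover the calls a benign program is expected to make, or the detector will flag novelty rather than maliciousness. The decision threshold on the per-symbol score is not part of the model either: it is set from the score distributions of held-out malware and benign traces, typically by ROC analysis. The PHMM approach, which aligns a trace against a position-specific profile instead of a fixed state machine, is not shown here.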