Embedded malware is a recently discovered security threat that allows malcode to be hidden inside a benign file. It has been shown that embedded malware is not detected by commercial antivirus software even when the malware signature is present in the antivirus database. In this paper, we present a novel anomaly detection scheme to detect embedded malware. We first analyze byte sequences in benign files to show that the data in benign files generally exhibit a first-order dependence structure. Consequently, conditional n-grams provide a more meaningful representation of a file's statistical properties than traditional n-grams. To capture and leverage this correlation structure for embedded malware detection, we model the conditional distributions as Markov n-grams. For embedded malware detection, we use an information-theoretic measure, called the entropy rate, to quantify changes in the Markov n-gram distributions observed in a file. We show that the entropy rate of Markov n-grams is significantly perturbed at malcode embedding locations and can therefore act as a robust feature for embedded malware detection. We evaluate the proposed Markov n-gram detector on a comprehensive malware dataset consisting of more than 37,000 malware samples and 1,800 benign samples of six well-known file types. We show that the Markov n-gram detector provides better detection and false positive rates than the only existing embedded malware detection scheme.
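The following is an added illustration of the idea described in the abstract; it is not the paper's code and makes no claim about the paper's exact model or thresholds. It estimates a first-order Markov model over bytes (the conditional distribution of each byte given its predecessor), computes the entropy rate of that model for sliding windows of a file, and flags windows whose entropy rate deviates from the file's median window rate. The sample input is constructed: text-like bytes with a pseudo-random 4 KiB blob spliced into the middle to stand in for a region whose byte statistics differ from the rest of the file. The window size, step and the 1-bit deviation threshold are assumptions chosen for this example.

```python
"""Sliding-window entropy rate of a first-order Markov byte model, used to
locate a region whose conditional byte distribution differs from the rest
of a file. Added illustration of the abstract's idea, not the paper's code."""
import math
import random
import statistics
from collections import Counter, defaultdict


def markov_entropy_rate(data: bytes) -> float:
    """Entropy rate, in bits per byte, of the first-order Markov chain
    estimated from `data`: H = sum_a pi(a) * H(next | a), where pi(a) is the
    fraction of transitions that start at byte a and H(next | a) is the
    entropy of the empirical successor distribution of a."""
    if len(data) < 2:
        return 0.0
    successors = defaultdict(Counter)      # byte a -> Counter of bytes following a
    for a, b in zip(data, data[1:]):
        successors[a][b] += 1
    n_transitions = len(data) - 1
    rate = 0.0
    for a, nxt in successors.items():
        total = sum(nxt.values())
        pi_a = total / n_transitions       # empirical weight of state a
        h_a = -sum((c / total) * math.log2(c / total) for c in nxt.values())
        rate += pi_a * h_a
    return rate


def windowed_entropy_rates(data: bytes, window: int = 2048, step: int = 256):
    """Entropy rate of each sliding window; returns [(offset, rate), ...]."""
    if len(data) <= window:
        return [(0, markov_entropy_rate(data))]
    return [(off, markov_entropy_rate(data[off:off + window]))
            for off in range(0, len(data) - window + 1, step)]


def merge_windows(flagged_offsets, window: int):
    """Collapse overlapping flagged window offsets into (start, end) regions."""
    regions = []
    for off in sorted(flagged_offsets):
        if regions and off <= regions[-1][1]:
            regions[-1][1] = max(regions[-1][1], off + window)
        else:
            regions.append([off, off + window])
    return [tuple(r) for r in regions]


def detect_embedded_regions(data: bytes, window: int = 2048, step: int = 256,
                            margin_bits: float = 1.0):
    """Flag windows whose entropy rate deviates from the file's median window
    entropy rate by more than `margin_bits` (an assumed threshold). A file with
    a stable first-order structure gives nearly identical rates for all of its
    windows, so a large deviation marks a region with different byte statistics."""
    rates = windowed_entropy_rates(data, window, step)
    baseline = statistics.median(r for _, r in rates)
    flagged = [off for off, r in rates if abs(r - baseline) > margin_bits]
    return merge_windows(flagged, window)


def build_sample_file(seed: int = 7):
    """Constructed test input (not real malware): repeated text-like bytes with
    a 4 KiB pseudo-random blob spliced into the middle. Returns the bytes and
    the true (start, end) of the spliced region."""
    sentence = b"the quick brown fox jumps over the lazy dog. "
    benign = (sentence * (16384 // len(sentence) + 1))[:16384]
    rng = random.Random(seed)
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    return benign + blob + benign, (len(benign), len(benign) + len(blob))


if __name__ == "__main__":
    sample, (true_start, true_end) = build_sample_file()
    for start, end in detect_embedded_regions(sample):
        print(f"suspect region 0x{start:x}-0x{end:x} "
              f"(constructed blob at 0x{true_start:x}-0x{true_end:x})")
```

On the constructed input the flagged region contains the spliced blob and extends at most one window beyond it on either side, because windows that are mostly text keep an entropy rate close to the file's baseline. The median baseline assumes the file is mostly benign; a real detector would instead learn per-file-type baselines from a benign corpus, as the abstract describes.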