IMAD: in-execution malware analysis and detection

Authors:
Syed Bilal Mehdi;Ajay Kumar Tanwani;Muddassar Farooq
Affiliations:
Next Generation Intelligent Networks Research Center, National University of Computer & Emerging Sciences (FAST-NUCES), Islamabad, Pakistan;Next Generation Intelligent Networks Research Center, National University of Computer & Emerging Sciences (FAST-NUCES), Islamabad, Pakistan;Next Generation Intelligent Networks Research Center, National University of Computer & Emerging Sciences (FAST-NUCES), Islamabad, Pakistan
Venue:
Proceedings of the 11th Annual conference on Genetic and evolutionary computation
Year:
2009

Citing 7
Cited 5

Adaptation in natural and artificial systems

Adaptation in natural and artificial systems
C4.5: programs for machine learning

C4.5: programs for machine learning
Classification and detection of computer intrusions

Classification and detection of computer intrusions
Fast training of support vector machines using sequential minimal optimization

Advances in kernel methods
On Relevance, Probabilistic Indexing and Information Retrieval

Journal of the ACM (JACM)
A Sense of Self for Unix Processes

SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
Data mining approaches for intrusion detection

SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7

Using differential evolution to optimize 'learning from signals' and enhance network security

Proceedings of the 13th annual conference on Genetic and evolutionary computation
Fast malware family detection method using control flow graphs

Proceedings of the 2011 ACM Symposium on Research in Applied Computation
Feature reduction to speed up malware classification

NordSec'11 Proceedings of the 16th Nordic conference on Information Security Technology for Applications
In-execution dynamic malware analysis and detection by mining information in process control blocks of Linux OS

Information Sciences: an International Journal
Using file relationships in malware classification

DIMVA'12 Proceedings of the 9th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment

Quantified Score

Hi-index	0.00

Visualization

Abstract

The sophistication of computer malware is becoming a serious threat to the information technology infrastructure, which is the backbone of modern e-commerce systems. We, therefore, advocate the need for developing sophisticated, efficient, and accurate malware classification techniques that can detect a malware on the first day of its launch -- commonly known as "zero-day malware detection". To this end, we present a new technique, IMAD, that can not only identify zero-day malware without any apriori knowledge but can also detect a malicious process while it is executing (in-execution detection). The capability of in-execution malware detection empowers an operating system to immediately kill it before it can cause any significant damage. IMAD is a realtime, dynamic, efficient, in-execution zero-day malware detection scheme, which analyzes the system call sequence of a process to classify it as malicious or benign. We use Genetic Algorithm to optimize system parameters of our scheme. The evolutionary algorithm is evaluated on real world synthetic data extracted from a Linux system. The results of our experiments show that IMAD achieves more than 90% accuracy in classifying in-execution processes as benign or malicious. Moreover, our scheme can classify approximately 50% of malicious processes within first 20% of their system calls.