PE-Miner: Mining Structural Information to Detect Malicious Executables in Realtime

Authors:
M. Zubair Shafiq;S. Momina Tabish;Fauzan Mirza;Muddassar Farooq
Affiliations:
Next Generation Intelligent Networks Research Center (nexGIN RC), National University of Computer & Emerging Sciences (FAST-NUCES), Islamabad, Pakistan 44000;Next Generation Intelligent Networks Research Center (nexGIN RC), National University of Computer & Emerging Sciences (FAST-NUCES), Islamabad, Pakistan 44000 and School of Electrical Engineering & ...;School of Electrical Engineering & Computer Science (SEECS), National University of Sciences & Technology (NUST), Islamabad, Pakistan 44000 and Next Generation Intelligent Networks Research Center ...;Next Generation Intelligent Networks Research Center (nexGIN RC), National University of Computer & Emerging Sciences (FAST-NUCES), Islamabad, Pakistan 44000
Venue:
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Year:
2009

Citing 7
Cited 16

The base-rate fallacy and its implications for the difficulty of intrusion detection

CCS '99 Proceedings of the 6th ACM conference on Computer and communications security
Data Mining Methods for Detection of New Malicious Executables

SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Learning to detect malicious executables in the wild

Proceedings of the tenth ACM SIGKDD international conference on Knowledge discovery and data mining
Data Mining: Practical Machine Learning Tools and Techniques, Second Edition (Morgan Kaufmann Series in Data Management Systems)

Data Mining: Practical Machine Learning Tools and Techniques, Second Edition (Morgan Kaufmann Series in Data Management Systems)
SmartSiren: virus detection and alert for smartphones

Proceedings of the 5th international conference on Mobile systems, applications and services
Classification of packed executables for accurate computer virus detection

Pattern Recognition Letters
McBoost: Boosting Scalability in Malware Collection and Analysis Using Statistical Classification of Executables

ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference

Recovering the toolchain provenance of binary code

Proceedings of the 2011 International Symposium on Software Testing and Analysis
Structural feature based anomaly detection for packed executable identification

CISIS'11 Proceedings of the 4th international conference on Computational intelligence in security for information systems
Collective classification for packed executable identification

Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference
A cuckoo's egg in the malware nest on-the-fly signature-less malware analysis, detection, and containment for large networks

LISA'11 Proceedings of the 25th international conference on Large Installation System Administration
PEAL--Packed executable analysis

ADCONS'11 Proceedings of the 2011 international conference on Advanced Computing, Networking and Security
A survey of anomaly intrusion detection techniques

Journal of Computing Sciences in Colleges
ESCAPE: entropy score analysis of packed executable

Proceedings of the Fifth International Conference on Security of Information and Networks
Malware detection system by payload analysis of network traffic (poster abstract)

RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
Boosting scalability in anomaly-based packed executable filtering

Inscrypt'11 Proceedings of the 7th international conference on Information Security and Cryptology
In-execution dynamic malware analysis and detection by mining information in process control blocks of Linux OS

Information Sciences: an International Journal
Discriminant malware distance learning on structural information for automated malware classification

Proceedings of the 19th ACM SIGKDD international conference on Knowledge discovery and data mining
Detection of packed malware

Proceedings of the First International Conference on Security of Internet of Things
SPADE: Signature based PAcker DEtection

Proceedings of the First International Conference on Security of Internet of Things
Malware detection by pruning of parallel ensembles using harmony search

Pattern Recognition Letters
SigMal: a static signal processing based malware triage

Proceedings of the 29th Annual Computer Security Applications Conference
Exploring discriminatory features for automated malware classification

DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper, we present an accurate and realtime PE-Miner framework that automatically extracts distinguishing features from portable executables (PE) to detect zero-day (i.e. previously unknown) malware. The distinguishing features are extracted using the structural information standardized by the Microsoft Windows operating system for executables, DLLs and object files. We follow a threefold research methodology: (1) identify a set of structural features for PE files which is computable in realtime, (2) use an efficient preprocessor for removing redundancy in the features' set, and (3) select an efficient data mining algorithm for final classification between benign and malicious executables. We have evaluated PE-Miner on two malware collections, VX Heavens and Malfease datasets which contain about 11 and 5 thousand malicious PE files respectively. The results of our experiments show that PE-Miner achieves more than 99% detection rate with less than 0.5% false alarm rate for distinguishing between benign and malicious executables. PE-Miner has low processing overheads and takes only 0.244 seconds on the average to scan a given PE file. Finally, we evaluate the robustness and reliability of PE-Miner under several regression tests. Our results show that the extracted features are robust to different packing techniques and PE-Miner is also resilient to majority of crafty evasion strategies.