In this paper, we present PE-Miner, an accurate, real-time framework that automatically extracts distinguishing features from portable executables (PE) to detect zero-day (i.e. previously unknown) malware. The distinguishing features are extracted from the structural information that the Microsoft Windows operating system standardizes for executables, DLLs and object files. We follow a threefold research methodology: (1) identify a set of structural features for PE files that is computable in real time, (2) use an efficient preprocessor to remove redundancy from the feature set, and (3) select an efficient data mining algorithm for the final classification between benign and malicious executables. We have evaluated PE-Miner on two malware collections, the VX Heavens and Malfease datasets, which contain about 11 and 5 thousand malicious PE files respectively. The results of our experiments show that PE-Miner achieves more than 99% detection rate with less than 0.5% false alarm rate when distinguishing between benign and malicious executables. PE-Miner has low processing overheads and takes only 0.244 seconds on average to scan a given PE file. Finally, we evaluate the robustness and reliability of PE-Miner under several regression tests. Our results show that the extracted features are robust to different packing techniques and that PE-Miner is also resilient to the majority of crafty evasion strategies.
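As an added illustration of the first step of the methodology above (structural features read straight from the standardized PE headers, cheap enough to compute in real time), the following Python parses a constructed, header-only PE32 image and returns a flat feature dictionary. This is example code written for this page, not PE-Miner's implementation: the paper's actual feature set is not reproduced here, and the derived indicators (writable-and-executable sections, sections with no file-backed data, whether the entry point lies in an executable section) as well as the two sample images are this example's own assumptions.

```python
"""Structural-feature extraction from PE headers (added example, not PE-Miner's code).
The sample images and derived indicators are this example's own assumptions."""
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

COFF_FMT = "<HHIIIHH"                                              # IMAGE_FILE_HEADER, 20 bytes
OPT32_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6  # PE32 optional header, 96 bytes
SECTION_FMT = "<8sIIIIIIHHI"                                       # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe(sections, entry_point):
    """Constructed minimal PE32 image (headers only) used for the demonstration.
    `sections` holds (name, virtual_size, virtual_addr, raw_size, characteristics)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature sits right after the DOS header
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, 96 + 128, 0x0102)
    opt = struct.pack(OPT32_FMT, 0x10B, 14, 0,
                      0x1000, 0x2000, 0,            # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                      entry_point, 0x1000, 0x2000,  # AddressOfEntryPoint, BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,      # ImageBase, SectionAlignment, FileAlignment
                      6, 0, 0, 0, 6, 0,             # OS / image / subsystem versions
                      0, 0x5000, 0x400, 0,          # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      3, 0x8140,                    # Subsystem (console), DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    # 16 data directories; only the import table (index 1) is populated in this sample.
    dirs = b"".join(struct.pack("<II", 0x3000 if i == 1 else 0, 0x80 if i == 1 else 0)
                    for i in range(16))
    raw_ptr, sec_hdrs = 0x400, b""
    for name, vsize, vaddr, rsize, flags in sections:
        sec_hdrs += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"),
                                vsize, vaddr, rsize, raw_ptr if rsize else 0, 0, 0, 0, 0, flags)
        raw_ptr += rsize
    return bytes(dos) + b"PE\0\0" + coff + opt + dirs + sec_hdrs


def extract_features(data):
    """Parse DOS, COFF, optional and section headers into a flat feature dict.
    Raises ValueError for anything that is not a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _ts, _symptr, _nsym, opt_size, chars = struct.unpack_from(COFF_FMT, data, pe_off + 4)
    opt_off = pe_off + 24
    opt = struct.unpack_from(OPT32_FMT, data, opt_off)
    if opt[0] != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    dirs = [struct.unpack_from("<II", data, opt_off + 96 + 8 * i) for i in range(opt[-1])]
    sec_off = opt_off + opt_size
    sections = [struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i) for i in range(nsec)]

    entry = opt[6]
    # Derived indicators (this example's own choices, not the paper's feature list).
    wx = sum(1 for s in sections if s[9] & IMAGE_SCN_MEM_WRITE and s[9] & IMAGE_SCN_MEM_EXECUTE)
    virtual_only = sum(1 for s in sections if s[3] == 0 and s[1] > 0)
    entry_in_exec = any(s[2] <= entry < s[2] + max(s[1], s[3]) and s[9] & IMAGE_SCN_MEM_EXECUTE
                        for s in sections)
    return {
        "machine": machine,
        "num_sections": nsec,
        "file_characteristics": chars,
        "size_of_code": opt[3],
        "size_of_init_data": opt[4],
        "entry_point": entry,
        "size_of_image": opt[19],
        "num_data_dirs_used": sum(1 for rva, size in dirs if rva or size),
        "section_names": [s[0].rstrip(b"\0").decode(errors="replace") for s in sections],
        "wx_sections": wx,
        "virtual_only_sections": virtual_only,
        "entry_in_exec_section": entry_in_exec,
    }


def normal_sample():
    """Constructed image with a conventional code/data layout."""
    return build_sample_pe([(".text", 0x1000, 0x1000, 0x1000, 0x60000020),
                            (".data", 0x1000, 0x2000, 0x200, 0xC0000040)], entry_point=0x1100)


def suspicious_sample():
    """Constructed image with a packer-like layout: an empty RWX section that is
    filled at run time, and a second RWX section holding the entry point."""
    return build_sample_pe([("pck0", 0x3000, 0x1000, 0, 0xE0000080),
                            ("pck1", 0x1000, 0x4000, 0x1000, 0xE0000040)], entry_point=0x4100)


if __name__ == "__main__":
    for label, image in (("normal", normal_sample()), ("suspicious", suspicious_sample())):
        print(label, extract_features(image))
```

Every value here comes from fixed-offset header fields, which is what makes this class of feature cheap enough for per-file scanning; a classifier such as the one the abstract describes would consume the dictionary as a numeric vector, with the boolean and count indicators being the ones most directly affected by packing.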