Automatic analysis of malware behavior using machine learning

Authors:
Konrad Rieck;Philipp Trinius;Carsten Willems;Thorsten Holz_aff2n3
Affiliations:
(Correspd. E-mail: konrad.rieck@tu-berlin.de) Berlin Institute of Technology, Berlin, Germany;af2 University of Mannheim, Mannheim, Germany;af2 University of Mannheim, Mannheim, Germany;af3 Vienna University of Technology, Vienna, Austria
Venue:
Journal of Computer Security
Year:
2011

Citing 0
Cited 12

Sandnet: network traffic analysis of malicious software

Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security
The proactivity of Perceptron derived algorithms in malware detection

Journal in Computer Virology
Malware characterization using behavioral components

MMM-ACNS'12 Proceedings of the 6th international conference on Mathematical Methods, Models and Architectures for Computer Network Security: computer network security
Using low-level dynamic attributes for malware detection based on data mining methods

MMM-ACNS'12 Proceedings of the 6th international conference on Mathematical Methods, Models and Architectures for Computer Network Security: computer network security
VAMO: towards a fully automated malware clustering validity analysis

Proceedings of the 28th Annual Computer Security Applications Conference
Unveiling Zeus: automated classification of malware samples

Proceedings of the 22nd international conference on World Wide Web companion
Discriminant malware distance learning on structural information for automated malware classification

Proceedings of the 19th ACM SIGKDD international conference on Knowledge discovery and data mining
Sally: a tool for embedding strings in vector spaces

The Journal of Machine Learning Research
A close look on n-grams in intrusion detection: anomaly detection vs. classification

Proceedings of the 2013 ACM workshop on Artificial intelligence and security
Approaches to adversarial drift

Proceedings of the 2013 ACM workshop on Artificial intelligence and security
Exploring discriminatory features for automated malware classification

DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Towards automatic software lineage inference

SEC'13 Proceedings of the 22nd USENIX conference on Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Malicious software - so called malware - poses a major threat to the security of computer systems. The amount and diversity of its variants render classic security defenses ineffective, such that millions of hosts in the Internet are infected with malware in the form of computer viruses, Internet worms and Trojan horses. While obfuscation and polymorphism employed by malware largely impede detection at file level, the dynamic analysis of malware binaries during run-time provides an instrument for characterizing and defending against the threat of malicious software. In this article, we propose a framework for the automatic analysis of malware behavior using machine learning. The framework allows for automatically identifying novel classes of malware with similar behavior (clustering) and assigning unknown malware to these discovered classes (classification). Based on both, clustering and classification, we propose an incremental approach for behavior-based analysis, capable of processing the behavior of thousands of malware binaries on a daily basis. The incremental analysis significantly reduces the run-time overhead of current analysis methods, while providing accurate discovery and discrimination of novel malware variants.