A layered classification for malicious function identification and malware detection

Authors:
Ting Liu;Xiaohong Guan;Yu Qu;Yanan Sun
Affiliations:
State Key Laboratory for Manufacturing Systems Engineering, Ministry of Education Key Lab for Intelligent Networks and Network Security, Xi'an Jiaotong University, Xi'an, 710049, China;State Key Laboratory for Manufacturing Systems Engineering, Ministry of Education Key Lab for Intelligent Networks and Network Security, Xi'an Jiaotong University, Xi'an, 710049, China;State Key Laboratory for Manufacturing Systems Engineering, Ministry of Education Key Lab for Intelligent Networks and Network Security, Xi'an Jiaotong University, Xi'an, 710049, China;State Key Laboratory for Manufacturing Systems Engineering, Ministry of Education Key Lab for Intelligent Networks and Network Security, Xi'an Jiaotong University, Xi'an, 710049, China
Venue:
Concurrency and Computation: Practice & Experience
Year:
2012

Citing 9
Cited 1

Very Simple Classification Rules Perform Well on Most Commonly Used Datasets

Machine Learning
Data Mining: Practical Machine Learning Tools and Techniques, Second Edition (Morgan Kaufmann Series in Data Management Systems)

Data Mining: Practical Machine Learning Tools and Techniques, Second Edition (Morgan Kaufmann Series in Data Management Systems)
Comparison of feature selection and classification algorithms in identifying malicious executables

Computational Statistics & Data Analysis
Detection of unknown computer worms based on behavioral classification of the host

Computational Statistics & Data Analysis
Malware detection using adaptive data compression

Proceedings of the 1st ACM workshop on Workshop on AISec
Spam filtering for network traffic security on a multi-core environment

Concurrency and Computation: Practice & Experience - Multi-core Supported Network and System Security
Stealthy malware detection and monitoring through VMM-based “out-of-the-box” semantic view reconstruction

ACM Transactions on Information and System Security (TISSEC)
The use of the area under the ROC curve in the evaluation of machine learning algorithms

Pattern Recognition
CAFS: a novel lightweight cache-based scheme for large-scale intrusion alert fusion

Concurrency and Computation: Practice & Experience

(ICICTA 2012)

Concurrency and Computation: Practice & Experience

Quantified Score

Hi-index	0.00

Visualization

Abstract

Millions of new malicious programs are produced by the mature industry of malware production. These programs have tremendous challenges on the signature-based antivirus products. Machine learning techniques are applicable for detecting unknown malicious programs without knowing their signatures. In this paper, a layered classification method is developed to detect malwares with a two-layer framework. The low-level-classifier is employed to identify whether the programs perform any malicious functions according to the API-calls of the programs; the up-level-classifier is applied to detect malwares according to the function identification. A hybrid structure called Type-Function, constituting of the classification results of low-level-classifier and up-level-classifier, is proposed to describe the malware. This method is compared with Naive Bayes, decision tree, and boosting using a comprehensive test dataset containing 16,135 malwares and 1800 benign programs. The experiments demonstrate that our method outperforms other algorithms in terms of detection accuracy. Moreover, the Type-Function structure is proved as an unprejudiced and effective method for malware description. Copyright © 2011 John Wiley & Sons, Ltd.