A layered classification for malicious function identification and malware detection

  • Authors:
  • Ting Liu; Xiaohong Guan; Yu Qu; Yanan Sun

  • Affiliation (all four authors):
  • State Key Laboratory for Manufacturing Systems Engineering, Ministry of Education Key Lab for Intelligent Networks and Network Security, Xi'an Jiaotong University, Xi'an, 710049, China

  • Venue:
  • Concurrency and Computation: Practice & Experience
  • Year:
  • 2012
  • (ICICTA 2012)

Abstract

Millions of new malicious programs are produced every year by a mature malware industry, and they pose tremendous challenges to signature-based antivirus products. Machine learning techniques can detect unknown malicious programs without knowing their signatures. In this paper, a layered classification method is developed to detect malware with a two-layer framework. The low-level classifier is employed to identify whether a program performs any malicious functions, based on the API calls of the program; the up-level classifier is applied to detect malware based on that function identification. A hybrid structure called Type-Function, consisting of the classification results of the low-level and up-level classifiers, is proposed to describe the malware. This method is compared with Naive Bayes, decision tree, and boosting on a comprehensive test dataset containing 16,135 malware samples and 1800 benign programs. The experiments demonstrate that our method outperforms the other algorithms in detection accuracy. Moreover, the Type-Function structure is shown to be an unbiased and effective method for describing malware. Copyright © 2011 John Wiley & Sons, Ltd.
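The two-layer framework the abstract describes, as an added illustration (not the authors' code or features): a low-level Bernoulli Naive Bayes classifier per malicious function is trained on API-call presence, and an up-level classifier over the identified functions gives the malware verdict, yielding a Type-Function description. The API names, function names, the tiny training set and the choice to train the up-level classifier on labelled functions are all constructed assumptions for the example.

```python
import math

class BernoulliNB:
    """Naive Bayes over present/absent features, Laplace-smoothed."""
    def fit(self, samples, labels):
        self.vocab = sorted({f for s in samples for f in s})
        self.prior, self.cond = {}, {}
        for c in set(labels):
            docs = [s for s, y in zip(samples, labels) if y == c]
            self.prior[c] = len(docs) / len(samples)
            self.cond[c] = {f: (sum(f in d for d in docs) + 1) / (len(docs) + 2)
                            for f in self.vocab}
        return self
    def predict(self, sample):
        scores = {}
        for c, prior in self.prior.items():
            lp = math.log(prior)  # log space avoids underflow on long API lists
            for f in self.vocab:
                p = self.cond[c][f]
                lp += math.log(p if f in sample else 1 - p)
            scores[c] = lp
        return max(scores, key=scores.get)

class LayeredClassifier:
    """Low level: one classifier per malicious function over API calls.
    Up level: malware/benign classifier over the identified functions."""
    def fit(self, train, functions):
        apis = [a for a, _, _ in train]
        self.low = {f: BernoulliNB().fit(apis, [f in fs for _, fs, _ in train])
                    for f in functions}
        # Assumption: the up-level classifier is trained on the labelled functions.
        self.up = BernoulliNB().fit([fs for _, fs, _ in train], [m for _, _, m in train])
        return self
    def type_function(self, apis):
        """Type-Function description: verdict plus the identified functions."""
        funcs = frozenset(f for f, clf in self.low.items() if clf.predict(apis))
        return {"type": "malware" if self.up.predict(funcs) else "benign", "functions": sorted(funcs)}

# Constructed training set: (API calls, malicious functions performed, is_malware).
# API and function names are illustrative assumptions, not the paper's feature set.
TRAIN = [
    ({"RegSetValueEx", "CreateFile", "WriteFile"}, {"persistence"}, 1),
    ({"connect", "send", "recv", "CreateProcess"}, {"network_backdoor"}, 1),
    ({"RegSetValueEx", "connect", "send"}, {"persistence", "network_backdoor"}, 1),
    ({"CreateFile", "ReadFile", "CloseHandle"}, set(), 0),
    ({"MessageBox", "CreateWindow", "GetMessage"}, set(), 0),
    ({"CreateFile", "WriteFile", "CloseHandle"}, set(), 0),
]
MODEL = LayeredClassifier().fit(TRAIN, ["persistence", "network_backdoor"])

def classify(apis):
    return MODEL.type_function(frozenset(apis))
```

For an unseen program combining registry persistence with network APIs, `classify` reports both functions and a malware verdict; a plain file-reading program yields no functions and a benign verdict.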