Malware variants detection based on ensemble learning

doi:10.19682/j.cnki.1005-8885.2020.1010

中国邮电高校学报(英文) ›› 2020, Vol. 27 ›› Issue (2): 82-90.doi: 10.19682/j.cnki.1005-8885.2020.1010

• Others • 上一篇

Malware variants detection based on ensemble learning

Ma Yan, Du Donggao

1. Network and Information Center, Institute of Network Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
2. National Engineering Laboratory for Mobile Network Security, Beijing University of Post and Telecommunications, Beijing 100876, China

收稿日期:2020-02-05 修回日期:2020-05-09 出版日期:2020-04-30 发布日期:2020-07-07
通讯作者: Du Donggao, E-mail: dudonggao@126.com E-mail:dudonggao@126.com
作者简介:Du Donggao, E-mail: dudonggao@126.com
基金资助:
This work was supported by National Natural Science Foundation of China (61601041), Fundamental Research Funds for the Central Universities (2018RC55), Beijing Talents Foundation (2017000020124G062).

Malware variants detection based on ensemble learning

Ma Yan, Du Donggao

1. Network and Information Center, Institute of Network Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
2. National Engineering Laboratory for Mobile Network Security, Beijing University of Post and Telecommunications, Beijing 100876, China

Received:2020-02-05 Revised:2020-05-09 Online:2020-04-30 Published:2020-07-07
Contact: Du Donggao, E-mail: dudonggao@126.com E-mail:dudonggao@126.com
About author:Du Donggao, E-mail: dudonggao@126.com
Supported by:
This work was supported by National Natural Science Foundation of China (61601041), Fundamental Research Funds for the Central Universities (2018RC55), Beijing Talents Foundation (2017000020124G062).

摘要/Abstract

摘要： Application programming interface (API) is a procedure call interface to operation system resource. API-based behavior features can capture the malicious behaviors of malware variants. However, existing malware detection approaches have a deal of complex operations on constructing and matching. Furthermore, graph matching is adopted in many approaches, which is a nondeterministic polynominal (NP)-complete problem because of computational complexity. To address these problems, a novel approach is proposed to detect malware variants. Firstly, the API of the malware are divided by their functions and parameters. Then, the classified behavior graph (CBG) is constructed from the API call sequences. Finally, the signature based on CBGs for each malware family is generated. Besides, the malware variants are classified by ensemble learning algorithm. Experiments on 1 220 malware samples show that the true positive rate (TPR) is up to 89.0% with the low false positive rate (FPR) 3.7% by ensemble learning.

关键词:

classified behavior, malware variant, ensemble learning

Abstract: Application programming interface (API) is a procedure call interface to operation system resource. API-based behavior features can capture the malicious behaviors of malware variants. However, existing malware detection approaches have a deal of complex operations on constructing and matching. Furthermore, graph matching is adopted in many approaches, which is a nondeterministic polynominal (NP)-complete problem because of computational complexity. To address these problems, a novel approach is proposed to detect malware variants. Firstly, the API of the malware are divided by their functions and parameters. Then, the classified behavior graph (CBG) is constructed from the API call sequences. Finally, the signature based on CBGs for each malware family is generated. Besides, the malware variants are classified by ensemble learning algorithm. Experiments on 1 220 malware samples show that the true positive rate (TPR) is up to 89.0% with the low false positive rate (FPR) 3.7% by ensemble learning.

Key words:

classified behavior, malware variant, ensemble learning

Ma Yan, Du Donggao. Malware variants detection based on ensemble learning[J]. The Journal of China Universities of Posts and Telecommunications, 2020, 27(2): 82-90.

参考文献

References
1. Symantec C. Symantec Internet security threat report 2019. Symantec Corporation, 2019, 24: 31 -39
2. Sivakorn S, Jee K, Sun Y, et al. Countering malicious processes with process-NDS association. Proceedings of Network and Distributed System Security Symposium (NDSS 2019), Feb 24 -27, 2019, San Diego, CA, USA, 2019: 1 -15
3. Cui Z, Xue F, Cai X, et al. Detection of malicious code variants based on deep learning. IEEE Trans Industrial Informatics, 2018, 14(7): 3187 -3196
4. Bai J R, Wang J F. Improving malware detection using multi-view ensemble learning. Security and Communication Networks, 2016, 9(17): 4227 -4241
5. Fredrikson M, Jha S, Christodorescu M, et al. Synthesizing near-optimal malware specifications from suspicious behaviors. Proceeding of 2010 IEEE Symposium on Security and Privacy, Oakland, CA, USA, 2010: 6 -19
6. Cesare S, Xiang Y, Zhou W L. Control flow-based malware variant detection. IEEE Transactions on Dependable and Secure Computing, 2014, 11(40): 307 -317
7. Elhadi A A E, Maarof M A, Barry B I A, et al. Enhancing the detection of metamorphic malware using call graphs. Computers and Security, 2014, 46: 62 -78
8. Ding Y, Xia X, Chen S, et al. A malware detection method based on family behavior graph. Computer and Security, 2018, 73: 73 -86
9. Fang Y, Yu B, Tang Y, et al. A new malware classification approach based on malware dynamic analysis. Proceedings of Australasian Conference on Information Security and Privacy (ACISP), Auckland, New Zealand: Springer, Cham, 2017: 173 -189
10. Khasawneh K N, Ozsoy M, Donovick C, et al. Ensemble HMD: accurate hardware malware detectors with specialized ensemble classifiers. IEEE Transactions on Dependable and Secure Computing, 2018, 99: 1p
11. Park Y, Reeves D S, Stamp M. Deriving common malware behavior through graph clustering. Computers and Security, 2013, 39: 419 -430
12. Du D G, Sun Y, Ma Y, et al. A novel approach to detect malware variants based on classified behaviors. IEEE Access, 2019(7): 81770 -81782
13. Danti A. Detection of fake opinions on online products using decision tree and information gain. Proceedings of 3rd International Conference on Computing Methodologies and Communication (ICCMC), Erode, India: IEEE, 2019: 372 -375
14. Chen X, Li C, Wang D, et al. Android HIV: a study of repackaging malware for evading machine-learning detection. IEEE Transactions on Information Forensics and Security, 2019, 15: 987 -1001
15. Wolpert D H. Stacked generalization. Neural Networks, 1992, 5(2): 241 -259
16. Guo H X, Li Y J, Shang J, et al. Learning from class-imbalanced data: review of methods and applications. Expert System with Applications, 2017, 73: 220 -239
17. Sokolova M, Lapalme G. A systematic analysis of performance measure for classification tasks. Information Processing and Management, 2009, 45: 427 -437

Malware variants detection based on ensemble learning

Malware variants detection based on ensemble learning

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 0

编辑推荐

Metrics

本文评价