Malware Detection Method Based on Shapelet

doi:10.3969/j.issn.1671-1122.2018.03.009

Abstract

Abstract:

Against malware detection method based on traditional malware signature in the detection of malware is difficult in dealing with metamorphosis, polymorphic and other malware variation technologies, and the feature of high time complexity of the worst case in the detection process, this paper uses the idea of Shapelet in the classification of time series data, and builds the malware classification tree that can be used for malware classification based on the API calling sequence used running in sandbox, the experimental show that this method can not only cope with the malware variation technology, but also reduce the malware detection time.

Key words: malware detection, metamorphosis, time complexity, Shapelet, classification tree

CLC Number:

TP309

Yunchun LI, Wentao LU, Wei LI. Malware Detection Method Based on Shapelet[J]. Netinfo Security, 2018, 18(3): 70-77.

Figures/Tables 5

References 25

[1]	SANTOS I, PENYA Y K, DEVESA J, et al. N-grams-based File Signatures for Malware Detection[EB/OL]. .
[2]	STOLFO S J, WANG K. ApparatusMethod and Medium for Detecting Payload Anomaly Using N-gram Distribution of Normal Data: U.S. Patent 7639714[P].2009-12-29.
[3]	IDIKA N, MATHUR A P.A Survey of Malware Detection Techniques[D]. West Lafayette:Purdue University, 2007.
[4]	TABISH S M, SHAFIQ M Z, FAROOQ M.Malware Detection Using Statistical Analysis of Byte-level File Content[C]//ACM. 18th USENIX Security Symposium, August 10-14, 2009, Montreal, Canada. Berkeley: USENIX, 2009: 23-31.
[5]	BAYSA D, LOW R M, STAMP M.Structural Entropy and Metamorphic Malware[J]. Journal of Computer Virology and Hacking Techniques, 2013, 9(4): 179-192.
[6]	PATRI O, WOJNOWICZ M, WOLFF M. Discovering Malware with Time Series Shapelets[EB/OL]. , 2017-10-26.
[7]	KOLBITSCH C, COMPARETTI P M, KRUEGEL C, et al.Effective and Efficient Malware Detection at the End Host[C]//ACM. 18th USENIX Security Symposium, August 10-14, 2009, Montreal, Canada. Berkeley: USENIX, 2009: 351-366.
[8]	YIN H, SONG D, EGELE M, et al.Panorama:Capturing System-wide Information Flow for Malware Detection and Analysis[C]//Association for Computing Machinery. Proceedings of the 14th ACM Conference on Computer and Communications Security, October 29-November 02, 2007, Alexandria, VA, USA. New York: ACM, 2007: 116-127.
[9]	BRUSCHI D, MARTIGNONI L, MONGA M.Detecting Self-mutating Malware Using Control-flow Graph Matching[C]//German Society of Informatics (GI). DIMVA, July 13-14, 2006, Berlin, Germany. Verlag Berlin Heidelberg:Springer, 2006:129-143.
[10]	CESARE S, XIANG Y.Malware Variant Detection Using Similarity Search over Sets of Control Flow Graphs[C]//IEEE. Trust, Security and Privacy in Computing and Communications (TrustCom), November 16-18, 2011, Changsha, China. Piscataway: IEEE, 2011: 181-189.
[11]	BONFANTE G, KACZMAREK M, MARION J Y. Control Flow Graphs as Malware Signatures[EB/OL]. .
[12]	Sæbjørnsen A, WILLCOCK J, PANAS T, et al.Detecting Code Clones in Binary Executables[C]//ACM. Proceedings of the Eighteenth International Symposium on Software Testing and Analysis, July 19-23, 2009, Chicago, IL, USA. New York: ACM, 2009: 117-127.
[13]	YE L, KEOGH E.Time Series Shapelets: a New Primitive for Data Mining[C]//ACM. Proceedings of the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, June 28-July 1, 2009, Paris, France. New York: ACM, 1971: 17-38.
[14]	TANG Y, CHEN S.Defending against Internet Worms: a Signature-based Approach[C]//IEEE. 24th Annual Joint Conference of the IEEE Computer and Communications Societies, March 13-17, 2005, Miami, FL, USA. Piscataway: IEEE, 2005: 1384-1394.
[15]	WANG K, STOLFO S J.Anomalous Payload-based Network Intrusion Detection[C]//Eurécom Institute. 7th International Symposium, September 15-17, 2004, France. Verlag Berlin Heidelberg: Springer, 2004: 203-222.
[16]	KREIBICHC, CROWCROFT J.Honeycomb: Creating Intrusion Detection Signatures Using Honeypots[J]. ACM SIGCOMM Computer Communication Review, 2004, 34(1): 51-56.
[17]	CHRISTODORESCU M, JHA S, SESHIA S A, et al.Semantics-aware Malware Detection[C]//IEEE. Proceedings of the 2005 IEEE Symposium on Security and Privacy, May 8-11, 2005, Los Angeles, Oakland, CA, USA. Piscataway: IEEE, 2005: 32-46.
[18]	YEGNESWARAN V, GIFFIN J T, BARFORD P, et al.An Architecture for Generating Semantic Aware Signatures[C]//USENIX. Proceedings of the 14th USENIX Security Symposium, July 31-August 5, 2005, Baltimore, MD USA. Berkeley: USENIX, 2005: 97-112.
[19]	NEWSOME J, KARP B, SONG D.Polygraph: Automatically Generating Signatures for Polymorphic Worms[C]//IEEE. Proceedings of the 2005 IEEE Symposium on Security and Privacy, May 8-11, 2005, Los Angeles, Oakland, CA, USA. Piscataway: IEEE, 2005: 226-241.
[20]	SINGH S, ESTAN C, VARGHESE G, et al. Automated Worm Fingerprinting [EB/OL]. , 2017-10-24.
[21]	FILIOL E, JOSSE S.A Statistical Model for Undecidable Viral Detection[J]. Journal in Computer Virology, 2007, 3(2): 65-74.
[22]	TAHAN G, GLEZER C, ELOVICI Y, et al.Auto-sign: an Automatic Signature Generator for High-speed Malware Filtering Fevices[J]. Journal in Computer Virology, 2010, 6(2): 91-103.
[23]	TRINIUS P, WILLEMS C, HOLZ T, et al. A Malware Instruction Set for Behavior-based Analysis[EB/OL]. , 2017-10-12.
[24]	RAKTHANMANON T, KEOGH E.Fast Shapelets: a Scalable Algorithm for Discovering Time Series Shapelets[C]//SIAM. Proceedings of the 2013 SIAM International Conference on Data Mining, May 2-4, 2013, Austin, Texas. Berlin: Springer, 2013: 668-676.
[25]	RIECK K, TRINIUS P, WILLEMS C, et al.Automatic Analysis of Malware Behavior Using Machine Learning[J]. Journal of Computer Security, 2011, 19(4): 639-668.