Malware Classification Based on File and Registry Activities

Zeng, Ling-Ming

12 September 2012

Cyber criminals are trying to steal personal information from victim¡¦s machine to acquire more benefits by using malware. Antivirus is the most commonly used tool of malware identification, but the frequency of virus definition update is often less than the frequency of new type malware increase. Therefore, we need an effective and fast tool of malware identification in the current environment. In addition to antivirus, software analysis platform is currently one of the ways to identify malware. User could figure out behaviors of software in detail by the analysis report provided by software analysis platform. Most of software analysis platforms only offer an analysis report, user have to identify whether the software is malware or not by them self. This type of report is no help for user if their expertise not enough to find out these behaviors. Some of software analysis platforms which used antivirus can provide information to user about the software is malware or not, but they don¡¦t have the ability of identifying new type malware immediately. According to research and analysis report, we generalized differences in file and registry activities of normal software and malware and defined malware classification features from these differences. We adopted Support Vector Machine¡]SVM¡^as our algorithm of classification to build and test three classifiers which can identify normal software and malware. After several experimental evaluations, we confirmed that the identification rate of malware was up to 97.6%. Finally, we compared the performance of our classifiers with ThreatExpert, and the result show that the performance of our classifiers is as well as ThreatExpert.

Malware

Malware Classification

SVM

Výpočetní inteligence pro klasifikaci malware / Computational Intelligence for Malware Classification

Tomášek, Jan

January 2015

As the number of computers and other smart devices grows in every aspect of human life, the amount of malicious software (malware) also grows. Such software tries to disrupt computer usage. Therefore one of the challenges for computer science is to divide the Malware into classes according to its behaviour. The thesis summarizes known ways to look at the problem at hand, some of them are extensions of known approaches, while others are completely new. They are all implemented, tested and compared. We also propose few ideas for future research. Powered by TCPDF (www.tcpdf.org)

Automating Malware Detection in Windows Memory Images using Machine Learning

Glendowne, Dae

09 May 2015

Malicious software, or malware, is often employed as a tool to maintain access to previously compromised systems. It enables the intruders to utilize system resources, harvest legitimate credentials, and maintain a level of stealth throughout the process. During incident response, identifying systems infected with malware is necessary for effective remediation of an attack. When analysts lack sufficient indicators of compromise they are forced to conduct a comprehensive examination to identify anomalous behavior on a system, a time consuming and challenging task. Malware authors use several techniques to conceal malware on a system, with a common method being DLL injection. In this dissertation we present a system for automatically generating Windows 7 x86 memory images infected with malware, identifying the malicious DLLs injected into a process, and extracting the features associated with those DLLs. A set of 3,240 infected memory images was produced and analyzed to identify common characteristics of malicious DLLs in memory. From this analysis a feature set was constructed and two datasets were used to evaluate five classification algorithms. The ZeroR method was used as a baseline for comparison with accuracy and false positive rate (misclassifying malicious DLLs as legitimate) being the two metrics of interest. The results of the experiments showed that learning using the feature set is viable and that the performance of the classifiers can be further improved through the use of feature selection. Each of the classification methods outperformed the ZeroR method with the J48 Decision Tree obtaining the, overall, best results.

memory analysis

malware classification

DLL injection

Code Classification Based on Structure Similarity

Yang, Chia-hui

14 September 2012

Automatically classifying malware variants source code is the most important research issue in the field of digital forensics. By means of malware classification, we can get complete behavior of malware which can simplify the forensics task. In previous researches, researchers use malware binary to perform dynamic analysis or static analysis after reverse engineering. In the other hand, malware developers even use anti-VM and obfuscation techniques try to cheating malware classifiers. With honeypots are increasingly used, researchers could get more and more malware source code. Analyzing these source codes could be the best way for malware classification. In this paper, a novel classification approach is proposed which based on logic and directory structure similarity of malwares. All collected source code will be classified correctly by hierarchical clustering algorithm. The proposed system not only helps us classify known malwares correctly but also find new type of malware. Furthermore, it avoids forensics staffs spending too much time to reanalyze known malware. And the system could also help realize attacker's behavior and purpose. The experimental results demonstrate the system can classify the malware correctly and be applied to other source code classification aspect.

Malware Classification

Source Code

Static Analysis

Structure Similarity

Analysis of Rank Distance for Malware Classification

Subramanian, Nandita

January 2016

No description available.

Computer Science

Rank Distance

Malware Classification

Mutual Information

Text Mining

Similarity Measures

Windows Malware

An Evaluation of Machine Learning Approaches for Hierarchical Malware Classification

Roth, Robin, Lundblad, Martin

January 2019

With an evermore growing threat of new malware that keeps growing in both number and complexity, the necessity for improvement in automatic detection and classification of malware is increasing. The signature-based approaches used by several Anti-Virus companies struggle with the increasing amount of polymorphic malware. The polymorphic malware change some minor aspects of the code to be able to remain undetected. Malware classification using machine learning have been used to try to solve this issue in previous research. In the proposed work, different hierarchical machine learning approaches are implemented to conduct three experiments. The methods utilise a hierarchical structure in various ways to be able to get a better classification performance. A selection of hierarchical levels and machine learning models are used in the experiments to evaluate how the results are affected. A data set is created, containing over 90000 different labelled malware samples. The proposed work also includes the creation of a labelling method that can be helpful for researchers in malware classification that needs labels for a created data set.The feature vector used contains 500 n-gram features and 3521 Import Address Table features. In the experiments for the proposed work, the thesis includes the testing of four machine learning models and three different amount of hierarchical levels. Stratified 5-fold cross validation is used in the proposed work to reduce bias and variance in the results. The results from the classification approach shows it achieves the highest hF-score, using Random Forest (RF) as the machine learning model and having four hierarchical levels, which got an hF-score of 0.858228. To be able to compare the proposed work with other related work, pure-flat classification accuracy was generated. The highest generated accuracy score was 0.8512816, which was not the highest compared to other related work.

Machine Learning

Hierarchical Malware Classification

Static Malware Analysis

Mnemonic N-grams

Other Computer and Information Science

Annan data- och informationsvetenskap

Malware Analysis using Profile Hidden Markov Models and Intrusion Detection in a Stream Learning Setting

Saradha, R

January 2014

In the last decade, a lot of machine learning and data mining based approaches have been used in the areas of intrusion detection, malware detection and classification and also traffic analysis. In the area of malware analysis, static binary analysis techniques have become increasingly difficult with the code obfuscation methods and code packing employed when writing the malware. The behavior-based analysis techniques are being used in large malware analysis systems because of this reason. In prior art, a number of clustering and classification techniques have been used to classify the malwares into families and to also identify new malware families, from the behavior reports. In this thesis, we have analysed in detail about the use of Profile Hidden Markov models for the problem of malware classification and clustering. The advantage of building accurate models with limited examples is very helpful in early detection and modeling of malware families. The thesis also revisits the learning setting of an Intrusion Detection System that employs machine learning for identifying attacks and normal traffic. It substantiates the suitability of incremental learning setting(or stream based learning setting) for the problem of learning attack patterns in IDS, when large volume of data arrive in a stream. Related to the above problem, an elaborate survey of the IDS that use data mining and machine learning was done. Experimental evaluation and comparison show that in terms of speed and accuracy, the stream based algorithms perform very well as large volumes of data are presented for classification as attack or non-attack patterns. The possibilities for using stream algorithms in different problems in security is elucidated in conclusion.

Malware (Malicious Software)

Malware, Cyber Attacks

Malware Analysis

Profile Hidden Markov Models

Intrusion Detection Systems

Data Mining

Malware Classification and Clustering

Machine Learning

Malware Detection

Cyber Attacks

Stream-based Learning

Polymorphic Malware Detection

Huffman Encoding

Stream Algorithms

Computer Science

Identifikace a charakterizace škodlivého chování v grafech chování / Identification and characterization of malicious behavior in behavioral graphs

Varga, Adam

January 2021

Za posledné roky je zaznamenaný nárast prác zahrňujúcich komplexnú detekciu malvéru. Pre potreby zachytenia správania je často vhodné pouziť formát grafov. To je prípad antivírusového programu Avast, ktorého behaviorálny štít deteguje škodlivé správanie a ukladá ich vo forme grafov. Keďže sa jedná o proprietárne riešenie a Avast antivirus pracuje s vlastnou sadou charakterizovaného správania bolo nutné navrhnúť vlastnú metódu detekcie, ktorá bude postavená nad týmito grafmi správania. Táto práca analyzuje grafy správania škodlivého softvéru zachytené behavioralnym štítom antivírusového programu Avast pre proces hlbšej detekcie škodlivého softvéru. Detekcia škodlivého správania sa začína analýzou a abstrakciou vzorcov z grafu správania. Izolované vzory môžu efektívnejšie identifikovať dynamicky sa meniaci malware. Grafy správania sú uložené v databáze grafov Neo4j a každý deň sú zachytené tisíce z nich. Cieľom tejto práce bolo navrhnúť algoritmus na identifikáciu správania škodlivého softvéru s dôrazom na rýchlosť skenovania a jasnosť identifikovaných vzorcov správania. Identifikácia škodlivého správania spočíva v nájdení najdôležitejších vlastností natrénovaných klasifikátorov a následnej extrakcie podgrafu pozostávajúceho iba z týchto dôležitých vlastností uzlov a vzťahov medzi nimi. Následne je navrhnuté pravidlo pre hodnotenie extrahovaného podgrafu. Diplomová práca prebehla v spolupráci so spoločnosťou Avast Software s.r.o.