A Hybrid Static Tool to Increase the Usability and Scalability of Dynamic Detection of Malware

Danny Kim, Daniel Mirsky, Amir Majlesi-Kupaei, R. Barua
DOI: 10.1109/MALWARE.2018.8659373 (https://doi.org/10.1109/MALWARE.2018.8659373)
Venue: 2018 13th International Conference on Malicious and Unwanted Software (MALWARE)
Publication date: 2018-10-01
Citation count: 4

Abstract

Malware detection is a paramount priority in today’s world in order to prevent malware attacks. Malware detection comes in three methods: static analysis, dynamic analysis, and hybrids. Static analysis is fast and effective for detecting previously seen malware, whereas dynamic analysis can be more accurate and robust against zero-day or polymorphic malware, but at the cost of a high computational load, which results in an often-prohibitive dollar cost for the server farm needed to handle all incoming traffic at an organization’s network entry point. Most modern defenses today use a hybrid approach, which uses both static and dynamic analysis to maximize their chances of detecting malware. However, current hybrid approaches are suboptimal. We propose a solution that utilizes the strengths of both while minimizing their weaknesses by using a two-phase hybrid detection tool. The first phase is a static tool, which we call a “static-hybrid” tool, that is based on machine learning and static analysis to categorize incoming programs into three buckets: definitely benign, definitely malicious, and needs further analysis. Only the small fraction of programs in the third bucket are run on the dynamic analyzer. Our system approaches the accuracy of the dynamic-only system with only a small fraction of its computational cost, while maintaining a real-time malware detection timeliness similar to a static-only system, thus achieving the best of both approaches. A key feature of our system is that the first (static) phase can run in active mode, i.e. it blocks malware in real time, which is possible because of the low 0.08% rate of mistakenly blocking benign programs as malicious (all results in our salient configuration). The second (dynamic) phase is run in passive mode, i.e. it sends alerts for suspected malware without blocking them, and has a higher false positive rate of 0.75%.
The first phase blocks 88.98% of malware, whereas the second phase brings the detection rate up to 98.73%. Since only the small fraction of malware that is missed by the first stage but caught by the second stage generates alerts, our system reduces alerts by 9.5X vs. any highly accurate system running by itself in the typical passive mode seen in practice. Since only 3.63% of programs, those that need further study, are sent to the second phase, this reduces the computation load for dynamic analysis by 100/3.63 = 27.5X.