A Lightweight Design of Malware Behavior Representation
Yong Qiao, Yuexiang Yang, Lin Ji, Chuan Tang, Jie He
Published in: 2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2013), 2013-07-16. DOI: 10.1109/TrustCom.2013.198
To encode malware behavior reports into forms accessible to further automatic analysis methods such as data mining and machine learning, we propose a lightweight design of malware behavior representation named BBIS (Bytes-Based Instruction Set), which uses the fewest single-byte characters to represent the items in dynamic behavior reports. BBIS can build a flexible mapping table for different application scenarios. Experiments show that BBIS significantly reduces computation and storage cost while keeping clustering performance on par with existing methods. Moreover, a method called CHRL (Compression of High Repetitions in Logarithmic level) is introduced to compress the frequently seen repetitions in unexpected API call sequences. In combination with BBIS, CHRL further reduces the size of behavior reports significantly, and consequently reduces computation time, while keeping or improving the performance of further malware analysis such as clustering.