一种基于压缩的变形恶意软件分类技术

2016 IEEE/ACS 13th International Conference of Computer Systems and Applications (AICCSA) Pub Date : 2016-11-01 DOI:10.1109/AICCSA.2016.7945801

Duaa Ekhtoom, M. Al-Ayyoub, Mohammed I. Al-Saleh, M. Alsmirat, Ismail Hmeidi

{"title":"一种基于压缩的变形恶意软件分类技术","authors":"Duaa Ekhtoom, M. Al-Ayyoub, Mohammed I. Al-Saleh, M. Alsmirat, Ismail Hmeidi","doi":"10.1109/AICCSA.2016.7945801","DOIUrl":null,"url":null,"abstract":"Metamorphic malware are able to change their appearance to evade detection by traditional anti-malware software. One of the ways to help mitigate the threat of new metamorphic malware is to determine their origins, i.e., the families to which they belong. This type of metamorphic malware analysis is not typically handled by commercial software. Moreover, existing works rely on analyzing the op-code sequences extracted from the Assembly files of the malware. Very few papers have tried to perform analysis on the binary files of the malware. However, they focused on the simple binary problem of differentiating between a certain malware family and benign files. In this work, we address the more difficult problem of determining the origin of a new metamorphic malware by measuring its similarity to hundreds of variants taken from 13 families of real malware. To address this problem, we use a compression-based classification approach. We experiment with two such approaches: AMDL and BCN. The results showed that AMDL performed no better than a random guess (11% accuracy for AMDL and 18% for the random baseline). On the other hand, BCN performed really well with 67% accuracy.","PeriodicalId":448329,"journal":{"name":"2016 IEEE/ACS 13th International Conference of Computer Systems and Applications (AICCSA)","volume":"38 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"8","resultStr":"{\"title\":\"A compression-based technique to classify metamorphic malware\",\"authors\":\"Duaa Ekhtoom, M. Al-Ayyoub, Mohammed I. Al-Saleh, M. Alsmirat, Ismail Hmeidi\",\"doi\":\"10.1109/AICCSA.2016.7945801\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Metamorphic malware are able to change their appearance to evade detection by traditional anti-malware software. One of the ways to help mitigate the threat of new metamorphic malware is to determine their origins, i.e., the families to which they belong. This type of metamorphic malware analysis is not typically handled by commercial software. Moreover, existing works rely on analyzing the op-code sequences extracted from the Assembly files of the malware. Very few papers have tried to perform analysis on the binary files of the malware. However, they focused on the simple binary problem of differentiating between a certain malware family and benign files. In this work, we address the more difficult problem of determining the origin of a new metamorphic malware by measuring its similarity to hundreds of variants taken from 13 families of real malware. To address this problem, we use a compression-based classification approach. We experiment with two such approaches: AMDL and BCN. The results showed that AMDL performed no better than a random guess (11% accuracy for AMDL and 18% for the random baseline). On the other hand, BCN performed really well with 67% accuracy.\",\"PeriodicalId\":448329,\"journal\":{\"name\":\"2016 IEEE/ACS 13th International Conference of Computer Systems and Applications (AICCSA)\",\"volume\":\"38 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2016-11-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"8\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2016 IEEE/ACS 13th International Conference of Computer Systems and Applications (AICCSA)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/AICCSA.2016.7945801\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 IEEE/ACS 13th International Conference of Computer Systems and Applications (AICCSA)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/AICCSA.2016.7945801","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 8

摘要

变形恶意软件能够改变其外观以逃避传统反恶意软件的检测。帮助减轻新变形恶意软件威胁的方法之一是确定它们的来源，即它们所属的家族。这种类型的变形恶意软件分析通常不是由商业软件处理的。此外，现有的工作依赖于分析从恶意软件的汇编文件中提取的操作码序列。很少有论文试图对恶意软件的二进制文件进行分析。然而，他们关注的是区分某个恶意软件家族和良性文件的简单二进制问题。在这项工作中，我们解决了更困难的问题，即通过测量其与来自13个真实恶意软件家族的数百种变体的相似性来确定新的变形恶意软件的起源。为了解决这个问题，我们使用基于压缩的分类方法。我们试验了两种这样的方法:AMDL和BCN。结果表明，AMDL的表现并不比随机猜测好(AMDL的准确率为11%，随机基线的准确率为18%)。另一方面，BCN表现得非常好，准确率达到67%。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

A compression-based technique to classify metamorphic malware

Metamorphic malware are able to change their appearance to evade detection by traditional anti-malware software. One of the ways to help mitigate the threat of new metamorphic malware is to determine their origins, i.e., the families to which they belong. This type of metamorphic malware analysis is not typically handled by commercial software. Moreover, existing works rely on analyzing the op-code sequences extracted from the Assembly files of the malware. Very few papers have tried to perform analysis on the binary files of the malware. However, they focused on the simple binary problem of differentiating between a certain malware family and benign files. In this work, we address the more difficult problem of determining the origin of a new metamorphic malware by measuring its similarity to hundreds of variants taken from 13 families of real malware. To address this problem, we use a compression-based classification approach. We experiment with two such approaches: AMDL and BCN. The results showed that AMDL performed no better than a random guess (11% accuracy for AMDL and 18% for the random baseline). On the other hand, BCN performed really well with 67% accuracy.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2016 IEEE/ACS 13th International Conference of Computer Systems and Applications (AICCSA)

自引率

0.00%

发文量