Profiling and classifying the behavior of malicious codes

Research output: Contribution to journal › Article › Research › peer-review

Abstract

Malware is a major security threat confronting computer systems and networks and has increased in scale and impact from the early days of ICT. Traditional protection mechanisms are largely incapable of dealing with the diversity and volume of malware variants which is evident today. This paper examines the evolution of malware including the nature of its activity and variants, and the implication of this for computer security industry practices.

As a first step to address this challenge, I propose a framework to extract features statically and dynamically from malware that reflect the behavior of its code such as the Windows Application Programming Interface (API) calls. Similarity-based mining and machine learning methods have been employed to profile and classify malware behaviors. This method is based on the sequences of API calls and their frequency of appearance.

Experimental analysis results using large datasets show that the proposed method is effective in identifying known malware variants, and also classifies malware with high accuracy and low false alarm rates. This encouraging result indicates that classification is a viable approach for similarity detection to help detect malware. This work advances the detection of zero-day malware and offers researchers another method for understanding impact.
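The abstract names two ingredients, frequency profiles built over API-call sequences and similarity-based matching of samples against known ones, without showing them. The Python below is an added illustration, not the paper's code: it turns each trace into unigram and bigram counts, ranks known samples by cosine similarity, and labels an unknown trace by its nearest neighbour, falling back to "unknown" when nothing is close. The traces, labels and the 0.6 threshold are constructed for the example and are not data from the paper.

```python
"""Added example, not code from the paper: profile API-call traces as
unigram/bigram frequency vectors, rank known samples by cosine similarity,
and label an unknown sample by its nearest neighbour (with an "unknown"
fall-back when nothing is close enough)."""
from collections import Counter
import math

# Constructed traces for illustration only: the API names are real Win32
# exports, but the sequences are invented, not captured from real samples.
KNOWN_TRACES = {
    "dropper_a": ["CreateFileW", "WriteFile", "CloseHandle",
                  "CreateProcessW", "RegSetValueExW"],
    "dropper_b": ["CreateFileW", "WriteFile", "CloseHandle",
                  "CreateProcessW", "RegSetValueExW", "ExitProcess"],
    "keylogger_a": ["SetWindowsHookExW", "GetAsyncKeyState", "CreateFileW",
                    "WriteFile", "InternetOpenW", "HttpSendRequestW"],
    "keylogger_b": ["SetWindowsHookExW", "GetKeyState", "CreateFileW",
                    "WriteFile", "InternetOpenW", "HttpSendRequestW"],
    "benign_editor": ["CreateFileW", "ReadFile", "CloseHandle",
                      "GetMessageW", "DispatchMessageW"],
}
KNOWN_LABELS = {
    "dropper_a": "dropper", "dropper_b": "dropper",
    "keylogger_a": "keylogger", "keylogger_b": "keylogger",
    "benign_editor": "benign",
}


def ngrams(seq, n):
    """Contiguous n-grams of an API-call sequence (order-preserving)."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def profile(trace, max_n=2):
    """Frequency profile: how often each API unigram .. max_n-gram occurs.
    Unigrams capture which calls appear, bigrams capture in what order."""
    counts = Counter()
    for n in range(1, max_n + 1):
        counts.update(ngrams(trace, n))
    return counts


def cosine(p, q):
    """Cosine similarity of two sparse frequency profiles, 0.0 .. 1.0."""
    dot = sum(p[k] * q[k] for k in p.keys() & q.keys())
    norm_p = math.sqrt(sum(v * v for v in p.values()))
    norm_q = math.sqrt(sum(v * v for v in q.values()))
    if norm_p == 0.0 or norm_q == 0.0:
        return 0.0
    return dot / (norm_p * norm_q)


def rank_similar(trace, known=KNOWN_TRACES):
    """Similarity mining: known samples sorted by similarity to `trace`."""
    target = profile(trace)
    scores = [(name, cosine(target, profile(t))) for name, t in known.items()]
    return sorted(scores, key=lambda ns: ns[1], reverse=True)


def classify(trace, known=KNOWN_TRACES, labels=KNOWN_LABELS, threshold=0.6):
    """Nearest-neighbour label; 'unknown' if the best match is below the
    (assumed) threshold, so a novel trace is not forced into a family."""
    ranked = rank_similar(trace, known)
    if not ranked:
        return "unknown", 0.0
    best_name, best_score = ranked[0]
    if best_score < threshold:
        return "unknown", best_score
    return labels[best_name], best_score


if __name__ == "__main__":
    # A constructed variant of the dropper trace with one extra call.
    variant = ["CreateFileW", "WriteFile", "CloseHandle",
               "CreateProcessW", "RegSetValueExW", "Sleep"]
    for name, score in rank_similar(variant):
        print(f"{name:14s} {score:.3f}")
    print(classify(variant))
```

Bigrams are what make the profile sequence-aware: two samples that call the same APIs in a different order share unigrams but few bigrams, so their score drops. The threshold is the knob between false alarms and missed variants; in practice it would be tuned on held-out labelled data rather than fixed as here.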

Original language: English
Pages (from-to): 91-102
Number of pages: 12
Journal: Journal of Systems and Software
Volume: 100
Early online date: 25 Oct 2014
DOI: 10.1016/j.jss.2014.10.031
Publication status: Published - Feb 2015
Externally published: Yes

Fingerprint

Application programming interfaces (API)
Malware
Security of data
Computer networks
Learning systems
Computer systems
Industry

Cite this

@article{a4ddfaa34cd44f3a8498159a39f1d25e,
title = "Profiling and classifying the behavior of malicious codes",
abstract = "Malware is a major security threat confronting computer systems and networks and has increased in scale and impact from the early days of ICT. Traditional protection mechanisms are largely incapable of dealing with the diversity and volume of malware variants which is evident today. This paper examines the evolution of malware including the nature of its activity and variants, and the implication of this for computer security industry practices. As a first step to address this challenge, I propose a framework to extract features statically and dynamically from malware that reflect the behavior of its code such as the Windows Application Programming Interface (API) calls. Similarity-based mining and machine learning methods have been employed to profile and classify malware behaviors. This method is based on the sequences of API calls and their frequency of appearance. Experimental analysis results using large datasets show that the proposed method is effective in identifying known malware variants, and also classifies malware with high accuracy and low false alarm rates. This encouraging result indicates that classification is a viable approach for similarity detection to help detect malware. This work advances the detection of zero-day malware and offers researchers another method for understanding impact.",
keywords = "Cybercrime, Malware, Profiling",
author = "Mamoun Alazab",
year = "2015",
month = "2",
doi = "10.1016/j.jss.2014.10.031",
language = "English",
volume = "100",
pages = "91--102",
journal = "Journal of Systems and Software",
issn = "0164-1212",
publisher = "Elsevier",
}

Profiling and classifying the behavior of malicious codes. / Alazab, Mamoun.

In: Journal of Systems and Software, Vol. 100, 02.2015, p. 91-102.

Research output: Contribution to journal › Article › Research › peer-review

TY - JOUR

T1 - Profiling and classifying the behavior of malicious codes

AU - Alazab, Mamoun

PY - 2015/2

Y1 - 2015/2

N2 - Malware is a major security threat confronting computer systems and networks and has increased in scale and impact from the early days of ICT. Traditional protection mechanisms are largely incapable of dealing with the diversity and volume of malware variants which is evident today. This paper examines the evolution of malware including the nature of its activity and variants, and the implication of this for computer security industry practices. As a first step to address this challenge, I propose a framework to extract features statically and dynamically from malware that reflect the behavior of its code such as the Windows Application Programming Interface (API) calls. Similarity-based mining and machine learning methods have been employed to profile and classify malware behaviors. This method is based on the sequences of API calls and their frequency of appearance. Experimental analysis results using large datasets show that the proposed method is effective in identifying known malware variants, and also classifies malware with high accuracy and low false alarm rates. This encouraging result indicates that classification is a viable approach for similarity detection to help detect malware. This work advances the detection of zero-day malware and offers researchers another method for understanding impact.

AB - Malware is a major security threat confronting computer systems and networks and has increased in scale and impact from the early days of ICT. Traditional protection mechanisms are largely incapable of dealing with the diversity and volume of malware variants which is evident today. This paper examines the evolution of malware including the nature of its activity and variants, and the implication of this for computer security industry practices. As a first step to address this challenge, I propose a framework to extract features statically and dynamically from malware that reflect the behavior of its code such as the Windows Application Programming Interface (API) calls. Similarity-based mining and machine learning methods have been employed to profile and classify malware behaviors. This method is based on the sequences of API calls and their frequency of appearance. Experimental analysis results using large datasets show that the proposed method is effective in identifying known malware variants, and also classifies malware with high accuracy and low false alarm rates. This encouraging result indicates that classification is a viable approach for similarity detection to help detect malware. This work advances the detection of zero-day malware and offers researchers another method for understanding impact.

KW - Cybercrime

KW - Malware

KW - Profiling

UR - http://www.scopus.com/inward/record.url?scp=84919360062&partnerID=8YFLogxK

U2 - 10.1016/j.jss.2014.10.031

DO - 10.1016/j.jss.2014.10.031

M3 - Article

VL - 100

SP - 91

EP - 102

JO - Journal of Systems and Software

JF - Journal of Systems and Software

SN - 0164-1212

ER -