Combined dynamic multi-feature and rule-based behavior for accurate malware detection

Mohamed Belaoued,Abdelouahid Derhab,Mohamed Amir Koalal,Abdelaziz Boukellal,Smaine Mazouzi,Farrukh Aslam Khan

doi:10.1177/1550147719889907

Abstract

Malware have become the scourge of the century, as they are continuously evolving and becoming more complex with increasing damages. Therefore, an adequate protection against such threats is vital. Behavior-based malware detection techniques have shown to be effective at overcoming the weaknesses of the signature-based ones. However, they are known for their high false alarms, which is still a very challenging problem. In this article, we address this shortcoming by proposing a rule-based behavioral malware detection system, which inherits the advantages of both signature and behavior-based approaches. We apply the proposed detection system on a combined set of three types of dynamic features, namely, (1) list of application programming interface calls; (2) application programming interface sequences; and (3) network traffic, which represents the IP addresses and domain names used by malware to connect to remote command-and-control servers. Feature selection and construction techniques, that is, term frequency–inverse document frequency and longest common subsequence, are performed on the three extracted features to generate new set of features, which are used to build behavioral Yet Another Recursive Acronym rules. The proposed malware detection approach is able to achieve an accuracy of 97.22% and a false positive rate of 4.69%.

Highlights

Malware remain so far the major threat against the Internet
To evaluate the performance of our malware detection system, we use a data set of 604 Windows Portable Executable 32 (PE32) malware and benign programs
We present the best features obtained according to their degrees of relevance after applying LCS and terminal frequency (TF)-inverse document frequency (IDF)

Summary

Introduction

Malware (i.e. malicious software) remain so far the major threat against the Internet. A malware is a computer program that is designed to accomplish unauthorized actions without the user’s consent.[1] Malware exist in various forms such as viruses, Trojans, worms, and so on, and are at the origin of most of the cyber attacks. They can be used to spread spams, which represent more than half (55%) of all the exchanged emails,[2] and 26% of spams are malicious.[3] malware can be used to launch targeted attacks such as distributed denial of service (DDoS),[4] which can have devastating consequences. Cyber attacks cost the global economy billions, and even trillions of dollars, every year.[5,6]

Objectives

Results

Conclusion