Abstract

To handle the security threat posed by the widespread use of Internet of Things (IoT) devices in the face of the ever-increasing volume of malware, security researchers increasingly rely on machine learning techniques based on various static and/or dynamic features. Unfortunately, state-of-the-art detection techniques may fail to identify malware effectively because malware is often obfuscated to camouflage its characteristics and thwart the analysis process. In order to identify disguised malware accurately, a malware detection framework named MalInsight is proposed, which profiles malware from three aspects: basic structure, low-level behavior, and high-level behavior. These aspects reflect, respectively, the structural features, the underlying operations interacting with the OS, and the operations on files, the registry, and the network. Based on these findings, an accurate and rich feature space is built that makes it possible to depict and detect malware more effectively. In order to validate the effectiveness of MalInsight, an extensive experiment is conducted on a real-world malware dataset. Our experimental results show that MalInsight can detect not only obfuscated malware instances with an accuracy of 99.76% but also unseen and new malware with an accuracy of 97.21%. Furthermore, MalInsight can classify malware samples into their families with an accuracy of 94.2%, outperforming the typical detection approach that uses the API sequence as the dynamic behavior feature by almost 9%. In addition, the importance of the three aspects is evaluated and ranked quantitatively, demonstrating that these aspects have the same effect in the optimal feature set.
