Abstract

With the increasing number of malware variants, detecting malware effectively is of great significance for ensuring system security. Existing dynamic malware detection methods are vulnerable to evasion attacks. To address this, we propose a dynamic malware detection method based on multi-feature ensemble learning. First, the method combines software features such as the API call sequence, which gives high detection precision, with low-level hardware features that resist evasion, namely the memory dump grayscale image and hardware performance counters. Second, we improve each feature over the original research and select a more advanced classifier model to raise the detection precision of each single feature. Finally, an ensemble learning algorithm composed of multiple classification algorithms detects malware; the multiple features describe malware behavior from several dimensions and thereby improve detection performance. We experiment on a large dataset of malware samples, and the results show that our detection method achieves good detection precision and outperforms other recently proposed dynamic detection methods in anti-evasion performance.

Highlights

  • With the continuous development of information technology, cybercrime is a serious threat to the economic, military and other important areas of various countries

  • It can be seen from the figure that the detection performance of the API sequence is seriously affected by injecting benign functions, while the hardware performance counter (HPC) and memory dump grayscale image are relatively less affected

  • The existing dynamic detection method based on software features cannot effectively deal with malware evasion, and the detection method based on hardware features suffers from imitation attacks against its features and detectors


Summary

INTRODUCTION

With the continuous development of information technology, cybercrime is a serious threat to the economic, military and other important areas of various countries. As noted above, a method that uses only hardware features cannot fully describe the characteristics of malware, which results in a low detection rate, and it is vulnerable to evasion attacks aimed at the performance counters used as classification features. To address the defects of dynamic detection and the insufficient detection rate of hardware-based detection, this paper proposes an ensemble learning method (SMASH) that combines software and hardware features: it extracts the API call sequence of the malware, hardware performance counters and the memory dump [23] as detector features, and builds different types of feature vectors. 1) We propose a method that combines software and hardware features, with API call sequences as software features and HPC and memory dump grayscale images as hardware features. This method describes malware behavior from multiple dimensions and can effectively counter malware evasion. The remaining sections of this paper are structured as follows: Section 2 summarizes the related work; Section 3 describes the SMASH method in detail, namely the feature extraction method and the algorithm model; Section 4 evaluates our method on detection performance and anti-evasion performance; Section 5 concludes the paper and proposes further work.
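As an added illustration (not code from the paper or its authors), the Python toy below reproduces the SMASH idea of voting across the three feature views and the evasion scenario from the highlights: a malware sample whose API call sequence is padded with benign calls fools the API view alone, while the HPC and memory-dump-image views still vote malware. Nearest-prototype lookups and constructed one-sample-per-class data stand in for the paper's trained classifiers and dataset, and the feature encodings (`api_vector`, `hpc_vector`, `image_vector`) are simplified assumptions.

```python
from collections import Counter
import math

def dump_to_grayscale(dump: bytes, width: int = 16) -> list:
    """Memory dump -> grayscale image: one byte per pixel, rows of `width`, last row zero-padded."""
    padded = dump + bytes(-len(dump) % width)
    return [list(padded[i:i + width]) for i in range(0, len(padded), width)]

def image_vector(img, bins: int = 4) -> list:
    """Normalised pixel-intensity histogram of the image (a crude stand-in for a learned image feature)."""
    hist = Counter(px * bins // 256 for row in img for px in row)
    return [hist[b] / sum(hist.values()) for b in range(bins)]

def api_vector(seq, vocab) -> list:  # relative frequency of each API name in the call sequence
    counts = Counter(seq)
    return [counts[a] / max(len(seq), 1) for a in vocab]
def hpc_vector(hpc) -> list:  # raw counters normalised to events per 1k retired instructions
    return [hpc[k] * 1000 / hpc["instructions"] for k in ("branch_misses", "cache_misses")]

VOCAB = ["CreateFile", "ReadFile", "WriteFile", "VirtualAllocEx", "WriteProcessMemory"]
# Constructed training samples (API sequence, HPC counters, memory dump), one per class.
TRAIN = {
    "benign": (["CreateFile", "ReadFile", "ReadFile", "WriteFile"],
               {"instructions": 1_000_000, "branch_misses": 2_000, "cache_misses": 1_000},
               bytes([0, 10, 20, 30]) * 64),
    "malware": (["VirtualAllocEx", "WriteProcessMemory", "WriteProcessMemory", "CreateFile"],
                {"instructions": 1_000_000, "branch_misses": 12_000, "cache_misses": 9_000},
                bytes(range(200, 256)) * 4),
}

def feature_views(api, hpc, dump) -> list:  # the three SMASH-style views of one sample
    return [api_vector(api, VOCAB), hpc_vector(hpc), image_vector(dump_to_grayscale(dump))]

def view_prototypes() -> list:  # per view: class -> prototype vector (that view's classifier)
    views = {label: feature_views(*sample) for label, sample in TRAIN.items()}
    return [{label: v[i] for label, v in views.items()} for i in range(3)]

def nearest_label(x, prototypes) -> str:  # 1-NN against one view's class prototypes
    return min(prototypes, key=lambda label: math.dist(x, prototypes[label]))

def classify(prototypes, api, hpc, dump):
    """Returns (per-view votes, majority decision): at least 2 of the 3 views must agree."""
    votes = [nearest_label(v, p) for v, p in zip(feature_views(api, hpc, dump), prototypes)]
    return votes, Counter(votes).most_common(1)[0][0]

def evasion_demo():
    """Padding the malware's API sequence with benign calls flips only the API view."""
    api, hpc, dump = TRAIN["malware"]
    return classify(view_prototypes(), api + ["ReadFile"] * 20, hpc, dump)
```

`evasion_demo()` returns `(['benign', 'malware', 'malware'], 'malware')`: the API view is evaded, the two hardware views are untouched, and the majority vote still flags the sample.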
