Abstract

With the increasing variants of malware, it is of great significance to detect malware and ensure system security effectively. The existing malware dynamic detection methods are vulnerable to evasion attacks. For this situation, we propose a malware dynamic detection method based on mufti-feature ensemble learning. Firstly, the method adopts the combination of software features such as API call sequence with high detection precision and low-level hardware features such as resistance to evasion the memory dump grayscale and hardware performance counters. Secondly, we improve each feature based on the original research. We select a more advanced classifier model to improve the detection precision of a single feature. Finally, an ensemble learning algorithm composed of multiple classification algorithms detects malware, the multi-features can describe malware behavior from multi-dimensions to improve detection performance. We use a large number of malware sample dataset to experiment, and the results show that our detection method can obtain good detection precision rate, and is better than other recently proposed dynamic detection methods in anti-evasion performance.

Highlights

  • With the continuous development of information technology, cybercrime is a serious threat to the economic, military and other important areas of various countries

  • It can be seen from the figure that, the detection performance of API sequence will be seriously affected by injecting benign function, while hardware performance counter (HPC) and memory dump grayscale image are relatively less affected

  • The existing dynamic detection method based on software features cannot effectively deal with the problem of malware evasion, and the detection method based on hardware features suffers from imitation attacks against features and detectors

Read more

Summary

INTRODUCTION

With the continuous development of information technology, cybercrime is a serious threat to the economic, military and other important areas of various countries. The above-mentioned that using only hardware feature method cannot fully describe the characteristics of malware, resulting in a low detection rate, and is vulnerable to evasion attacks aiming at performance counters as classification features. Aiming at the defects of dynamic detection and the shortcomings of insufficient hardware detection rate, in this paper, we proposes an ensemble learning method (SMASH) that combines software and hardware features, extracts API call sequence of malware, hardware performance counters and memory dump [23] as detector features, and builds different types of feature vectors. 1) We propose a method that combines software and hardware features, API call sequences as software features, HPC and memory dump grayscale images as hardware features This method describe malware behavior from multi-dimensions, and can effectively combat the evasion of malware. The remaining sections of this paper are structured as follow: Section 2 summarizes the related work; Section 3 describes the SMASH method in detail, namely the feature extraction method and algorithm model; Section 4 evaluates our method from the detection performance and the anti-evasion performance; Section V concludes the full text and proposes further work

LITERATURE REVIEW
MEMORY DUMP GRAYSCALE IMAGE EXTRACTION
EVALUATION CRITERION
Findings
CONCLUSION

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.