Automatic Benchmark Generation Framework for Malware Detection

Liang, Guanghui; Pang, Jianmin; Shan, Zheng; Yang, Runqing; Chen, Yihang

doi:10.1155/2018/4947695

Cited by 8 publications

(7 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…So far, malware classification methods mainly focus on feature engineering, which need to extract features from malware or visualization images, for example, API calls [6,7], system calls [8,9], and opcode sequences [10,11]. e malware classification framework in our work is closely related to opcode sequences and SVM.…”

Section: Malware Classificationmentioning

confidence: 99%

Incremental Learning for Malware Classification in Small Datasets

Xue

et al. 2020

Security and Communication Networks

View full text Add to dashboard Cite

Information security is an important research area. As a very special yet important case, malware classification plays an important role in information security. In the real world, the malware datasets are open-ended and dynamic, and new malware samples belonging to old classes and new classes are increasing continuously. This requires the malware classification method to enable incremental learning, which can efficiently learn the new knowledge. However, existing works mainly focus on feature engineering with machine learning as a tool. To solve the problem, we present an incremental malware classification framework, named “IMC,” which consists of opcode sequence extraction, selection, and incremental learning method. We develop an incremental learning method based on multiclass support vector machine (SVM) as the core component of IMC, named “IMCSVM,” which can incrementally improve its classification ability by learning new malware samples. In IMC, IMCSVM adds the new classification planes (if new samples belong to a new class) and updates all old classification planes for new malware samples. As a result, IMC can improve the classification quality of known malware classes by minimizing the prediction error and transfer the old model with known knowledge to classify unknown malware classes. We apply the incremental learning method into malware classification, and the experimental results demonstrate the advantages and effectiveness of IMC.

show abstract

Section: Malware Classificationmentioning

confidence: 99%

Incremental Learning for Malware Classification in Small Datasets

Xue

et al. 2020

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…In our experiments, two groups of PE files are collected to form a dataset. The first group is the malware set containing 5,200 malicious files from three projects: VirusShare [42], DAS [43], and malwarebenchmark [44], where each file is labelled with 1. The second group is the benign set containing 5,150 benign files from the pure version of Windows XP (32bit/SP3), Windows 7 ultimate (64bit/SP1), Windows 8.1 (64bit) image and more than 30 software companies, where each file is labelled with 0.…”

Section: A Datasetmentioning

confidence: 99%

Adversarial Examples for CNN-Based Malware Detectors

Chen

Ren

et al. 2019

IEEE Access

View full text Add to dashboard Cite

The convolutional neural network (CNN)-based models have achieved tremendous breakthroughs in many end-to-end applications, such as image identification, text classification, and speech recognition. By replicating these successes to the field of malware detection, several CNN-based malware detectors have achieved encouraging performance without significant feature engineering effort in recent years. Unfortunately, by analyzing their robustness using gradient-based algorithms, several studies have shown that some of these malware detectors are vulnerable to the evasion attacks (also known as adversarial examples). However, the existing attack methods can only achieve quite low attack success rates. In this paper, we propose two novel white-box methods and one novel black-box method to attack a recently proposed malware detector. By incorporating the gradient-based algorithm, one of our white-box methods can achieve a success rate of over 99%. Without prior knowledge of the exact structure and internal parameters of the detector, the proposed black-box method can also achieve a success rate of over 70%. In addition, we consider adversarial training as a defensive mechanism in order to resist evasion attacks. While proving the effectiveness of adversarial training, we also analyze its security risk, that is, a large number of adversarial examples can poison the training dataset of the detector. Therefore, we propose a pre-detection mechanism to reject adversarial examples. The experiments show that this mechanism can effectively improve the safety and efficiency of malware detection.

show abstract

“…In addition to the sample analysis method, the sampling method used in the construction of small-scale test sample set is as important as the data source. The genetic algorithm-based roulette sampling algorithm adopted by Liang et al [3]. has a high time complexity problem, and the sandbox-based behavioral characteristics detection scheme would result in inaccurate analysis because the sample did not fully expose all behaviors.…”

Section: Related Workmentioning

confidence: 99%

“…Different antivirus softwares have different ability to identify and definite malicious programs [2]. Therefore, constructing a high-quality test set can adequately evaluate the performance of antivirus software and help improve antivirus strategies [3], [4]. The test sample set should be characterized by appropriate volume, rich variety, and retention of the original dataset density distribution characteristics.…”

Section: Introductionmentioning

confidence: 99%

The Software Gene-Based Test Set Automatic Generation Framework for Antivirus Software

Bai¹,

Cncert²,

Rong³

et al. 2019

JSW

View full text Add to dashboard Cite

After studying the existing test set generation methods of antivirus software and sample analysis methods based on manual experience, the paper proposes a software gene-based test set automatic generation framework for antivirus software. Most of current test set automatic generation frameworks have problems of unstable performance, time-consuming, and the fact that its test set cannot well reflect the density distribution character of the original dataset. In this paper, some improvements are made to resolve above problems. Experiment results show that the framework can efficiently generate the test sample set with the volume no more than one tenth of the original data set, meanwhile the distribution characteristics of the original dataset can be retained.

show abstract

Automatic Benchmark Generation Framework for Malware Detection

Cited by 8 publications

References 16 publications

Incremental Learning for Malware Classification in Small Datasets

Incremental Learning for Malware Classification in Small Datasets

Adversarial Examples for CNN-Based Malware Detectors

The Software Gene-Based Test Set Automatic Generation Framework for Antivirus Software

Contact Info

Product

Resources

About