Detection of zero-day malware based on the analysis of opcode sequences

Zolotukhin, Mikhail; Hämäläinen, Timo D.

doi:10.1109/ccnc.2014.6866599

Cited by 36 publications

(12 citation statements)

References 88 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Two key elements have been extracted, reviewed and examined in this systematic review, namely detection methods and their accompanying statistics (empirical evidence) to evaluate their efficiency. The first technique observed was Opcode based, Operands of Opcode provide additional information about the suspicious file (Zolotukhin and Hamalainen, 2014) which might help in detecting other malware variants. However, this will require large number of labelled executables for each variant, and it is difficult to acquire such data (Santos et al, 2011).…”

Section: Conclusion and Further Discussionmentioning

confidence: 99%

“…Opcode is the portion of the code that specifies the operations while Operands (the data to be processed) could provide extra information about the executable files (Zolotukhin and Hamalainen, 2014). The source code of a given software, including Opcode, is more consistent and therefore suitable to produce signatures for malicious software-classes compared to compiled code.…”

Section: A Operational Code (Opcode)mentioning

confidence: 99%

See 1 more Smart Citation

Effective methods to detect metamorphic malware: a systematic review

Irshad¹,

Al-Khateeb²,

Mansour³

et al. 2018

IJESDF

View full text Add to dashboard Cite

The succeeding code for metamorphic Malware is routinely rewritten to remain stealthy and undetected within infected environments. This characteristic is maintained by means of encryption and decryption methods, obfuscation through garbage code insertion, code transformation and registry modification which makes detection very challenging. The main objective of this study is to contribute an evidence-based narrative demonstrating the effectiveness of recent proposals. Sixteen primary studies were included in this analysis based on a pre-defined protocol. The majority of the reviewed detection methods used Opcode, Control Flow Graph (CFG) and API Call Graph. Key challenges facing the detection of metamorphic malware include code obfuscation, lack of dynamic capabilities to analyse code and application difficulty. Methods were further analysed on the basis of their approach, limitation, empirical evidence and key parameters such as dataset, Detection Rate (DR) and False Positive Rate (FPR).

show abstract

Section: Conclusion and Further Discussionmentioning

confidence: 99%

Section: A Operational Code (Opcode)mentioning

confidence: 99%

Effective methods to detect metamorphic malware: a systematic review

Irshad¹,

Al-Khateeb²,

Mansour³

et al. 2018

IJESDF

View full text Add to dashboard Cite

show abstract

“…Also, N-gram is widely used in malware detection domain. Mikhail used N-gram model to extract essential feature from operation code sequence and construct an N-gram frequency vector [12]. The example of N-gram with Opcode is shown in fig.…”

Section: N-grammentioning

confidence: 99%

A Study on the Performance of Feature Extraction Methods According to the Size of N-Gram

Kwon¹,

Son²,

Chung³

et al. 2018

IJET

View full text Add to dashboard Cite

In this paper, we studied the performance of feature extraction methods according to the size of N-gram for malware detection. The feature is extracted by three methods, using Opcode Only, both Opcode and API and API Only from PE file. We measure the performance of them indirectly with measuring the AUC score and accuracy of classifier. We did experiments with the different N size by using several classifiers such as DT, SVM, KNN and BNB classifiers. As a result, we got the conclusion as followings. If we use N-gram technique, we recommend Opcode Only method through our experiments. Also, the instance-based classifier KNN and DT among the model based classifier have good performance than SVM and BNB.

show abstract

“…To defend against zero-day malware there has been a shift from signature-based [5][6][7][8]38] to anomaly-based detection [9] and behavioral-based detection [10][11][12][13][14][15][16]39]. Various behavior-based detection techniques have been proposed that understands the behavior of zero-day malware through dynamic execution [10,11].…”

Section: Introductionmentioning

confidence: 99%

Hybrid Real-time Zero-day Malware Analysis and Reporting System

Kaur

Singh

2016

IJITCS

View full text Add to dashboard Cite

Abstract-To understand completely the malicious intents of a zero-day malware there is really no automated way. There is no single best approach for malware analysis so it demands to combine existing static, dynamic and manual malware analysis techniques in a single unit. In this paper a hybrid real-time analysis and reporting system is presented. The proposed system integrates various malware analysis tools and utilities in a component-based architecture. The system automatically provides detail result about zero-day malware's behavior. The ultimate goal of this analysis and reporting is to gain a quick and brief understanding of the malicious activity performed by a zero-day malware while minimizing the time frame between the detection of zero-day attack and generation of a security solution. The results are paramount valuable for a malware analyst to perform zero-day malware detection and containment.

show abstract

Detection of zero-day malware based on the analysis of opcode sequences

Cited by 36 publications

References 88 publications

Effective methods to detect metamorphic malware: a systematic review

Effective methods to detect metamorphic malware: a systematic review

A Study on the Performance of Feature Extraction Methods According to the Size of N-Gram

Hybrid Real-time Zero-day Malware Analysis and Reporting System

Contact Info

Product

Resources

About