Host based Feature Description Method for Detecting APT Attack

Moon, Daesung; Lee, Hansung; Kim, Ikkyun

doi:10.13089/jkiisc.2014.24.5.839

Cited by 7 publications

(2 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The decision tree has been trained and generated from the frequency count of API calls in our previous study [10] by C4.5 algorithm of WEKA [15] data mining tool. C4.5 is the popular algorithm of decision tree mechanism.…”

Section: Data Classificationmentioning

confidence: 99%

See 1 more Smart Citation

Feature-Chain Based Malware Detection Using Multiple Sequence Alignment of API Call

Kim

et al. 2016

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYThe recent cyber-attacks utilize various malware as a means of attacks for the attacker's malicious purposes. They are aimed to steal confidential information or seize control over major facilities after infiltrating the network of a target organization. Attackers generally create new malware or many different types of malware by using an automatic malware creation tool which enables remote control over a target system easily and disturbs trace-back of these attacks. The paper proposes a generation method of malware behavior patterns as well as the detection techniques in order to detect the known and even unknown malware efficiently. The behavior patterns of malware are generated with Multiple Sequence Alignment (MSA) of API call sequences of malware. Consequently, we defined these behavior patterns as a "feature-chain" of malware for the analytical purpose. The initial generation of the feature-chain consists of extracting API call sequences with API hooking library, classifying malware samples by the similar behavior, and making the representative sequences from the MSA results. The detection mechanism of numerous malware is performed by measuring similarity between API call sequence of a target process (suspicious executables) and feature-chain of malware. By comparing with other existing methods, we proved the effectiveness of our proposed method based on Longest Common Subsequence (LCS) algorithm. Also we evaluated that our method outperforms other antivirus systems with 2.55 times in detection rate and 1.33 times in accuracy rate for malware detection.

show abstract

Section: Data Classificationmentioning

confidence: 99%

“…C4.5 is the popular algorithm of decision tree mechanism. About 2000 input data from both malware samples and benign applications from the previous study [10] were used to train the decision tree model. In this step, our training data with 856 malware samples was classified into 48 malware groups by this decision tree.…”

Section: Data Classificationmentioning

confidence: 99%