Malware Classification using Early Stage Behavioral Analysis

Kumar, Nitesh; Mukhopadhyay, Soumik; Gupta, Mugdha; Handa, Anand; Shukla, Sandeep K.

doi:10.1109/asiajcis.2019.00-10

Cited by 19 publications

(19 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…More particularly, accuracy of the model will be slightly degraded during the warning level and will be boosted after updated when the batch window is full or out of control state is occurred. Figure (8) and Figure (9) show the detailed results of the performance of both fixed batch window size and adaptive batch window size in terms of detection accuracy in Figure (8) and classification error in Figure (9). As can be observed, in both figures the proposed concept-driftbased adaptive incremental batch performs better than the other fixed batch size incremental learning strategies.…”

Section: Figure 5 Base Classifier Selectionmentioning

confidence: 79%

“…Another set of experiments were conducted to select the base classifier. The commonly used classifiers in the existing related works were implemented in this study for the comparison which are Support Vector Machine (SVM) [44], Naïve Bayes (NB) [45], Logistic Regression [46], Random Forest (RF) [47], XGBoost [9] and Deep Learning (DL). These classifiers were trained based on the dataset denoted by DS1 in Table 1.…”

Section: Figure 4 Comparison Of Feature Selection Techniquesmentioning

confidence: 99%

“…According to AV report [7], 350,000 malware are detected every day, 7 million malware attacks were reported in 2019, and the total number of malware worldwide will exceed 1.13 billion by the end of 2020. Most of the malware files are propagated through the internet and most of the new malware is malware variants [1,8,9]. Malware authors increase the complexity of the previous malware files and generate new variants to evade detection.…”

Section: Introductionmentioning

confidence: 99%

“…Malware authors increase the complexity of the previous malware files and generate new variants to evade detection. Many malware variants are generated using sophisticated tools including code-reuse techniques, artificial intelligent-based tools, obfuscation techniques, encryption, and packing among many others are used by malware authors to hide the malicious characteristics of the malware and make the analysis difficult [9,10]. Malware variants are ranked as the major emerging threat faced by internet security [11].…”

Section: Introductionmentioning

confidence: 99%

“…That is, the newly emerging malware variants still have the same malicious behavior as the original malware [1]. Accordingly, many researchers use a dynamic analysis approach to extract the behavioral characteristics of the malware variants [9,10,[12][13][14]. Some researchers [14] combine the features extracted from both static and dynamic analysis to complement each other's limitations.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

An Adaptive Behavioral-Based Incremental Batch Learning Malware Variants Detection Model Using Concept Drift Detection and Sequential Deep Learning

et al. 2021

View full text Add to dashboard Cite

Malware variants are the major emerging threats that face cybersecurity due to the potential damage to computer systems. Many solutions have been proposed for detecting malware variants. However, accurate detection is challenging due to the constantly evolving nature of the malware variants that cause concept drift. Existing malware detection solutions assume that the mapping learned from historical malware features will be valid for new and future malware. The relationship between input features and the class label has been considered stationary, which doesn't hold for the ever-evolving nature of malware variants. Malware features change dynamically due to code obfuscations, mutations, and the modification made by malware authors to change the features' distribution and thus evade the detection rendering the detection model obsolete and ineffective. This study presents an Adaptive behavioral-based Incremental Batch Learning Malware Variants Detection model using concept drift detection and sequential deep learning (AIBL-MVD) to accommodate the new malware variants. Malware behavior were extracted using dynamic analysis by running the malware files in a sandbox environment and collecting their Application Programming Interface (API) traces. According to the malware first-time appearance, the malware samples were sorted to capture the malware variants' change characteristics. The base classifier was then trained based on a subset of historical malware samples using a sequential deep learning model. The new malware samples were mixed with a subset of old data and gradually introduced to the learning model in an adaptive batch size incremental learning manner to address the catastrophic forgetting dilemma of the incremental learning. The statistical process control technique has been used to detect the concept drift as indication for incrementally updating the model as well as reducing the frequency of model updates. Results from extensive experiments show that the proposed model is superior in terms of detection rate and the efficiency compared with the static model, periodic retraining approaches, and the fixed batch size incremental learning approach. The model maintains an average of 99.41% detection accuracy of new and variants malware with a low updating frequency of 1.35 times per month.

show abstract

Section: Figure 5 Base Classifier Selectionmentioning

confidence: 79%

Section: Figure 4 Comparison Of Feature Selection Techniquesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

An Adaptive Behavioral-Based Incremental Batch Learning Malware Variants Detection Model Using Concept Drift Detection and Sequential Deep Learning

et al. 2021

View full text Add to dashboard Cite

show abstract

Automated Windows behavioral tracing for malware analysis

Rana

Kumar

Handa

et al. 2022

Security and Privacy

Self Cite

View full text Add to dashboard Cite

In malware analysis, there are two problem scenarios—detection and prevention. In prevention, analysts try to quarantine the file before it gets executed in a real system. The file is further analyzed in a sandbox to observe the behavior. Hence, our work shows that our agent captures events for malware analysis. After integration with the sandbox, it produces robust and efficient models. ETW is a Windows in‐build tool with kernel‐level access. We develop an agent using ETW in C++ with proper usage details. We collect data using cuckoo sandbox and ETW agent for 11 546 samples and perform comparative frequency analysis. The performance of various machine learning classifiers is examined on the behavioral data. Random Forest classifier performs the best on the combined (cuckoo+ETW) data with an accuracy of 99.68% and FPR of 0.45%. The improved performance of combined data over cuckoo data on packed and un‐seen malware is also significantly good. In the detection, if malware somehow escapes from the deployed prevention mechanism and gets executed, the analyst tries to detect malicious actions and respond before it is too late. Our agent can tackle such issues and can function as a standalone host‐based monitoring agent to extract kernel‐level information.

show abstract

Classification and Update Proposal for Modern Computer Worms, Based on Obfuscation

Salazar

Barría

2021

Advances in Intelligent Systems and Computing

View full text Add to dashboard Cite

Malware Classification using Early Stage Behavioral Analysis

Cited by 19 publications

References 11 publications

An Adaptive Behavioral-Based Incremental Batch Learning Malware Variants Detection Model Using Concept Drift Detection and Sequential Deep Learning

An Adaptive Behavioral-Based Incremental Batch Learning Malware Variants Detection Model Using Concept Drift Detection and Sequential Deep Learning

Automated Windows behavioral tracing for malware analysis

Classification and Update Proposal for Modern Computer Worms, Based on Obfuscation

Contact Info

Product

Resources

About