Constructing Heuristic Malware Detection Mechanism Based on Static Analysis
Abstract - To ensure the protection of information processed by computer systems is currently the most important task in the construction and operation of the automated systems. The paper presents the application justification of a new set of features distinguished at the stage of the static analysis of the executable files to address the problem of malicious code detection. In the course of study, following problems were solved: development of the executable files classifier in the absence of a priori data concerning their functionality; designing class models of uninfected files and malware during the machine learning process; development of malicious code detection procedure using the neural networks mathematical apparatus and decision tree composition relating to the set of features specified on the basis of the executable files static analysis. The paper also describes the functional model of malware detection system using the executable files static analysis. The conclusion contains the results of experimental evaluation of the developed detection mechanism efficiency on the basis of neural networks and decision tree composition. The obtained data confirmed the hypothesis about the possibility of constructing the heuristic malware analyzer on the basis of features distinguished during the static analysis of the executable files. However, the approach based on the decision tree composition enables to obtain a significantly lower false negative rate probability with the specified initial data and classifier parameter values relating to neural networks.
Tài liệu tham khảo [1] Kozachok, A. V. “Mathematical model of recognition destructive software tools based on hidden Markov models”, A.V. Kozachok, “Vestnik SibGUTI”, Vol. 3, pp. 29-39. – (in Russian), 2012. [2] AV-Comparatives (2017) Malware protection test. URL https://www.av-comparatives.org/wpcontent/ uploads/2017/04/avc mpt 201703_en.pdf. [3] Shabtai A, Moskovitch R, Elovici Y, Glezer C “Detection of malicious code by applying machine learning classifiers on static features: A state-of-the-art survey”. Information Security Technical Report 14(1) pp.16–29, 2009. https://doi.org/10.1016/j.istr.2009.03.003 http://www.sciencedirect.com/science/article/pii/S136341270900004. [4] Santos I, Devesa J, Brezo F, Nieves J, Bringas PG “Opem: A static-dynamic approach for machine-learning based malware detection”. In: International Joint Conference CISIS12-ICEUTE 12-SOCO 12 Special Sessions, Springer, Springer-Verlag Berlin Heidelberg, Ostrava, Czech Republic, pp 271–280, 2013. [5] David B, Filiol E, Gallienne K , “Structural analysisof binary executable headers for malware detection optimization”. Journal of Computer Virology and Hacking Techniques Vol. 13(2),pp. 87–93, 2017.http://dx.doi.org/10.1007/s11416-016-0274-2. [6] Uossermen, F. “Neurocomputing machinery”, F. Uosserman – Moscow: “Mir” Publisher (in Russian), p.184, 1992. [7] Smagin, A. A. “Intelligent information systems / A.A. Smagin, S.V. Lipatova, A.S. Mel'nichenko”, Ul'janovsk: “UlGU” Publisher, (in Russian), p.136, 2010. [8] Bayer, U. Scalable, “Behavior-Based Malware Clustering / U. Bayer, P. M. Comparetti, C. Hlauschek, C. Kruegel, E. Kirda”, NDSS, Vol. 9, pp. 8–11, 2009. [9] Hinton, G. E. “A fast learning algorithm for deep belief nets”, G. E. Hinton, S. Osindero, Y. W. Teh Neural computation. Vol. 18(7), pp. 1527–1554, 2006. [10] Moser, A. “Limits of static analysis for malware detection”, A. Moser, C. Kruegel, E. Kirda Twenty-Third Annual Computer Security Applications Conference. pp. 421-430, 2007. [11] Srivastava, N. “Dropout: a simple way to prevent neural networks from overfitting”, N. Srivastava, G. E. Hinton, A. Krizhevsky, I. Sutskever, R. Salakhutdinov. – Journal of Machine Learning Research, Vol. 15(1), pp. 1929-1958, 2014. [12] Schmind, H. “Probabilistic part-ofispeech tagging using decision trees”, H. Schmind, In New methods in language processing. Routledge Publisher, p.154, 2013. [13] Shi, T. “Unsupervised learning with random forest predictors”, T. Shi, S. Horvath, Journal of Computational and Graphical Statistics Vol. 15(1), pp. 118–138, 2006. [14] Federal Service for Technology and Export Control, “Informacionnoe soobshhenie ob utverzhdenii trebovanij k sredstvam antivirusnoj zashhity” (in Russian) 240/24/3095, 2012. |
Alexander Kozachok