Novel active learning methods for enhanced PC malware detection in Windows OS
Abstract: The emergence of new malware every day poses a significant challenge to anti-virus vendors, since anti-virus tools that rely on manually crafted signatures can identify only known malware instances and their relatively similar variants. To identify new and unknown malware and update their signature repositories, anti-virus vendors must collect new suspicious files daily; these are analyzed manually by information security experts who label them as malware or benign. Analyzing suspect files is time-consuming, and it is impossible to analyze all of them manually. Consequently, anti-virus vendors use machine learning algorithms and heuristics to reduce the number of suspect files that must be inspected manually. These techniques, however, lack an essential element: they cannot be updated daily. In this work we introduce a solution for this updatability gap. We present an active learning (AL) framework and introduce two new AL methods that help anti-virus vendors focus their analytical efforts by acquiring the files that are most probably malicious. These AL methods are designed and oriented towards acquiring new malware. To test their capability for acquiring new malware from a stream of unknown files, we conducted a series of experiments over a ten-day period. A comparison of our methods with existing high-performance AL methods and with random selection (the naive method) shows that the AL methods outperformed random selection on all performance measures. Our AL methods outperformed the existing AL method in two respects, both related to the number of new malware samples acquired daily, the core measure in this study. First, our best-performing AL method, termed "Exploitation", acquired on the 9th day of the experiment about 2.6 times more malware than the existing AL method and 7.8 times more than random selection. Secondly, while the existing AL method showed a decrease in the number of new malware samples acquired over the 10 days, our AL methods showed an increase and a daily improvement in the number acquired. Both results point towards increased efficiency that can possibly assist anti-virus vendors.
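The daily acquisition loop the abstract describes (an AL selector picks files for analysts, the labels come back, the model is retrained), as an added example that is not the paper's code. It uses constructed synthetic file features and a plain logistic regression in place of the paper's SVM, and assumes that "Exploitation" means ranking the unknown files by predicted probability of being malicious; `simulate` returns the malware acquired per day for a selector so it can be compared against random selection.

```python
import math
import random

def make_file(rng):
    # Constructed sample: three toy features (entropy-like score, suspicious-API
    # ratio, packed flag) plus a hidden ground-truth label the analyst reveals later.
    x = [rng.uniform(0, 1), rng.uniform(0, 1), rng.choice([0.0, 1.0])]
    score = 0.9 * x[0] + 0.8 * x[1] + 0.6 * x[2] + rng.gauss(0, 0.15)
    return x, int(score > 1.4)

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-max(-30.0, min(30.0, z))))

def p_malicious(w, x):
    # w[0] is the bias; w[1:] are the feature weights.
    return sigmoid(w[0] + sum(wi * xi for wi, xi in zip(w[1:], x)))

def train(labelled, epochs=200, lr=0.5):
    # Logistic regression by gradient descent, a stand-in for the paper's SVM.
    w = [0.0] * 4
    for _ in range(epochs):
        for x, y in labelled:
            g = p_malicious(w, x) - y
            w[0] -= lr * g
            for i in range(3):
                w[i + 1] -= lr * g * x[i]
    return w

def select_exploitation(w, stream, k, rng):
    # "Exploitation" (assumed form): acquire the k files the model rates most
    # probably malicious, so analyst time goes to likely new malware.
    return sorted(stream, key=lambda s: -p_malicious(w, s[0]))[:k]

def select_random(w, stream, k, rng):
    # The naive baseline the paper compares against.
    return rng.sample(stream, k)

def simulate(selector, days=10, stream_size=200, budget=20, seed=1):
    # Returns the number of malware samples acquired on each day.
    rng = random.Random(seed)
    labelled = [make_file(rng) for _ in range(30)]  # initial analyst-labelled set
    acquired = []
    for _ in range(days):
        w = train(labelled)
        stream = [make_file(rng) for _ in range(stream_size)]  # today's unknown files
        chosen = selector(w, stream, budget, rng)
        acquired.append(sum(y for _, y in chosen))  # analyst labels the acquired files
        labelled.extend(chosen)  # model is retrained with them tomorrow
    return acquired
```

Because the exploitation selector feeds back mostly malicious labels, the labelled set becomes skewed over the days; that bias is the price of maximizing acquisition, which is why the abstract measures acquired malware per day rather than classifier accuracy.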
Keywords: Malware; Malicious code; Machine learning; Active learning; SVM
This document is indexed in ScienceDirect and other databases.