Hybrids of support vector machine wrapper and filter based framework for malware detection |
| |
| Affiliation: | 1. Machine Learning Lab, Department of Computer Science & Engineering & Information Technology, Shiraz University, Shiraz, Iran;2. Cyber Science Lab, School of Computer Science, University of Guelph, Ontario, Canada;3. Department of Information Systems and Cyber Security, University of Texas at San Antonio, San Antonio, TX 78249, USA;4. Smart Cyber-Physical System Lab, School of Engineering, University of Guelph, Ontario, Canada;5. School of Computer Science, University of Salford, Manchester, UK;6. Department of Software Engineering and Game Development, Kennesaw State University, Marietta, GA 30060, USA;1. School of Cyberspace Security, Beijing University of Post and Telecommunications, China;2. China Information Technology Security Evaluation Center, China;3. The Third Research Institute of Ministry of Public Security, China;4. Computer Laboratory, University of Cambridge, United Kingdom;1. National School of Computer Science, University of Manouba, Tunis, Tunisia;2. Higher Institute of Computer Science and Communication Technologies, University of Sousse, Hammam Sousse, Tunisia |
| |
| Abstract: | Malware replicates itself and produces offspring with the same characteristics but different signatures by using code obfuscation techniques. Current generation Anti-Virus (AV) engines employ a signature-template type detection approach where malware can easily evade existing signatures in the database. This reduces the capability of current AV engines in detecting malware. In this paper we propose a hybrid framework for malware detection by using the hybrids of Support Vector Machines Wrapper, Maximum-Relevance–Minimum-Redundancy Filter heuristics where Application Program Interface (API) call statistics are used as a malware features. The novelty of our hybrid framework is that it injects the filter’s ranking score in the wrapper selection process and combines the properties of both wrapper and filters and API call statistics which can detect malware based on the nature of infectious actions instead of signature. To the best of our knowledge, this kind of hybrid approach has not been explored yet in the literature in the context of feature selection and malware detection. Knowledge about the intrinsic characteristics of malicious activities is determined by the API call statistics which is injected as a filter score into the wrapper’s backward elimination process in order to find the most significant APIs. While using the most significant APIs in the wrapper classification on both obfuscated and benign types malware datasets, the results show that the proposed hybrid framework clearly surpasses the existing models including the independent filters and wrappers using only a very compact set of significant APIs. The performances of the proposed and existing models have further been compared using binary logistic regression. Various goodness of fit comparison criteria such as Chi Square, Akaike’s Information Criterion (AIC) and Receiver Operating Characteristic Curve ROC are deployed to identify the best performing models. Experimental outcomes based on the above criteria also show that the proposed hybrid framework outperforms other existing models of signature types including independent wrapper and filter approaches to identify malware. |
| |
| Keywords: | Malware detection API call statistics Hybrid wrapper–filter heuristics |
| 本文献已被 ScienceDirect 等数据库收录! |
|
