A scalable multi-level feature extraction technique to detect malicious executables |
| |
Authors: | Mohammad M. Masud Latifur Khan Bhavani Thuraisingham |
| |
Affiliation: | (1) Department of Computer Science, The University of Texas at Dallas, 2700 Waterview Pkwy, #5116, Richardson, TX 75080, USA;(2) Department of Computer Science, The University of Texas at Dallas, Box 830688, EC 31, Richardson, TX 75083-0688, USA |
| |
Abstract: | We present a scalable and multi-level feature extraction technique to detect malicious executables. We propose a novel combination of three different kinds of features at different levels of abstraction. These are binary n-grams, assembly instruction sequences, and Dynamic Link Library (DLL) function calls; extracted from binary executables, disassembled executables, and executable headers, respectively. We also propose an efficient and scalable feature extraction technique, and apply this technique on a large corpus of real benign and malicious executables. The above mentioned features are extracted from the corpus data and a classifier is trained, which achieves high accuracy and low false positive rate in detecting malicious executables. Our approach is knowledge-based because of several reasons. First, we apply the knowledge obtained from the binary n-gram features to extract assembly instruction sequences using our Assembly Feature Retrieval algorithm. Second, we apply the statistical knowledge obtained during feature extraction to select the best features, and to build a classification model. Our model is compared against other feature-based approaches for malicious code detection, and found to be more efficient in terms of detection accuracy and false alarm rate. |
| |
Keywords: | Disassembly Feature extraction Malicious executable n-gram analysis |
本文献已被 SpringerLink 等数据库收录! |
|