SMASH: A Malware Detection Method Based on Multi-Feature Ensemble Learning

With the growing number of malware variants, effective malware detection is essential to system security. Existing dynamic malware detection methods are vulnerable to evasion attacks. To address this, we propose a dynamic malware detection method based on multi-feature ensemble learning. First, the method combines software features such as the API call sequence, which offers high detection precision, with low-level hardware features that resist evasion, namely the memory dump grayscale image and hardware performance counters. Second, we improve each feature relative to the original research and select a more advanced classifier model to raise the detection precision of each single feature. Finally, an ensemble learning algorithm composed of multiple classification algorithms detects malware; the multiple features describe malware behavior from several dimensions, improving detection performance. We experiment on a large malware sample dataset, and the results show that our detection method achieves good detection precision and outperforms other recently proposed dynamic detection methods in anti-evasion performance.
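The following is an added toy illustration of the multi-feature ensemble idea described in the abstract; it is not the paper's code or dataset. It assumes three feature views per sample (an API-call bag-of-words, a memory-dump grayscale histogram, and a hardware-performance-counter vector), trains one classifier per view, and takes a majority vote across views. The per-view classifier is a nearest-centroid model, chosen here only for brevity, and all training and test vectors are constructed by hand. The last test sample has its API view mimicking a benign program; the example shows that the two hardware views still outvote the fooled software view.

```python
"""Toy multi-feature ensemble (added example; constructed data, not the paper's)."""
import math
from typing import Dict, List

# Constructed API vocabulary defining the bag-of-words positions (not the paper's feature set).
API_VOCAB = ["CreateFile", "WriteFile", "RegSetValue", "InternetOpen",
             "VirtualAllocEx", "CreateRemoteThread"]
VIEWS = ("api", "mem", "hpc")   # software view + two low-level hardware views
BENIGN, MALWARE = 0, 1


def api_bag(seq: List[str]) -> List[float]:
    """Turn an API call sequence into a count vector over API_VOCAB."""
    return [float(seq.count(name)) for name in API_VOCAB]


def _centroid(vectors: List[List[float]]) -> List[float]:
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(len(vectors[0]))]


def _dist(a: List[float], b: List[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class NearestCentroid:
    """Minimal per-view classifier: predict the class whose mean vector is closest."""

    def fit(self, X: List[List[float]], y: List[int]) -> "NearestCentroid":
        self.centroids = {c: _centroid([x for x, lab in zip(X, y) if lab == c])
                          for c in (BENIGN, MALWARE)}
        return self

    def predict(self, x: List[float]) -> int:
        return min(self.centroids, key=lambda c: _dist(x, self.centroids[c]))


class MultiFeatureEnsemble:
    """One classifier per feature view; the final label is a majority vote across views."""

    def __init__(self) -> None:
        self.models: Dict[str, NearestCentroid] = {}

    def fit(self, samples: List[dict], labels: List[int]) -> "MultiFeatureEnsemble":
        for view in VIEWS:
            self.models[view] = NearestCentroid().fit([s[view] for s in samples], labels)
        return self

    def predict(self, sample: dict) -> dict:
        votes = {view: self.models[view].predict(sample[view]) for view in VIEWS}
        malware_votes = sum(votes.values())
        # A tie (possible only with an even number of views) is resolved toward MALWARE,
        # so that disagreement between views is surfaced rather than silently dropped.
        label = MALWARE if 2 * malware_votes >= len(VIEWS) else BENIGN
        return {"votes": votes, "label": label}


def make_sample(api_seq: List[str], mem: List[float], hpc: List[float]) -> dict:
    return {"api": api_bag(api_seq), "mem": mem, "hpc": hpc}


def build_ensemble() -> MultiFeatureEnsemble:
    """Fit the ensemble on a tiny constructed training set (3 benign, 3 malicious)."""
    train = [
        make_sample(["CreateFile", "WriteFile", "CreateFile"], [0.8, 0.1, 0.05, 0.05], [100, 5, 2]),
        make_sample(["CreateFile", "InternetOpen"], [0.7, 0.2, 0.05, 0.05], [120, 8, 3]),
        make_sample(["WriteFile", "RegSetValue"], [0.75, 0.15, 0.1, 0.0], [110, 6, 4]),
        make_sample(["VirtualAllocEx", "CreateRemoteThread", "WriteFile"], [0.2, 0.2, 0.3, 0.3], [400, 90, 60]),
        make_sample(["CreateRemoteThread", "RegSetValue", "VirtualAllocEx"], [0.1, 0.3, 0.3, 0.3], [450, 100, 70]),
        make_sample(["VirtualAllocEx", "InternetOpen", "CreateRemoteThread"], [0.15, 0.25, 0.35, 0.25], [380, 80, 65]),
    ]
    labels = [BENIGN, BENIGN, BENIGN, MALWARE, MALWARE, MALWARE]
    return MultiFeatureEnsemble().fit(train, labels)


def classify_benign_sample() -> dict:
    """Constructed benign-looking sample: every view should vote BENIGN."""
    sample = make_sample(["CreateFile", "InternetOpen", "WriteFile"], [0.78, 0.12, 0.06, 0.04], [105, 7, 2])
    return build_ensemble().predict(sample)


def classify_evasive_sample() -> dict:
    """Constructed sample whose API view mimics a benign program while the memory
    image and performance counters still look malicious; the vote should be MALWARE."""
    sample = make_sample(["CreateFile", "WriteFile", "CreateFile"], [0.2, 0.25, 0.3, 0.25], [420, 95, 62])
    return build_ensemble().predict(sample)


if __name__ == "__main__":
    print("benign sample :", classify_benign_sample())
    print("evasive sample:", classify_evasive_sample())
```

The point of the example is the vote table it returns: for the evasive sample the `api` model votes benign while `mem` and `hpc` vote malware, so the ensemble label is malware. A real deployment would scale the feature views before distance-based classification (the raw counter magnitudes dominate here) and would use stronger per-view models, as the abstract describes.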
