Wavelet decomposition of software entropy reveals symptoms of malicious code

Sophisticated malware authors can sneak hidden malicious code into portable executable files, and this code can be hard to detect, especially if encrypted or compressed. However, when an executable file switches between code regimes (e.g. native, encrypted, compressed, text, and padding), there are corresponding shifts in the file's representation as an entropy signal. In this paper, we develop a method for automatically quantifying the extent to which patterned variations in a file's entropy signal make it "suspicious." In Experiment 1, we use wavelet transforms to define a Suspiciously Structured Entropic Change Score (SSECS), a scalar feature that quantifies the suspiciousness of a file based on its distribution of entropic energy across multiple levels of spatial resolution. Based on this single feature, it was possible to raise predictive accuracy on a malware detection task from 50.0% to 68.7%, even though the single feature was applied to a heterogeneous corpus of malware discovered "in the wild." In Experiment 2, we describe how wavelet-based decompositions of software entropy can be applied to a parasitic malware detection task involving large numbers of samples and features. By extracting only string and entropy features (with wavelet decompositions) from software samples, we are able to obtain almost 99% detection of parasitic malware with fewer than 1% false positives on good files. Moreover, the addition of wavelet-based features uniformly improved detection performance across plausible false positive rates, both in a strings-only model (e.g., from 80.90% to 82.97%) and a strings-plus-entropy model (e.g. from 92.10% to 94.74%, and from 98.63% to 98.90%). Overall, wavelet decomposition of software entropy can be useful for machine learning models for detecting malware based on extracting millions of features from executable files.

[1]  Michael Wojnowicz,et al.  Suspiciously Structured Entropy: Wavelet Decomposition of Software Entropy Reveals Symptoms of Malware in the Energy Spectrum , 2016, FLAIRS.

[2]  Xuan Zhao,et al.  Projecting "Better Than Randomly": How to Reduce the Dimensionality of Very Large Datasets in a Way That Outperforms Random Projections , 2016, 2016 IEEE International Conference on Data Science and Advanced Analytics (DSAA).

[3]  Abdulhamit Subasi,et al.  EEG signal classification using wavelet feature extraction and a mixture of expert model , 2007, Expert Syst. Appl..

[4]  Robert Lyda,et al.  Using Entropy Analysis to Find Encrypted and Packed Malware , 2007, IEEE Security & Privacy.

[5]  Xuan Zhao,et al.  SUSPEND: Determining software suspiciousness by non-stationary time series modeling of entropy signals , 2017, Expert Syst. Appl..

[6]  Ivan Sorokin,et al.  Comparing files using structural entropy , 2011, Journal in Computer Virology.

[7]  Guy P. Nason,et al.  Wavelet Methods in Statistics with R , 2008 .

[8]  Muhammad Zubair Shafiq,et al.  Malware detection using statistical analysis of byte-level file content , 2009, CSI-KDD '09.

[9]  Mustafa Yilmaz,et al.  Classification of EMG signals using wavelet neural network , 2006, Journal of Neuroscience Methods.

[10]  Marcus A. Maloof,et al.  Learning to detect malicious executables in the wild , 2004, KDD.

[11]  Yagyensh C. Pati,et al.  Analysis and synthesis of feedforward neural networks using discrete affine wavelet transformations , 1993, IEEE Trans. Neural Networks.

[12]  Salvatore J. Stolfo,et al.  Data mining methods for detection of new malicious executables , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[13]  Mark Stamp,et al.  Structural entropy and metamorphic malware , 2013, Journal of Computer Virology and Hacking Techniques.

[14]  Samir Avdakovic,et al.  Energy Distribution of EEG Signals: EEG Signal Wavelet-Neural Network Classifier , 2010, ArXiv.

[15]  N. Malmurugan,et al.  Neural classification of lung sounds using wavelet coefficients , 2004, Comput. Biol. Medicine.