Malware classification using dynamic features and Hidden Markov Model

In recent years the number of new malware threats has increased significantly, causing billions of dollars of damage globally. To counter this aggressive malware activity, the anti-malware industry needs to classify malware correctly in order to defend against it. Consequently, malware classification has been an active area of research, and a multitude of malware classification approaches have been proposed in the literature. This paper evaluates two methods of sequence classification based on Hidden Markov Models, namely the maximum likelihood and similarity-based methods, for the classification of malware using a large and comprehensive dataset. System calls generated by known malware during execution are used as observation sequences to train the Hidden Markov Models. Malware samples are evaluated against the trained models to produce similarity vectors, which are used in the maximum likelihood and similarity-based classification schemes to predict the family of an unknown malware sample. Comparison of the two schemes shows that combining the powerful statistical pattern analysis capability of Hidden Markov Models with discriminative classifiers in the similarity-based method results in significantly better classification performance than the maximum likelihood approach. Furthermore, evaluation of different classifiers in the similarity-based method demonstrates that the Random Forest classifier performs better than the other classifiers evaluated on malware similarity vectors.
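As an added worked example (not the paper's code), the scoring stage of the pipeline described above: a log-space forward algorithm scores a system-call trace against one discrete HMM per family, the resulting log-likelihoods form the similarity vector, and that vector feeds either the maximum likelihood pick or, as a feature row, a discriminative classifier. The two family HMMs and the six-call vocabulary are hand-constructed for illustration (the paper trains its models on real traces); Baum-Welch training and the Random Forest stage are not included.

```python
import math
from typing import Dict, List, Sequence, Tuple

# Constructed system-call vocabulary and per-family HMMs (hand-set for illustration,
# not trained and not taken from the paper). Column order of B follows SYSCALLS.
SYSCALLS = ["open", "read", "write", "connect", "send", "close"]
IDX = {name: i for i, name in enumerate(SYSCALLS)}

HMM = Tuple[List[float], List[List[float]], List[List[float]]]  # (pi, A, B)

MODELS: Dict[str, HMM] = {
    # two hidden states: "setup" (file access) then "beacon" (network activity)
    "netbot": ([1.0, 0.0],
               [[0.5, 0.5], [0.0, 1.0]],
               [[0.5, 0.5, 0.0, 0.0, 0.0, 0.0], [0.0, 0.0, 0.0, 0.5, 0.5, 0.0]]),
    # two hidden states: "locate" (open/read) then "drop" (write/close)
    "dropper": ([1.0, 0.0],
                [[0.6, 0.4], [0.2, 0.8]],
                [[0.4, 0.6, 0.0, 0.0, 0.0, 0.0], [0.0, 0.0, 0.7, 0.0, 0.0, 0.3]]),
}

def _log(p: float) -> float:
    # A zero probability becomes -inf; trained models should smooth emissions so that
    # a single never-seen call does not veto a whole family.
    return math.log(p) if p > 0.0 else -math.inf

def _log_sum_exp(xs: List[float]) -> float:
    m = max(xs)
    return m if m == -math.inf else m + math.log(sum(math.exp(x - m) for x in xs))

def forward_log_likelihood(seq: Sequence[str], hmm: HMM) -> float:
    """log P(seq | hmm) by the forward algorithm, in log space so long traces do not underflow."""
    pi, A, B = hmm
    n = len(pi)
    obs = [IDX[s] for s in seq]
    alpha = [_log(pi[i]) + _log(B[i][obs[0]]) for i in range(n)]
    for o in obs[1:]:
        alpha = [_log_sum_exp([alpha[i] + _log(A[i][j]) for i in range(n)]) + _log(B[j][o])
                 for j in range(n)]
    return _log_sum_exp(alpha)

def similarity_vector(seq: Sequence[str], models: Dict[str, HMM] = MODELS) -> Dict[str, float]:
    """One log-likelihood per family model: the vector both classification schemes start from."""
    return {family: forward_log_likelihood(seq, hmm) for family, hmm in models.items()}

def max_likelihood_family(vec: Dict[str, float]) -> str:
    """Maximum likelihood scheme: the family whose model scores the trace highest."""
    return max(vec, key=vec.get)

def feature_row(vec: Dict[str, float]) -> List[float]:
    """Similarity-based scheme: the same scores in fixed family order become one training or
    query row for a discriminative classifier such as Random Forest."""
    return [vec[family] for family in sorted(vec)]
```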
