PbMMD: A novel policy based multi-process malware detection

Abstract Contemporary malware makes wide use of techniques to evade popular detection approaches. Behavior-based detection is the most powerful approach to malware detection; it models a malicious behavior as a sequence of system calls. A recently emerged kind of malware that defeats the behavior-based approach is multi-process malware. Such malware consists of multiple processes cooperating to carry out a malicious task, each performing one part of the task, so that none of them on its own exhibits an identifiable malicious behavior. In this paper, we present a new method, called PbMMD, for detecting multi-process malware. In this method, we inspect all processes running on the system and discover collaborating processes by finding those that run along a common execution policy. Beforehand, we learn the different execution policies using a reinforcement learning algorithm. Finally, we decide whether a multi-process malicious behavior is present by analyzing the cumulative behavior of the identified collaborating processes.
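The following Python example is added here to illustrate the detection gap the abstract describes and the cumulative-behavior idea behind it; it is not the PbMMD implementation or code from the paper. It assumes a constructed system-call trace tagged with process ids, a constructed subsequence-style behavior signature, and a collaboration grouping that is simply supplied as input (PbMMD derives that grouping from learned execution policies, which this example does not reproduce).

```python
"""Added example (not from the PbMMD paper): per-process behavior matching
misses a task split across cooperating processes, while matching the
cumulative trace of a collaboration group restores detection.
Trace, grouping and signature are all constructed for illustration."""

from collections import defaultdict

# Behavior signature in the style of behavior-based detectors: an ordered
# list of system-call events that must occur, in order, as a subsequence of
# a trace. Simplified; real signatures also carry arguments and data flow.
SIGNATURE = ["open_credential_store", "read", "connect", "send"]

# Constructed trace of (pid, syscall) events in time order. Processes 1001
# and 1002 each perform part of the task, so neither alone contains the
# whole signature; 1003 is an unrelated benign process.
TRACE = [
    (1001, "open_credential_store"),
    (1001, "read"),
    (1001, "write_shared_file"),
    (1002, "read_shared_file"),
    (1002, "connect"),
    (1002, "send"),
    (1003, "open_config"),
    (1003, "read"),
]

# Assumed collaboration grouping (hypothetical input): pid -> group label.
# In PbMMD this comes from processes following a common execution policy.
GROUPS = {1001: "g1", 1002: "g1", 1003: "g2"}


def contains_subsequence(trace, signature):
    """True if every signature event appears in the trace in order
    (gaps between matched events are allowed)."""
    idx = 0
    for call in trace:
        if idx < len(signature) and call == signature[idx]:
            idx += 1
    return idx == len(signature)


def per_process_traces(events):
    """Split the global trace into one call sequence per process."""
    traces = defaultdict(list)
    for pid, call in events:
        traces[pid].append(call)
    return dict(traces)


def per_process_detection(events, signature):
    """Classic behavior-based view: judge each process on its own trace."""
    return {pid: contains_subsequence(trace, signature)
            for pid, trace in per_process_traces(events).items()}


def cumulative_detection(events, groups, signature):
    """Multi-process view: merge, in time order, the calls of all processes
    in the same collaboration group, then match the signature on the merge.
    Processes without a group entry form a singleton group."""
    merged = defaultdict(list)
    for pid, call in events:
        merged[groups.get(pid, pid)].append(call)
    return {group: contains_subsequence(trace, signature)
            for group, trace in merged.items()}


if __name__ == "__main__":
    print("per-process:", per_process_detection(TRACE, SIGNATURE))
    print("cumulative: ", cumulative_detection(TRACE, GROUPS, SIGNATURE))
```

Run as a script, the per-process view reports no process as malicious, while the cumulative view flags group g1 and leaves g2 clean. The quality of the grouping step is what decides detection here, which is why the paper's contribution is the policy-based discovery of collaborating processes rather than the signature matching itself.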
