AOS: An optimized sandbox method used in behavior-based malware detection

Malware (malicious software) has spread so widely through the world's computers that many antivirus vendors rely on signature-based methods to detect it. However, the update rate of a virus signature database can never keep up with the creation rate of new malware variants. Using CSS (Crystal Security Sandbox), which monitors the execution of a Windows Portable Executable (PE) file and generates a sanitized intermediate result for classifying the malware, is an emerging research direction in malware detection. Although the sanitized intermediate result is sufficient to depict the behavior of malware, it is still too long, too redundant, and too tedious to process efficiently. Therefore we compress and sieve the sanitized intermediate result to derive 90% fewer brief expressions, which not only reduce the size of the data but also maintain an accuracy rate above 93% and an error rate below 7%.
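The abstract describes compressing and sieving a sandbox behavior trace into fewer "brief expressions" but does not show the intermediate format or the reduction rules. The following is an added example, not code or data from the paper or from Crystal Security Sandbox: it assumes a hypothetical one-event-per-line trace format (`api_name|argument`), a constructed sample trace, an assumed set of noise APIs to sieve out, and two assumed generalization rules (masking numeric handles and randomly named files in a Temp directory) before run-length compression and deduplication. The point it demonstrates is how much of a trace is repetition and volatile detail that can be removed without losing the behaviors a classifier would key on (file drop, persistence key, process launch, network contact).

```python
"""Toy compression and sieving of a sandbox behavior trace (added example)."""
import re

# Constructed sample trace in an assumed "api|argument" format, one event per
# line. These lines are made up for illustration; they are not CSS output.
SAMPLE_TRACE = r"""
NtCreateFile|C:\Users\user\AppData\Local\Temp\a1b2c3.exe
NtWriteFile|0x1a4
NtWriteFile|0x1a4
NtWriteFile|0x1a4
NtWriteFile|0x1a4
GetTickCount|
Sleep|100
RegSetValueEx|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater
GetLastError|
NtCreateFile|C:\Users\user\AppData\Local\Temp\d4e5f6.exe
NtWriteFile|0x2b8
NtWriteFile|0x2b8
GetTickCount|
Sleep|100
CreateProcess|C:\Users\user\AppData\Local\Temp\a1b2c3.exe
GetTickCount|
Sleep|100
InternetOpenUrl|http://example.invalid/cfg
GetLastError|
NtClose|0x1a4
"""

# Assumed set of APIs that carry no classification signal on their own.
NOISE_APIS = {"GetTickCount", "Sleep", "GetLastError"}


def parse_trace(text):
    """Split the raw trace into (api, argument) tuples."""
    events = []
    for line in text.strip().splitlines():
        api, _, arg = line.partition("|")
        events.append((api.strip(), arg.strip()))
    return events


def sieve(events, noise=NOISE_APIS):
    """Drop events whose API is in the assumed noise set."""
    return [e for e in events if e[0] not in noise]


def generalize(events):
    """Mask volatile argument details so equivalent events compare equal."""
    out = []
    for api, arg in events:
        arg = re.sub(r"0x[0-9a-fA-F]+", "<handle>", arg)          # numeric handles
        arg = re.sub(r"\\Temp\\[^\\]+", r"\\Temp\\<file>", arg)  # random temp names
        out.append((api, arg))
    return out


def compress(events):
    """Run-length encode consecutive identical events into (event, count)."""
    out = []
    for e in events:
        if out and out[-1][0] == e:
            out[-1] = (e, out[-1][1] + 1)
        else:
            out.append((e, 1))
    return out


def dedupe(runs):
    """Merge repeated events anywhere in the trace, keeping first-seen order."""
    totals = {}
    for event, count in runs:
        totals[event] = totals.get(event, 0) + count
    return list(totals.items())


def reduce_trace(text):
    """Return (brief expressions, original event count, reduced count)."""
    events = parse_trace(text)
    kept = dedupe(compress(generalize(sieve(events))))
    return kept, len(events), len(kept)


def reduction_ratio(original, reduced):
    """Fraction of events removed by sieving and compression."""
    return 1 - reduced / original


def format_expressions(kept):
    """Render the reduced trace as human-readable brief expressions."""
    return [f"{api}({arg}) x{count}" for (api, arg), count in kept]


if __name__ == "__main__":
    kept, n_orig, n_kept = reduce_trace(SAMPLE_TRACE)
    for line in format_expressions(kept):
        print(line)
    print(f"{n_orig} events -> {n_kept} expressions "
          f"({reduction_ratio(n_orig, n_kept):.0%} reduction)")
```

On the constructed trace the 20 raw events collapse to 6 brief expressions; the surviving expressions still record the dropped file, the Run-key persistence entry, the launch of the dropped file and the outbound URL request, which is the behavioral content a classifier such as the one the paper evaluates would consume.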
