A comparison of static, dynamic, and hybrid analysis for malware detection

In this research, we compare malware detection techniques based on static, dynamic, and hybrid analysis. Specifically, we train Hidden Markov Models (HMMs) on both static and dynamic feature sets and compare the resulting detection rates over a substantial number of malware families. We also consider hybrid cases, where dynamic analysis is used in the training phase, with static techniques used in the detection phase, and vice versa. In our experiments, a fully dynamic approach generally yields the best detection rates. We discuss the implications of this research for malware detection based on hybrid techniques.
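As an added example (not the paper's code) of the train/detect crossings described above: a 2-state discrete HMM trained with Baum-Welch on constructed opcode-like sequences, scored by log-likelihood per symbol, and evaluated for the static/static, dynamic/dynamic and both hybrid combinations. The 6-opcode alphabet, the loop re-execution "dynamic" view, the opcode frequency weights and the use of opcode sequences as the feature type shared by both views are all assumptions made for this illustration.

```python
# Added example, not the paper's code: a 2-state discrete HMM trained with Baum-Welch on
# constructed opcode-like sequences and scored under each train/detect view combination.
import math, random
OPS = ["mov", "push", "call", "jmp", "xor", "ret"]  # constructed shared opcode alphabet
def forward(O, A, B, pi):  # scaled forward pass; log P(O) = -sum(log c_t)
    N, alphas, scales = len(A), [], []
    for t, o in enumerate(O):
        a = [pi[i] * B[i][o] for i in range(N)] if t == 0 else \
            [sum(alphas[-1][j] * A[j][i] for j in range(N)) * B[i][o] for i in range(N)]
        c = 1.0 / sum(a); scales.append(c); alphas.append([x * c for x in a])
    return alphas, scales
def backward(O, A, B, scales):  # scaled backward pass matching forward()
    N, T = len(A), len(O); betas = [None] * T; betas[-1] = [scales[-1]] * N
    for t in range(T - 2, -1, -1):
        betas[t] = [scales[t] * sum(A[i][j] * B[j][O[t + 1]] * betas[t + 1][j]
                                    for j in range(N)) for i in range(N)]
    return betas
def train_hmm(O, N, M, iters=25, seed=1):  # Baum-Welch on one concatenated sequence
    rng, T = random.Random(seed), len(O)
    norm = lambda v: [x / sum(v) for x in v]
    rnd = lambda n: norm([1 + 0.1 * rng.random() for _ in range(n)])
    A, B, pi = [rnd(N) for _ in range(N)], [rnd(M) for _ in range(N)], rnd(N)
    for _ in range(iters):
        al, sc = forward(O, A, B, pi); be = backward(O, A, B, sc)
        xi = [[[al[t][i] * A[i][j] * B[j][O[t + 1]] * be[t + 1][j] for j in range(N)]
               for i in range(N)] for t in range(T - 1)]  # xi[t][i][j] = P(q_t=i, q_t+1=j | O)
        g = [[sum(row) for row in xi[t]] for t in range(T - 1)] + [al[-1]]  # g[t][i] = P(q_t=i | O)
        pi, A = g[0], [norm([sum(xi[t][i][j] for t in range(T - 1)) for j in range(N)]) for i in range(N)]
        # Emissions are floored so an opcode unseen in training cannot zero a detection score.
        B = [norm([max(sum(g[t][i] for t in range(T) if O[t] == k), 1e-3) for k in range(M)])
             for i in range(N)]
    return A, B, pi
def score(O, model):  # log-likelihood per opcode: the usual HMM detection score
    return -sum(math.log(c) for c in forward(O, *model)[1]) / len(O)
def to_dynamic(s):  # constructed execution trace: each jmp re-runs the 3 opcodes before it
    return [o for i, x in enumerate(s) for o in [x] + (s[max(0, i - 3):i] if OPS[x] == "jmp" else [])]

def run_experiment(seed=7):  # AUC of malware-vs-benign scores per (train view, detect view)
    rng = random.Random(seed)
    gen = lambda w: rng.choices(range(len(OPS)), w, k=60)  # constructed opcode frequency profile
    mal_w, ben_w = [2, 1, 1, 3, 4, 1], [4, 3, 3, 1, 0.3, 2]  # "family" vs benign weights
    train, mal, ben = [gen(mal_w) for _ in range(5)], [gen(mal_w) for _ in range(8)], [gen(ben_w) for _ in range(8)]
    views, results = {"static": lambda s: s, "dynamic": to_dynamic}, {}
    for tv, tf in views.items():
        model = train_hmm([o for s in train for o in tf(s)], 2, len(OPS))  # train on one view
        for dv, df in views.items():  # detect on the same view or the other (hybrid) one
            m, b = [score(df(s), model) for s in mal], [score(df(s), model) for s in ben]
            results[(tv, dv)] = sum(x > y for x in m for y in b) / (len(m) * len(b))
    return results
```

`run_experiment()` returns one AUC per (train view, detect view) pair, so the hybrid entries can be compared directly against the two same-view baselines.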
