YAN Hanbing, ZHOU Hao, ZHANG Honggang. Automatic Malware Classification via PRICoLBP[J]. Chinese Journal of Electronics, 2018, 27(4): 852-859. doi: 10.1049/cje.2018.05.001

Automatic Malware Classification via PRICoLBP

doi: 10.1049/cje.2018.05.001
Funds:  This work is supported by the National Natural Science Foundation of China (No.U1736218).
More Information
  • Corresponding author: ZHOU Hao is an undergraduate student in the Pattern Recognition & Intelligence System (PRIS) Laboratory at Beijing University of Posts and Telecommunications. His main research interests include cybersecurity, computer vision and pattern recognition. (Email: zhouhao0925@126.com)
  • Received Date: 2016-05-10
  • Rev Recd Date: 2017-01-04
  • Publish Date: 2018-07-10
  • Creating effective features is a critical issue in malware analysis: it requires a proper trade-off between discriminative power and invariance. Previous studies have shown that designing features from the binary code is fairly effective, but the existing binary-based features seldom take obfuscation into account, such as relocated sections, incomplete code and redundant operations. In this paper we propose a novel Pairwise rotation invariant co-occurrence local binary pattern (PRICoLBP) feature for malware and further extend it with the Term frequency-inverse document frequency (TF-IDF) transform. Unlike other static analysis techniques, our method not only achieves better linear separability but also appears to be more resilient to obfuscation. We evaluate PRICoLBP-TFIDF comprehensively on three datasets from different perspectives: classification performance, classifier selection and performance against obfuscation. Finally, we compare PRICoLBP-TFIDF with other techniques and show that it is an efficient and effective trade-off between discriminative power and invariance.
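The abstract describes the feature pipeline only in outline: render the binary as a grayscale byte image, take a local binary pattern at each pixel together with the pattern at a co-occurring pixel, pool the pairs into a histogram, and re-weight the histogram bins with TF-IDF. The following is an added, simplified illustration written for this page; it is not the authors' code and it is not the full PRICoLBP descriptor. It uses a fixed co-occurrence offset (same row, two columns to the right) and Ojala's rotation-invariant uniform (riu2) codes where the full descriptor uses gradient-adaptive offsets and a relative-rotation encoding; the image width of 16 bytes, the smoothed idf formula ln((1+N)/(1+df))+1, and the three sample blobs are all assumptions, and the blobs are constructed byte patterns rather than real malware. What it does show is the abstract's "relocated sections" point: swapping the two sections of a file leaves almost no byte in its original position, yet the pooled pair histogram is nearly unchanged, because only pixels whose 3x3 neighbourhood straddles a section boundary change code.

```python
# Added illustration: a simplified PRICoLBP-style texture feature over a byte image, then TF-IDF.
import math
import random

WIDTH = 16          # bytes per image row (assumed; the page does not state the paper's choice)
OFFSET = (0, 2)     # co-occurring pixel: same row, two columns right (assumed fixed offset)
P = 8               # LBP neighbourhood size; riu2 codes are 0..P+1, so pairs give (P+2)**2 bins
NBINS = (P + 2) ** 2
# 8-neighbourhood in circular order, so counting 0/1 transitions around the ring is meaningful.
NEIGHBOURS = [(-1, 0), (-1, 1), (0, 1), (1, 1), (1, 0), (1, -1), (0, -1), (-1, -1)]


def bytes_to_image(data, width=WIDTH):
    """Render raw bytes as a grayscale matrix, one byte per pixel; a partial last row is dropped."""
    return [list(data[r * width:(r + 1) * width]) for r in range(len(data) // width)]


def lbp_riu2(img, r, c):
    """Rotation-invariant uniform LBP (Ojala et al.): 0..8 = number of 1 bits if uniform, 9 otherwise."""
    centre = img[r][c]
    bits = [1 if img[r + dr][c + dc] >= centre else 0 for dr, dc in NEIGHBOURS]
    transitions = sum(bits[i] != bits[(i + 1) % P] for i in range(P))
    return sum(bits) if transitions <= 2 else P + 1


def cooccurrence_hist(img, offset=OFFSET):
    """Count (code at pixel, code at co-occurring pixel) pairs over interior pixels with an interior partner."""
    h, w = len(img), len(img[0])
    dr, dc = offset
    hist = [0] * NBINS
    for r in range(1, h - 1):
        for c in range(1, w - 1):
            r2, c2 = r + dr, c + dc
            if 1 <= r2 < h - 1 and 1 <= c2 < w - 1:
                hist[lbp_riu2(img, r, c) * (P + 2) + lbp_riu2(img, r2, c2)] += 1
    return hist


def idf_weights(hists):
    """Smoothed inverse document frequency per bin: ln((1+N)/(1+df)) + 1 (an assumed, sklearn-style variant)."""
    n = len(hists)
    return [math.log((1 + n) / (1 + sum(1 for h in hists if h[k] > 0))) + 1 for k in range(NBINS)]


def tfidf(hists):
    """Term frequency (bin count / total pairs) times idf, one vector per sample."""
    idf = idf_weights(hists)
    return [[h[k] / max(sum(h), 1) * idf[k] for k in range(NBINS)] for h in hists]


def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    nu, nv = math.sqrt(sum(a * a for a in u)), math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


def hist_overlap(h1, h2):
    """Histogram intersection: fraction of pair mass the two raw histograms place in the same bins."""
    return sum(min(a, b) for a, b in zip(h1, h2)) / max(sum(h1), 1)


def byte_match(a, b):
    """Fraction of offsets at which two equal-length blobs hold the same byte (a position-bound view)."""
    return sum(x == y for x, y in zip(a, b)) / len(a)


# Constructed samples, not real malware: a "code-like" section with a slowly wrapping gradient and a
# "packed-like" section of seeded pseudo-random bytes. RELOCATED is BASE with its two sections swapped.
SECTION_A = bytes((i * 37) % 256 for i in range(512))
SECTION_B = bytes(random.Random(1).randrange(256) for _ in range(512))
BASE = SECTION_A + SECTION_B
RELOCATED = SECTION_B + SECTION_A
UNRELATED = bytes([0x00, 0xFF] * 512)   # a different texture altogether: alternating 0x00/0xFF columns


def compare():
    hists = [cooccurrence_hist(bytes_to_image(x)) for x in (BASE, RELOCATED, UNRELATED)]
    vecs = tfidf(hists)
    return {
        "byte_match_base_vs_relocated": byte_match(BASE, RELOCATED),
        "hist_overlap_base_vs_relocated": hist_overlap(hists[0], hists[1]),
        "cos_base_vs_relocated": cosine(vecs[0], vecs[1]),
        "cos_base_vs_unrelated": cosine(vecs[0], vecs[2]),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.3f}")
```

With 64 rows of 16 bytes and the (0, 2) offset, each sample yields 744 pairs; swapping the sections changes the codes of only the two rows on either side of the section boundary, so at least 720 of the 744 pairs fall in identical bins, while fewer than one byte in twenty sits at the same offset in both layouts. The caveat is the flip side of the same property: a global histogram is position-free, so it absorbs relocation cheaply, but it shifts in proportion to any inserted material (the "redundant operations" case in the abstract), and packing or encryption pushes every sample toward the same high-entropy texture, which TF-IDF can down-weight only if that texture is common across the training corpus.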
