An approach for detection and family classification of malware based on behavioral analysis

Steven Strandlund Hansen, Thor Mark Tampus Larsen, Matija Stevanovic, Jens Myrup Pedersen

Research output: Contribution to book/anthology/report/conference proceeding; Article in proceeding; Research; peer-review

27 Citations (Scopus)

Abstract

Malware, i.e., malicious software, represents one of the main cyber security threats today. Over the last decade, malware has evolved both in the complexity of the malicious software itself and in the diversity of its attack vectors. As a result, modern malware is characterized by sophisticated obfuscation techniques that hinder the classical static analysis approach. Furthermore, the volume of malware that emerges every day renders a manual approach inefficient. This study tackles the problem of analyzing, detecting and classifying the vast amount of malware in a scalable, efficient and accurate manner. We propose a novel approach for detecting malware and classifying it into either a known or a novel, i.e., previously unseen, malware family. The approach relies on a Random Forests classifier for both malware detection and family classification. Furthermore, the proposed approach employs novel feature representations for malware classification that significantly reduce the feature space while achieving encouraging predictive performance. The approach was evaluated using behavioral traces of over 270,000 malware samples and 837 samples of benign software. The behavioral traces were obtained using a modified version of the Cuckoo sandbox that was able to harvest behavioral traces of the analyzed samples in a time-efficient manner. The proposed system achieves a high malware detection rate and promising predictive performance in family classification, opening the possibility of coping with the use of obfuscation and the growing number of malware samples.
Original language: English
Title of host publication: 2016 International Conference on Computing, Networking and Communications (ICNC)
Number of pages: 5
Publisher: IEEE
Publication date: Feb 2016
ISBN (Electronic): 978-1-4673-8579-4
DOIs: https://doi.org/10.1109/ICCNC.2016.7440587
Publication status: Published - Feb 2016
Event: International Conference on Computing, Networking and Communications (ICNC) 2016, Sheraton Kauai Resort, 2440 Hoonani Rd, Poipu Beach, Kauai, HI, United States
Duration: 15 Feb 2016 to 18 Feb 2016
Event website: http://www.conf-icnc.org/2016/

Conference

Conference: International Conference on Computing, Networking and Communications (ICNC) 2016
Location: Sheraton Kauai Resort, 2440 Hoonani Rd, Poipu Beach, Kauai, HI, USA
Country: United States
City: Kauai
Period: 15/02/2016 to 18/02/2016
Internet address: http://www.conf-icnc.org/2016/

Keywords

  • Dynamic Analysis
  • Family Classification
  • Feature Selection
  • Malware
  • Malware Detection
  • Random Forests

Cite this

Hansen, S. S., Larsen, T. M. T., Stevanovic, M., & Pedersen, J. M. (2016). An approach for detection and family classification of malware based on behavioral analysis. In 2016 International Conference on Computing, Networking and Communications (ICNC). IEEE. https://doi.org/10.1109/ICCNC.2016.7440587
Hansen, Steven Strandlund ; Larsen, Thor Mark Tampus ; Stevanovic, Matija ; Pedersen, Jens Myrup. / An approach for detection and family classification of malware based on behavioral analysis. 2016 International Conference on Computing, Networking and Communications (ICNC). IEEE, 2016.
@inproceedings{361f6278162748b4bf0d6916abd73e7c,
title = "An approach for detection and family classification of malware based on behavioral analysis",
abstract = "Malware, i.e., malicious software, represents one of the main cyber security threats today. Over the last decade, malware has evolved both in the complexity of the malicious software itself and in the diversity of its attack vectors. As a result, modern malware is characterized by sophisticated obfuscation techniques that hinder the classical static analysis approach. Furthermore, the volume of malware that emerges every day renders a manual approach inefficient. This study tackles the problem of analyzing, detecting and classifying the vast amount of malware in a scalable, efficient and accurate manner. We propose a novel approach for detecting malware and classifying it into either a known or a novel, i.e., previously unseen, malware family. The approach relies on a Random Forests classifier for both malware detection and family classification. Furthermore, the proposed approach employs novel feature representations for malware classification that significantly reduce the feature space while achieving encouraging predictive performance. The approach was evaluated using behavioral traces of over 270,000 malware samples and 837 samples of benign software. The behavioral traces were obtained using a modified version of the Cuckoo sandbox that was able to harvest behavioral traces of the analyzed samples in a time-efficient manner. The proposed system achieves a high malware detection rate and promising predictive performance in family classification, opening the possibility of coping with the use of obfuscation and the growing number of malware samples.",
keywords = "Dynamic Analysis, Family Classification, Feature Selection, Malware, Malware Detection, Random Forests",
author = "Hansen, {Steven Strandlund} and Larsen, {Thor Mark Tampus} and Matija Stevanovic and Pedersen, {Jens Myrup}",
year = "2016",
month = "2",
doi = "10.1109/ICCNC.2016.7440587",
language = "English",
booktitle = "2016 International Conference on Computing, Networking and Communications (ICNC)",
publisher = "IEEE",
address = "United States",

}

Hansen, SS, Larsen, TMT, Stevanovic, M & Pedersen, JM 2016, An approach for detection and family classification of malware based on behavioral analysis. in 2016 International Conference on Computing, Networking and Communications (ICNC). IEEE, International Conference on Computing, Networking and Communications (ICNC) 2016, Kauai, United States, 15/02/2016. https://doi.org/10.1109/ICCNC.2016.7440587

An approach for detection and family classification of malware based on behavioral analysis. / Hansen, Steven Strandlund; Larsen, Thor Mark Tampus; Stevanovic, Matija; Pedersen, Jens Myrup.

2016 International Conference on Computing, Networking and Communications (ICNC). IEEE, 2016.

TY - GEN

T1 - An approach for detection and family classification of malware based on behavioral analysis

AU - Hansen, Steven Strandlund

AU - Larsen, Thor Mark Tampus

AU - Stevanovic, Matija

AU - Pedersen, Jens Myrup

PY - 2016/2

Y1 - 2016/2

AB - Malware, i.e., malicious software, represents one of the main cyber security threats today. Over the last decade, malware has evolved both in the complexity of the malicious software itself and in the diversity of its attack vectors. As a result, modern malware is characterized by sophisticated obfuscation techniques that hinder the classical static analysis approach. Furthermore, the volume of malware that emerges every day renders a manual approach inefficient. This study tackles the problem of analyzing, detecting and classifying the vast amount of malware in a scalable, efficient and accurate manner. We propose a novel approach for detecting malware and classifying it into either a known or a novel, i.e., previously unseen, malware family. The approach relies on a Random Forests classifier for both malware detection and family classification. Furthermore, the proposed approach employs novel feature representations for malware classification that significantly reduce the feature space while achieving encouraging predictive performance. The approach was evaluated using behavioral traces of over 270,000 malware samples and 837 samples of benign software. The behavioral traces were obtained using a modified version of the Cuckoo sandbox that was able to harvest behavioral traces of the analyzed samples in a time-efficient manner. The proposed system achieves a high malware detection rate and promising predictive performance in family classification, opening the possibility of coping with the use of obfuscation and the growing number of malware samples.

KW - Dynamic Analysis

KW - Family Classification

KW - Feature Selection

KW - Malware

KW - Malware Detection

KW - Random Forests

U2 - 10.1109/ICCNC.2016.7440587

DO - 10.1109/ICCNC.2016.7440587

M3 - Article in proceeding

BT - 2016 International Conference on Computing, Networking and Communications (ICNC)

PB - IEEE

ER -

Hansen SS, Larsen TMT, Stevanovic M, Pedersen JM. An approach for detection and family classification of malware based on behavioral analysis. In 2016 International Conference on Computing, Networking and Communications (ICNC). IEEE. 2016. https://doi.org/10.1109/ICCNC.2016.7440587