HDM-Analyser: a hybrid analysis approach based on data mining techniques for malware detection



ORIGINAL PAPER

HDM-Analyser: a hybrid analysis approach based on data mining techniques for malware detection

Mojtaba Eskandari · Zeinab Khorshidpour · Sattar Hashemi

Received: 22 May 2012 / Accepted: 29 January 2013 / Published online: 17 February 2013 © Springer-Verlag France 2013

M. Eskandari (B) · Z. Khorshidpour · S. Hashemi
Department of Computer Science and Engineering, Shiraz University, Shiraz, Iran
e-mail: [email protected]
Z. Khorshidpour e-mail: [email protected]
S. Hashemi e-mail: [email protected]

Abstract Today's security threats, such as malware, are more sophisticated and targeted than ever, and they are growing at an unprecedented rate. Various approaches have been introduced to deal with them. One of them is signature-based detection, which is an effective and widely used method for detecting malware; however, it has a substantial problem in detecting new instances. In other words, it is only useful for the second malware attack. Because of the rapid proliferation of malware and the considerable human effort needed to extract some kinds of signature, this approach is a tedious solution; thus, an intelligent malware detection system is required to deal with new malware threats. Most intelligent detection systems use data mining techniques to distinguish malware from benign programs. One of the pivotal phases of these systems is extracting features from malware samples and benign ones in order to build a learning model. This phase is called "malware analysis" and plays a significant role in these systems. Since the API call sequence is an effective feature for recognising unknown malware, this paper focuses on extracting this feature from executable files. There are two major kinds of approach to analysing an executable file. The first, "static analysis", analyses a program at the source-code level. The second, "dynamic analysis", extracts features by observing the program's activities, such as system requests, during its execution. Static analysis has to traverse the program's execution path in order to find the called APIs. Because it does not have sufficient information about the decision-making points in the given executable file, it is not able to extract the real sequence of called APIs. Although dynamic analysis does not have this drawback, it suffers from execution overhead; thus, the feature extraction phase takes noticeable time. In this paper, a novel hybrid approach, HDM-Analyser, is presented, which takes advantage of both dynamic and static analysis methods to raise speed while keeping accuracy at a reasonable level. HDM-Analyser is able to predict the majority of decision-making points by using statistical information gathered by dynamic analysis; therefore, there is no execution overhead. The main contribution of this paper is taking the accuracy advantage of dynamic analysis and incorporating it into static analysis in order to augment the accuracy of static analysis. In fact, the execution over
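As an added illustration of the idea the abstract describes (this is not the paper's own algorithm or code): a toy static walk over a control-flow graph that, at each decision point, follows the successor most often taken in a few dynamic traces, yielding a predicted API call sequence without executing the sample again. The CFG, the API names and the traces are all constructed for this example.

```python
from collections import Counter, defaultdict

# Constructed toy control-flow graph: block -> (API calls in block, successor blocks).
# "b1" and "b3" are decision points: a purely static walk cannot tell which edge runs.
CFG = {
    "entry": (["GetModuleHandleA"], ["b1"]),
    "b1":    (["IsDebuggerPresent"], ["b2", "b3"]),
    "b2":    (["ExitProcess"], []),                  # bail-out path
    "b3":    (["CreateFileA", "WriteFile"], ["b4", "b5"]),
    "b4":    (["RegSetValueExA"], ["b6"]),
    "b5":    (["Sleep"], ["b6"]),
    "b6":    (["CloseHandle"], []),
}

# Constructed dynamic traces: block sequences observed in a few sandbox runs.
TRACES = [
    ["entry", "b1", "b3", "b4", "b6"],
    ["entry", "b1", "b3", "b4", "b6"],
    ["entry", "b1", "b3", "b5", "b6"],
    ["entry", "b1", "b2"],
]

def branch_stats(traces):
    """Count how often each block -> successor edge was taken dynamically."""
    stats = defaultdict(Counter)
    for trace in traces:
        for src, dst in zip(trace, trace[1:]):
            stats[src][dst] += 1
    return stats

def predict_api_sequence(cfg, stats, start="entry", max_steps=64):
    """Walk the CFG statically; at each branch pick the edge the traces favour.

    With empty stats this degrades to a naive static walk (first successor).
    max_steps bounds the walk so a loop in the CFG cannot run forever.
    """
    seq, node = [], start
    for _ in range(max_steps):
        apis, succ = cfg[node]
        seq.extend(apis)
        if not succ:
            break
        counts = stats.get(node)
        # Counter returns 0 for unseen edges; ties resolve to the first successor.
        node = max(succ, key=lambda s: counts[s]) if counts else succ[0]
    return seq

if __name__ == "__main__":
    print("naive static :", predict_api_sequence(CFG, {}))
    print("trace-guided :", predict_api_sequence(CFG, branch_stats(TRACES)))
```

The naive walk stops at the debugger bail-out path, while the trace-guided walk recovers the file and registry activity that dominated the observed runs.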