Malware Classification and Novelty Detection Using PE Header Information Nasser Salim CS529 – Final Project April, 2011.


Motivation
The volume of new malware, and of variants of existing malware, is growing faster than human analysts can keep up with:
- "Report: Targeted Attacks Evolve, New Malware Variants Spike By 100 Percent" (2010)
- "Malware variants giving anti-virus firms a tough time" (2008)
- "Malware variants may have hit half-million mark" (2008)
- "When you are getting thousands of samples a day, you cannot just rely on human analysts, you need automation."

Detection Using Learning
Rieck et al., "Automatic Analysis of Malware Behavior using Machine Learning" (2009): analysis using dynamic features collected from the runtime behavior of malware; novelty detection using prototypes of behavior features.
Shafiq et al., "PE-Miner: Realtime Mining of Structural Information to Detect Zero-Day Malicious Portable Executables" (2009): analysis using static features from the PE headers of malware; achieved good results sorting malware into families (~0.93 AUC) using decision trees.

Malware Countermeasures
Dynamic analysis can be evaded: "... more than 40% of the total malware samples reduce their malicious behavior under virtual machines or with a debugger attached, and they account for potentially 90% of the Internet attacks during certain periods." (Towards an Understanding of Anti-virtualization and Anti-debugging Behavior in Modern Malware, 2008)
Static analysis can be evaded too: "...many packers will take steps to obfuscate a binary's import table by compressing or encrypting the list of functions and libraries that the binary depends upon." (Gray Hat Hacking: The Ethical Hacker's Handbook, 2008)

Project Goals
Validation: do the detection methods from PE-Miner still work on newer malware?
Extension: if classification works this well on static features, can the same features also support novelty detection in the style of Rieck et al.?

PE Header – Example of Features (COFF and optional header fields)
Continuous features:
- NumberOfSymbols
- SizeOfCode
- SizeOfStackReserve
Discrete features:
- DLL flag (IMAGE_FILE_DLL in the COFF Characteristics)
- LARGE_ADDRESS_AWARE flag (IMAGE_FILE_LARGE_ADDRESS_AWARE in the COFF Characteristics)
- MajorOperatingSystemVersion

Malware Data Sources
Offensive Computing: ~10^5 malware samples, updated frequently, unlabeled.
VX Heavens: ~270,000 malware samples (2010 snapshot), labeled by malware family and variant; successor to the dataset used in PE-Miner.

Malware Classes (VX Heavens, number of samples per class)

    Class                  Samples
    Backdoor               50773
    Dos/Nuker              212
    Constructor/VirTool    974
    Flooder                566
    Exploit/HackTool       1371
    Trojan                 (not shown)
    Virus                  3132
    Worm                   11505
    Hoax                   1128
    Rootkit                3179

Backdoor through Worm are the classes used in PE-Miner; Hoax and Rootkit are additional classes missing from PE-Miner. SpamTool and Spoofer were excluded because they had too few samples. The slide also marks some of the classes above as dropped from the analysis; which ones is not recoverable from the transcript.

Feature Extraction
Static feature extraction on O(10^5) samples is still slow and generates a lot of data, so each class was sampled down to O(10^3) samples before extracting features. Features were extracted with the pefile parser (Python).
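The fields listed on the "PE Header" slide sit at fixed offsets in the COFF and optional headers, so they can be read with a handful of struct calls. What follows is an added example, not the project's code (the project used pefile): a bounds-checked parser for exactly those six features, plus a builder that constructs a header-only PE to feed it. The flag values and offsets are those of the PE/COFF format; the builder's default field values are arbitrary, and the file it produces is parseable but not loadable.

```python
"""Extract the slide's six PE-header features straight from bytes with struct.
Added example, not the project's code; build_sample_pe() constructs the input."""
import struct
from typing import Dict

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def extract_pe_features(data: bytes) -> Dict[str, int]:
    """DOS header -> PE signature -> COFF header -> optional header.
    Every read is bounds-checked so a truncated or hostile sample raises
    ValueError instead of failing somewhere inside the parser."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (_machine, _nsections, _stamp, _symtab, nsymbols,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 2 or opt + opt_size > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        is_64, min_size, stack_fmt = False, 96, "<I"
    elif magic == PE32PLUS_MAGIC:
        is_64, min_size, stack_fmt = True, 112, "<Q"
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < min_size:
        raise ValueError("optional header too small for its magic")
    # Offsets are the same for PE32 and PE32+ up to SizeOfStackReserve, the
    # first field that widens to 8 bytes in PE32+ (ImageBase widens too, but
    # it absorbs BaseOfData, so the fields after it keep their offsets).
    size_of_code = struct.unpack_from("<I", data, opt + 4)[0]
    major_os = struct.unpack_from("<H", data, opt + 40)[0]
    stack_reserve = struct.unpack_from(stack_fmt, data, opt + 72)[0]
    return {
        "NumberOfSymbols": nsymbols,
        "SizeOfCode": size_of_code,
        "SizeOfStackReserve": stack_reserve,
        "MajorOperatingSystemVersion": major_os,
        "DLL": int(bool(characteristics & IMAGE_FILE_DLL)),
        "LARGE_ADDRESS_AWARE": int(bool(characteristics & IMAGE_FILE_LARGE_ADDRESS_AWARE)),
        "PE32PLUS": int(is_64),
    }


def build_sample_pe(*, dll: bool = False, large_address_aware: bool = False,
                    pe32plus: bool = False, size_of_code: int = 0x1000,
                    stack_reserve: int = 0x100000, major_os: int = 5,
                    nsymbols: int = 0) -> bytes:
    """Constructed header-only PE (DOS stub, COFF header, optional header
    without sections). Field values are arbitrary demo inputs."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    chars = IMAGE_FILE_EXECUTABLE_IMAGE
    if dll:
        chars |= IMAGE_FILE_DLL
    if large_address_aware:
        chars |= IMAGE_FILE_LARGE_ADDRESS_AWARE
    opt = bytearray(240 if pe32plus else 224)          # incl. 16 data directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, 4, size_of_code)
    struct.pack_into("<H", opt, 40, major_os)
    struct.pack_into("<H", opt, 68, 2)                  # Subsystem: Windows GUI
    struct.pack_into("<Q" if pe32plus else "<I", opt, 72, stack_reserve)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, 16)  # NumberOfRvaAndSizes
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, nsymbols, len(opt), chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_sample_pe(dll=True, large_address_aware=True, nsymbols=42)
    for name, value in extract_pe_features(sample).items():
        print("%-28s %s" % (name, value))
```

The bounds checks matter more here than in ordinary parsing: the inputs are malware, and a sample whose e_lfanew points past the end of the file, or whose SizeOfOptionalHeader is smaller than its magic implies, is exactly the kind of thing a packer produces. The feature extractor should reject such samples (or record the rejection as a feature) rather than crash the batch.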

Learning using Orange
Orange is a lightweight machine learning toolkit for Python. The C4.5 decision tree learner was used with 10-fold cross validation, since C4.5 obtained the best results in PE-Miner. The mix of data types and scales in the PE features makes distance-metric-based algorithms (such as k-NN or k-means) harder to apply.

Orange Code (Orange 2.x API, Python 2)

    #!/usr/bin/python
    # Orange 2.x modules (Python 2). C45Learner wraps Quinlan's C4.5 sources,
    # which Orange 2 does not ship and requires you to build separately.
    import orange, orngTest, orngStat, orngTree

    data = orange.ExampleTable("test_data")      # loads test_data.tab
    c45 = orange.C45Learner()
    c45.name = "C45"
    learners = [c45]
    # 10-fold cross validation of every learner on the same folds
    results = orngTest.crossValidation(learners, data, folds=10)
    for i in xrange(len(learners)):
        # classification accuracy and area under the ROC curve per learner
        print learners[i].name, " : ", orngStat.CA(results)[i], " : ", orngStat.AUC(results)[i]

Classification Results
Still experimenting with tree pruning. Classification accuracy > 65%; AUC > 0.8 (PE-Miner achieved > 0.9).

Novelty Detection Using Leader Clustering
Leader clustering is a single-pass online clustering algorithm (an online cousin of k-means, with the number of clusters set by a distance threshold rather than fixed in advance):
1. Specify a distance threshold.
2. Find the existing cluster center nearest to the new sample; if that distance is within the threshold, assign the sample to that cluster.
3. Otherwise create a new cluster with the new sample as its center. A sample that opens a new cluster is the novelty hit.

Metric Problem
PE data is a mix of data types and scales, so no single distance is natural. Try Hamming distance (the number of differing features) on binary features only, after turning some features into binary: e.g. rather than the number of symbols imported from a particular .dll, flag whether that .dll is used at all.

Evaluation of Novelty Detection
For each class:
1. Hold out that class's training data.
2. Train the Leader algorithm on the remaining data.
3. Add the testing data, including the held-out class.
4. Count false positive novelty hits (known-class samples flagged novel) and false negatives (held-out samples not flagged).
Average over all classes.

Questions?