Presentation is loading. Please wait.

Presentation is loading. Please wait.

Malware Classification and Novelty Detection Using PE Header Information Nasser Salim CS529 – Final Project April, 2011.

Published byAlbert Lawrence Modified over 8 years ago

Similar presentations

Presentation on theme: "Malware Classification and Novelty Detection Using PE Header Information Nasser Salim CS529 – Final Project April, 2011."— Presentation transcript:

1 Malware Classification and Novelty Detection Using PE Header Information Nasser Salim CS529 – Final Project April, 2011

2 Motivation Malware is becoming exponentially more prolific over time. ”Report: Targeted Attacks Evolve, New Malware Variants Spike By 100 Percent” www.darkreading.comwww.darkreading.com, (2010) ”Malware variants giving anti-virus firms a tough time” www.techrepublic.com, (2008)www.techrepublic.com ”Malware variants may have hit half-million mark”http://www.securityfocus.com/brief/655 (2008)http://www.securityfocus.com/brief/655 ”When you are getting thousands of samples a day, you cannot just rely on human analysts, you need automation.”

3 Detection Using Learning Riech et al. ”Automatic Analysis of Malware Behavior using Machine Learning.” (2009) Analysis using dynamic features collected from the runtime behavior of malware. Novelty detection using protypes of behavior features. Shafiq et al. ”PE-Miner: Realtime Mining of Structural Information to Detect Zero-Day Malicious Portable Executables.” (2009) Analysis using static features from the PE headers of malware. Achieved good results sorting malware into families (~.93 AUC) using decision trees.

4 Malware Countermeasures ”... more than 40% of the total malware samples reduce their malicious behavior under virtual machines or with a debugger attached, and they account for potentially 90% of the Internet attacks during certain periods.” Towards an Understanding of Anti- virtualization and Anti-debugging Behavior in Modern Malware (2010) ”...many packers will take steps to obfuscate a binary's import table by compressing or encrypting the list of functions and libraries that the binary depends upon.” Gray Hat Hacking: The Ethical Hacker’s Handbook (2008)

5 Project Goals Validation Do the detection methods from PE-Miner still work on newer malware? Extension If classification can be done so well using static features, can we also do novelty detection similar to Riech et al. ?

6 PE Header – Example of Features Continuous Features NumberOfSymbols SizeOfCode SizeOfStackReserve Discrete Features DLL flag LARGE_ADDRESS_AWARE flag MajorOperatingSystemVersion

7 Malware Data Sources Offensive Computing 10^5 malware samples updated frequently Unlabeled VX Heavens ~270,000 malware samples from 2010 Labeled according to malware family and variant Successor to the dataset used in PE-Miner

8 Malware Classes ClassNumber of Samples Backdoor50773 Dos/Nuker212 Constructor/VirTool974 Flooder566 Exploit/HackTool1371 Trojan163322 Virus3132 Worm11505 Used in PE-Miner

9 Malware Classes ClassNumber of Samples Backdoor50773 Dos/Nuker212 Constructor/VirTool974 Flooder566 Exploit/HackTool1371 Trojan163322 Virus3132 Worm11505 Hoax1128 Rootkit3179 Including Missing from PE-Miner * Too few samples from SpamTool, Spoofer

10 Malware Classes ClassNumber of Samples Backdoor50773 Dos/Nuker212 Constructor/VirTool974 Flooder566 Exploit/HackTool1371 Trojan163322 Virus3132 Worm11505 Hoax1128 Rootkit3179 Dropping the following from analysis

11 Feature Extraction Static feature extraction on O(10^5) is still slow and generates a lot of data. Sample down to O(10^3) for each class before extracting features. Used pefile parser built in Python. http://code.google.com/p/pefile/

12 Learning using Orange Orange – A lightweight machine learning toolkit for python. http://orange.biolab.si/ Used the C45 decision tree algorithm with 10 fold cross validation. C45 obtained the best results in PE-Miner. Mix of data types and scales makes metric based algorithms challenging.

13 Orange Code #!/usr/bin/python import orange, orngTest, orngStat, orngTree data = orange.ExampleTable("test_data") c45 = orange.C45Learner() c45.name = "C45" learners = [c45] results = orngTest.crossValidation (learners, data, folds=10) for i in xrange(len(learners)): print learners[i].name, " : ", print orngStat.CA(results)[i], ” : ”, print orngStat.AUC(results)[i]

14 Classification Results Still experimenting with tree pruning Classification accuracy > 65% AUC >.8 (PE-Miner achieved >.9)

15 Novelty Detection Using Leader Clustering (Online variant of K-Means) 1. Specify a distance threshold. 2. Try to find an existing cluster center with the smallest distance to the new sample that is less than the threshold. 3. If no cluster center exists, create a new cluster using the new sample as a center.

16 Metric Problem PE Data is a mix of data types and scales Try: Hamming Distance on only binary features Number of differences Turn some features into binary (i.e. Rather than number of symbols imported from a particular.dll, flag the usage of that.dll)

17 Evaluation of Novelty Detection For each class Hold out that class training data Train Leader algorithm with remaining data Add testing data including the held out class Measure the number of false positive and false negative novelty hits Average over all classes

18 Questions?

Download ppt "Malware Classification and Novelty Detection Using PE Header Information Nasser Salim CS529 – Final Project April, 2011."

Similar presentations

1 Machine Learning: Lecture 10 Unsupervised Learning (Based on Chapter 9 of Nilsson, N., Introduction to Machine Learning, 1996)

1 Machine Learning: Lecture 10 Unsupervised Learning (Based on Chapter 9 of Nilsson, N., Introduction to Machine Learning, 1996)
Fast and Precise In-Browser JavaScript Malware Detection

Fast and Precise In-Browser JavaScript Malware Detection
A Real-Time for Classification of Moving Objects 2006.6.1.

A Real-Time for Classification of Moving Objects
Beyond Anti-Virus by Dan Keller 1987- Fred Cohen- Computer Scientist “there is no algorithm that can perfectly detect all possible computer viruses”

Beyond Anti-Virus by Dan Keller Fred Cohen- Computer Scientist “there is no algorithm that can perfectly detect all possible computer viruses”
Wang, Z., et al. Presented by: Kayla Henneman October 27, 2014 WHO IS HERE: LOCATION AWARE FACE RECOGNITION.

Wang, Z., et al. Presented by: Kayla Henneman October 27, 2014 WHO IS HERE: LOCATION AWARE FACE RECOGNITION.
Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.

Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.
Automated malware classification based on network behavior

Automated malware classification based on network behavior
MutantX-S: Scalable Malware Clustering Based on Static Features Xin Hu, IBM T.J. Watson Research Center; Sandeep Bhatkar and Kent Griffin, Symantec Research.

MutantX-S: Scalable Malware Clustering Based on Static Features Xin Hu, IBM T.J. Watson Research Center; Sandeep Bhatkar and Kent Griffin, Symantec Research.
A Hybrid Model to Detect Malicious Executables Mohammad M. Masud Latifur Khan Bhavani Thuraisingham Department of Computer Science The University of Texas.

A Hybrid Model to Detect Malicious Executables Mohammad M. Masud Latifur Khan Bhavani Thuraisingham Department of Computer Science The University of Texas.
CISC 879 - Machine Learning for Solving Systems Problems Presented by: Akanksha Kaul Dept of Computer & Information Sciences University of Delaware SBMDS:

CISC Machine Learning for Solving Systems Problems Presented by: Akanksha Kaul Dept of Computer & Information Sciences University of Delaware SBMDS:
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 17: Code Mining.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 17: Code Mining.
Tyson Condie.

Tyson Condie.
Preventing SQL Injection Attacks in Stored Procedures Alex Hertz Chris Daiello CAP6135Dr. Cliff Zou University of Central Florida March 19, 2009.

Preventing SQL Injection Attacks in Stored Procedures Alex Hertz Chris Daiello CAP6135Dr. Cliff Zou University of Central Florida March 19, 2009.
Presented by Tienwei Tsai July, 2005

Presented by Tienwei Tsai July, 2005
Computer Science Open Research Questions Adversary models –Define/Formalize adversary models Need to incorporate characteristics of new technologies and.

Computer Science Open Research Questions Adversary models –Define/Formalize adversary models Need to incorporate characteristics of new technologies and.
Printing: This poster is 48” wide by 36” high. It’s designed to be printed on a large-format printer. Customizing the Content: The placeholders in this.

Printing: This poster is 48” wide by 36” high. It’s designed to be printed on a large-format printer. Customizing the Content: The placeholders in this.
AUTHORS: ASAF SHABTAI, URI KANONOV, YUVAL ELOVICI, CHANAN GLEZER, AND YAEL WEISS. 2012. ANDROMALY: A BEHAVIORAL MALWARE DETECTION FRAMEWORK FOR ANDROID.

AUTHORS: ASAF SHABTAI, URI KANONOV, YUVAL ELOVICI, CHANAN GLEZER, AND YAEL WEISS "ANDROMALY": A BEHAVIORAL MALWARE DETECTION FRAMEWORK FOR ANDROID.
Chapter 9 – Classification and Regression Trees

Chapter 9 – Classification and Regression Trees
Bug Localization with Machine Learning Techniques Wujie Zheng

Bug Localization with Machine Learning Techniques Wujie Zheng
Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:

Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:

Similar presentations

Ads by Google