Malware Analysis by Combining Multiple Detectors and Observation Windows


Detailed bibliography

Published in: IEEE Transactions on Computers, Volume 71, Issue 6, pp. 1276-1290
Main author: Ficco, Massimo
Format: Journal Article
Language: English
Publication details: New York: IEEE (The Institute of Electrical and Electronics Engineers, Inc.), 1 June 2022
ISSN: 0018-9340, 1557-9956
Description

Summary: Malware developers continually attempt to modify the execution pattern of malicious code, hiding it inside apparently normal applications, which makes its detection and classification challenging. This article proposes an ensemble detector that exploits the capabilities of the main analysis algorithms proposed in the literature, each designed to offer greater resilience to specific evasion techniques. In particular, the article presents different methods to optimally combine both generic and specialized detectors during the analysis process. Such combinations can be used to increase the unpredictability of the detection strategy, to improve the detection rate in the presence of unknown malware families, and to provide better detection performance in the absence of the constant re-training of detectors otherwise needed to cope with the evolution of malware. The paper also presents an alpha-count mechanism and explores how the length of the observation time window affects the detection accuracy and speed of different combinations of detectors during malware analysis. An extended experimental campaign has been conducted on both an open-source sandbox and an Android smartphone with different malware datasets. A trade-off among performance, training time, and mean time to detect is presented. Finally, a comparison with other ensemble detectors is also presented.
DOI: 10.1109/TC.2021.3082002
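The summary above names two building blocks: a weighted combination of generic and specialized detectors, and an alpha-count that accumulates per-window verdicts so that the observation window length trades detection speed against robustness to transient noise. The Python below is an added illustration written for this record, not the authors' code, detectors or datasets: the three detectors and their thresholds, the vote weights, the decay factor k, the alarm threshold and the two behaviour traces are all constructed assumptions. The alpha-count update (alpha decays by k each window and gains 1 on a suspicious window; alarm when alpha reaches a threshold) follows the standard count-and-threshold scheme, which may differ in detail from the paper's.

```python
"""Ensemble of detectors plus an alpha-count over observation windows.

Added illustration for this catalog record; not the paper's code. Detectors,
thresholds, decay factor and the traces below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# One raw sample per second: (syscalls, outbound connections, crypto API calls).
Sample = Tuple[int, int, int]
BENIGN: Sample = (40, 0, 0)
MALICIOUS: Sample = (400, 1, 50)   # file churn + C2 connection + bulk encryption

# Constructed traces: persistent malicious behaviour from sample 11 onward,
# versus a single benign transient spike at sample 6.
TRACE_PERSISTENT: List[Sample] = [BENIGN] * 10 + [MALICIOUS] * 10
TRACE_TRANSIENT: List[Sample] = [BENIGN] * 5 + [MALICIOUS] + [BENIGN] * 14

Detector = Callable[[Sequence[Sample]], bool]


def syscall_rate_detector(window: Sequence[Sample]) -> bool:
    """Generic detector: mean syscall rate over the window is anomalous."""
    return sum(s[0] for s in window) / len(window) > 150


def crypto_detector(window: Sequence[Sample]) -> bool:
    """Specialized detector: sustained crypto API usage (ransomware-style)."""
    return sum(s[2] for s in window) / len(window) > 20


def network_detector(window: Sequence[Sample]) -> bool:
    """Specialized detector: any outbound connection inside the window."""
    return any(s[1] > 0 for s in window)


@dataclass
class Ensemble:
    """Weighted vote over several detectors; a window is 'suspicious' when
    the summed weights of the detectors that fire reach vote_threshold."""
    detectors: List[Tuple[Detector, float]]
    vote_threshold: float

    def suspicious(self, window: Sequence[Sample]) -> bool:
        score = sum(w for d, w in self.detectors if d(window))
        return score >= self.vote_threshold


@dataclass
class AlphaCount:
    """Count-and-threshold accumulator: alpha decays by k each window and
    gains 1 for a suspicious window; alarm once alpha >= alarm_at. With
    alarm_at > 1 a single isolated suspicious window can never raise the alarm,
    which is what filters out the transient spike in TRACE_TRANSIENT."""
    k: float
    alarm_at: float
    alpha: float = 0.0

    def update(self, suspicious: bool) -> bool:
        self.alpha = self.alpha * self.k + (1.0 if suspicious else 0.0)
        return self.alpha >= self.alarm_at


# Assumed weights: the generic detector alone is not enough; a specialized
# detector plus at least one more must agree (score >= 1.5).
ENSEMBLE = Ensemble(
    detectors=[(syscall_rate_detector, 1.0), (crypto_detector, 1.0), (network_detector, 0.5)],
    vote_threshold=1.5,
)


def time_to_detect(trace: Sequence[Sample], ensemble: Ensemble, window_len: int,
                   k: float = 0.8, alarm_at: float = 1.5) -> Optional[int]:
    """Feed non-overlapping windows of window_len samples to the ensemble and
    the alpha-count; return the 1-based sample index at which the alarm fires,
    or None if it never fires. Larger windows smooth noise but delay the alarm,
    and a window longer than half the malicious phase can miss it entirely."""
    counter = AlphaCount(k, alarm_at)
    for start in range(0, len(trace) - window_len + 1, window_len):
        window = trace[start:start + window_len]
        if counter.update(ensemble.suspicious(window)):
            return start + window_len
    return None


def window_tradeoff(trace: Sequence[Sample], window_lens: Sequence[int]) -> Dict[int, Optional[int]]:
    """Time-to-detect (in samples) for each observation window length."""
    return {w: time_to_detect(trace, ENSEMBLE, w) for w in window_lens}


if __name__ == "__main__":
    print("persistent:", window_tradeoff(TRACE_PERSISTENT, [1, 2, 5, 10]))
    print("transient: ", window_tradeoff(TRACE_TRANSIENT, [1, 2, 5]))
```

On the constructed persistent trace the alarm fires at sample 12, 14 and 20 for window lengths 1, 2 and 5, and never for a window of 10 (only one malicious window fits, and alarm_at > 1 needs two). On the transient trace no window length raises an alarm, because the alpha-count lets a single suspicious window decay away. Real deployments would replace the hand-written detectors with the trained generic and specialized models the paper combines, and tune k, alarm_at and the window length against the measured false-positive rate and mean time to detect.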