Abstract
As more vulnerabilities are discovered every year [17], malware constantly evolves, forcing improvements and updates to security and malware detection mechanisms. Malware is used directly on the attacked systems, so anti-virus solutions tend to neutralize malware by preventing it from launching or even from being stored on the system. However, if malware is launched, it is important to stop it as soon as the maliciousness of the new process has been detected. Following the results from [8], in this paper we show that it is possible to detect running malware before it becomes malicious. We propose a novel malware detection approach that is capable of detecting Windows malware at the earliest stage of execution. An accuracy of more than 99% has been achieved by finding distinctive low-level behavior patterns generated before malware reaches its entry point. We also study the ability of our approach to detect malware after it reaches its entry point and to distinguish between benign executables and 10 malware families.
The research leading to these results has received funding from the Center for Cyber and Information Security, under budget allocation from the Ministry of Justice and Public Security of Norway.
Change history
26 August 2020
Some errors were present in the originally published Chapter 4. The following modifications were made:
Page 67, line 16 has been corrected to: “switching from BEP behavior to AEP it is relatively low”.
Page 67, line 22 has been corrected to: “selects more features for AEP data than for BEP data”.
Notes
- 1. In this paper, by Entry Point, we mean the first executed instruction from the main module of the executable.
References
1. Virusshare.com. http://virusshare.com/. Accessed 09 Mar 2020
2. Weka: Data mining software in Java (2019). http://www.cs.waikato.ac.nz/ml/weka/. Accessed Mar 2019
3. Aaraj, N., Raghunathan, A., Jha, N.K.: Dynamic binary instrumentation-based framework for malware defense. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 64–87. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70542-0_4
4. AVTEST: The independent IT-Security Institute: Malware (2020). https://nvd.nist.gov/vuln/search/statistics?form_type=Basic&results_type=statistics&search_type=all
5. Bahador, M.B., Abadi, M., Tajoddin, A.: HPCMalHunter: behavioral malware detection using hardware performance counters and singular value decomposition. In: 2014 4th International eConference on Computer and Knowledge Engineering (ICCKE), pp. 703–708. IEEE (2014). https://doi.org/10.1109/iccke.2014.6993402
6. Bahador, M.B., Abadi, M., Tajoddin, A.: HLMD: a signature-based approach to hardware-level behavioral malware detection and classification. J. Supercomput. 75(8), 5551–5582 (2019). https://doi.org/10.1007/s11227-019-02810-z
7. Banin, S., Dyrkolbotn, G.O.: Multinomial malware classification via low-level features. Digit. Investig. 26, S107–S117 (2018). https://doi.org/10.1016/j.diin.2018.04.019
8. Banin, S., Dyrkolbotn, G.O.: Correlating high- and low-level features. In: Attrapadung, N., Yagi, T. (eds.) IWSEC 2019. LNCS, vol. 11689, pp. 149–167. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26834-3_9
9. Banin, S., Shalaginov, A., Franke, K.: Memory access patterns for malware detection. Norsk informasjonssikkerhetskonferanse (NISK), pp. 96–107 (2016)
10. Burnap, P., French, R., Turner, F., Jones, K.: Malware classification using self organising feature maps and machine activity data. Comput. Secur. 73, 399–410 (2018). https://doi.org/10.1016/j.cose.2017.11.016
11. Hall, M.A.: Correlation-based feature subset selection for machine learning. Ph.D. thesis, University of Waikato, Hamilton, New Zealand (1998)
12. Intel Pin: A dynamic binary instrumentation tool (2020)
13. Khasawneh, K.N., Ozsoy, M., Donovick, C., Abu-Ghazaleh, N., Ponomarev, D.: Ensemble learning for low-level hardware-supported malware detection. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 3–25. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26362-5_1
14. Khasawneh, K.N., Ozsoy, M., Donovick, C., Ghazaleh, N.A., Ponomarev, D.V.: EnsembleHMD: accurate hardware malware detectors with specialized ensemble classifiers. IEEE Trans. Dependable Secur. Comput. (2018). https://doi.org/10.1109/tdsc.2018.2801858
15. Kononenko, I., Kukar, M.: Machine Learning and Data Mining: Introduction to Principles and Algorithms. Horwood Publishing, Cambridge (2007)
16. NetMarketShare: Operating system market share (2020). https://netmarketshare.com/operating-system-market-share.aspx
17. NIST: National vulnerability database (2020). https://nvd.nist.gov/vuln/search/statistics?form_type=Basic&results_type=statistics&search_type=all
18. NIST: National vulnerability database: Windows (2020). https://nvd.nist.gov/vuln/search/statistics?form_type=Advanced&results_type=statistics&query=Windows&search_type=all
19. Ozsoy, M., Donovick, C., Gorelik, I., Abu-Ghazaleh, N., Ponomarev, D.: Malware-aware processors: a framework for efficient online malware detection. In: 2015 IEEE 21st International Symposium on High Performance Computer Architecture (HPCA), pp. 651–661. IEEE (2015). https://doi.org/10.1109/hpca.2015.7056070
20. Ozsoy, M., Khasawneh, K.N., Donovick, C., Gorelik, I., Abu-Ghazaleh, N., Ponomarev, D.: Hardware-based malware detection using low-level architectural features. IEEE Trans. Comput. 65(11), 3332–3344 (2016). https://doi.org/10.1109/tc.2016.2540634
21. Peng, H., Long, F., Ding, C.: Feature selection based on mutual information criteria of max-dependency, max-relevance, and min-redundancy. IEEE Trans. Pattern Anal. Mach. Intell. 27(8), 1226–1238 (2005)
22. PortableApps.com: PortableApps.com (2020). https://portableapps.com/apps
23. Reuters: Ukraine's power outage was a cyber attack: Ukrenergo (2017). https://www.reuters.com/article/us-ukraine-cyber-attack-energy/ukraines-power-outage-was-a-cyber-attack-ukrenergo-idUSKBN1521BA
24. Shalaginov, A., Banin, S., Dehghantanha, A., Franke, K.: Machine learning aided static malware analysis: a survey and tutorial. In: Dehghantanha, A., Conti, M., Dargahi, T. (eds.) Cyber Threat Intelligence. AIS, vol. 70, pp. 7–45. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-73951-9_2
25. Sikorski, M., Honig, A.: Practical Malware Analysis: The Hands-on Guide to Dissecting Malicious Software. No Starch Press, San Francisco (2012)
26. The Verge: The Petya ransomware is starting to look like a cyberattack in disguise (2017). https://www.theverge.com/2017/6/28/15888632/petya-goldeneye-ransomware-cyberattack-ukraine-russia
27. VirusTotal: VirusTotal - free online virus, malware and URL scanner (2012). https://www.virustotal.com/en
28. Yosifovich, P.: Windows Internals, Part 1 (Developer Reference). Microsoft Press, Redmond (2017)
Appendices
Appendix A Classification Results: Normalized Dataset
Here we present classification results for the normalized dataset using features from BEP (Tables 7 and 8).
Appendix B Classification Results: Combined Feature Set
Here we present classification results achieved with the combined feature set (Tables 9 and 10).
Copyright information
© 2020 Springer Nature Switzerland AG
Banin, S., Dyrkolbotn, G.O. (2020). Detection of Running Malware Before it Becomes Malicious. In: Aoki, K., Kanaoka, A. (eds) Advances in Information and Computer Security. IWSEC 2020. Lecture Notes in Computer Science(), vol 12231. Springer, Cham. https://doi.org/10.1007/978-3-030-58208-1_4
DOI: https://doi.org/10.1007/978-3-030-58208-1_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-58207-4
Online ISBN: 978-3-030-58208-1