
A Real-Time Approach for Detecting Malicious Executables

Conference paper, in: Advances in Systems Science

Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 240)

Abstract

In this paper, we develop a real-time algorithm to detect malicious portable executable (PE) files. The proposed algorithm consists of feature extraction, vector quantization, and a classifier named Attribute-Biased Classifier (ABC). We collected a large data set of malicious PE files from the Honeynet project in the EG-CERT and from VirusSign to train and test the proposed system. We first apply a feature extraction algorithm to remove redundant features. The most effective features are then mapped into two vector quantizers. Finally, the output of the two quantizers is given to the proposed ABC classifier, which labels the PE file. The results show that our algorithm detects malicious PE files with a 99.3% detection rate, 97% accuracy, 0.998 AUC, and a false positive rate below 1%. In addition, our algorithm needs only a fraction of a second to test a portable executable file.
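The abstract names the pipeline stages (feature extraction, two vector quantizers, one per class, then a classifier) and the metrics used to judge it, but the page gives neither the feature set nor the ABC decision rule. The following added example is not the paper's code: it builds a toy version of that pipeline so the shape of the method and the meaning of the reported metrics are concrete. Assumptions are labelled in the code: the three normalised PE header features are an assumed choice, the sample values are constructed from made-up distributions, the quantizer is a plain Linde-Buzo-Gray style k-means, and the decision rule (compare each sample's distortion under the malicious and benign codebooks) is a stand-in for the ABC classifier, whose actual rule is not on the page.

```python
import math
import random


def make_samples(n, malicious, seed):
    """Construct n three-feature vectors for one class (made-up distributions).

    Assumed features, each scaled into roughly [0, 1]: entropy of the largest
    section / 8, imported-function count / 300, number of sections / 10.
    """
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        if malicious:   # packed-looking: high entropy, few imports, few sections
            entropy, imports, sections = rng.gauss(7.4, 0.15), rng.gauss(12, 4), rng.gauss(3, 0.8)
        else:           # ordinary compiler output: moderate entropy, many imports
            entropy, imports, sections = rng.gauss(5.8, 0.3), rng.gauss(160, 30), rng.gauss(5, 1.0)
        rows.append((entropy / 8.0, max(imports, 0) / 300.0, max(sections, 1) / 10.0))
    return rows


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def train_codebook(vectors, k, rounds=25, seed=0):
    """LBG/k-means style vector quantizer: k codewords trained on one class."""
    rng = random.Random(seed)
    codebook = list(rng.sample(vectors, k))
    for _ in range(rounds):
        cells = [[] for _ in range(k)]
        for v in vectors:
            nearest = min(range(k), key=lambda i: euclid(v, codebook[i]))
            cells[nearest].append(v)
        updated = []
        for i, cell in enumerate(cells):
            if not cell:                      # empty cell: keep the old codeword
                updated.append(codebook[i])
                continue
            dim = len(cell[0])
            updated.append(tuple(sum(v[d] for v in cell) / len(cell) for d in range(dim)))
        if updated == codebook:               # converged
            break
        codebook = updated
    return codebook


def distortion(v, codebook):
    """Distance from v to its nearest codeword (the quantizer's reconstruction error)."""
    return min(euclid(v, c) for c in codebook)


def malice_score(v, mal_codebook, ben_codebook):
    """Assumed decision score (stand-in for ABC): positive when the malicious
    quantizer reproduces v with less error than the benign one."""
    return distortion(v, ben_codebook) - distortion(v, mal_codebook)


def evaluate(scores, labels):
    """Detection rate (TPR), false positive rate, accuracy and rank-based AUC."""
    preds = [s > 0 for s in scores]
    tp = sum(1 for p, y in zip(preds, labels) if p and y)
    fn = sum(1 for p, y in zip(preds, labels) if not p and y)
    fp = sum(1 for p, y in zip(preds, labels) if p and not y)
    tn = sum(1 for p, y in zip(preds, labels) if not p and not y)
    pos = [s for s, y in zip(scores, labels) if y]
    neg = [s for s, y in zip(scores, labels) if not y]
    # AUC: probability that a random malicious sample outscores a random benign one
    wins = sum(1.0 if p > q else 0.5 if p == q else 0.0 for p in pos for q in neg)
    return {
        "detection_rate": tp / (tp + fn),
        "fpr": fp / (fp + tn),
        "accuracy": (tp + tn) / len(labels),
        "auc": wins / (len(pos) * len(neg)),
    }


def run_pipeline(k=4, n_train=40, n_test=20):
    """Train one codebook per class, score a held-out split, return the metrics."""
    mal = make_samples(n_train + n_test, True, seed=1)
    ben = make_samples(n_train + n_test, False, seed=2)
    mal_cb = train_codebook(mal[:n_train], k)
    ben_cb = train_codebook(ben[:n_train], k)
    test = [(v, True) for v in mal[n_train:]] + [(v, False) for v in ben[n_train:]]
    scores = [malice_score(v, mal_cb, ben_cb) for v, _ in test]
    return evaluate(scores, [y for _, y in test])


if __name__ == "__main__":
    print(run_pipeline())
```

Because the constructed classes are far apart, this toy reaches perfect scores on its held-out split; on real PE data the interesting work is in the feature selection step, which decides how much the two codebooks overlap, and that overlap is what the detection rate, false positive rate and AUC in the abstract measure.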



Corresponding author: Samir Sayed

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Sayed, S., Darwish, R.R., Salem, S.A. (2014). A Real-Time Approach for Detecting Malicious Executables. In: Swiątek, J., Grzech, A., Swiątek, P., Tomczak, J. (eds) Advances in Systems Science. Advances in Intelligent Systems and Computing, vol 240. Springer, Cham. https://doi.org/10.1007/978-3-319-01857-7_34


  • DOI: https://doi.org/10.1007/978-3-319-01857-7_34

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-01856-0

  • Online ISBN: 978-3-319-01857-7

  • eBook Packages: Engineering (R0)
