Abstract
In this paper, we develop a real-time algorithm to detect malicious portable executable (PE) files. The proposed algorithm consists of feature extraction, vector quantization, and a classifier named Attribute-Biased Classifier (ABC). We have collected a large data set of malicious PE files from the Honeynet project in the EG-CERT and VirusSign to train and test the proposed system. We first apply a feature extraction algorithm to remove redundant features. Then the most effective features are mapped into two vector quantizers. Finally, the output of the two quantizers is given to the proposed ABC classifier to identify a PE file. The results show that our algorithm is able to detect malicious PE files with a 99.3% detection rate, 97% accuracy, 0.998 AUC, and less than 1% false positive rate. In addition, our algorithm takes a fraction of a second to test a portable executable file.
References
Symantec Corporation: Symantec Internet Security Threat Report. Technical report, vol. 71 (2012)
The UK Cyber Security Strategy: Protecting and Promoting the UK in a Digital World. Technical report (2011)
Zhong, Y., Yamaki, H., Takakura, H.: A Malware Classification Method based on Similarity of Function Structure. In: IEEE/IPSJ 12th International Symposium on Applications and the Internet, pp. 256–261 (2012)
McGraw, G.M.G.: Attacking malicious code: report to the infosec research council. IEEE Softw. 17, 33–41 (2002)
Filiol, E.: Malware pattern scanning schemes secure against blackbox analysis. J. Comput. Virol. 2, 35–50 (2006)
Filiol, E., Jacob, G., Liard, M.L.: Evaluation methodology and theoretical model for antiviral behavioural detection strategies. J. Comput. Virol. 3, 27–37 (2007)
Song, Y., Locasto, M., Stavrou, A., Keromytis, A., Stolfo, S.: On the infeasibility of modeling polymorphic shellcode. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 541–551 (2007)
Schultz, M., Eskin, E., Zadok, E.: Data mining methods for detection of new malicious executables. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 38–49 (2001)
Wang, J.H., Deng, P., Fan, Y., Jaw, L., Liu, Y.: Virus detection using data mining techniques. In: Proceedings of IEEE International Conference on Data Mining (2003)
Kolter, J., Maloof, M.: Learning to detect malicious executables in the wild. In: Proceedings of Knowledge Discovery and Data Mining (KDD), pp. 470–478 (2004)
Perdisci, R., Lanzi, A., Lee, W.: McBoost: Boosting Scalability in Malware Collection and Analysis Using Statistical Classification of Executables. In: Annual Computer Security Applications Conference (ACSAC), pp. 301–310. IEEE Press, USA (2008)
Ye, Y., Wang, D., Li, T., Ye, D.: IMDS: Intelligent malware detection system. In: Proceedings of ACM International Conference on Knowledge Discovery and Data Mining, SIGKDD (2007)
Ye, Y., Wang, D., Li, T., Ye, D., Jiang, Q.: An intelligent PE-malware detection system based on association mining. Journal in Computer Virology 4, 323–334 (2008)
EG-CERT, http://www.egcert.eg/cert/
VirusSign, http://freelist.virussign.com/freelist
Fawcett, T.: ROC Graphs: Notes and Practical Considerations for Researchers. Technical report, HP Laboratories (2004)
Pietrek, M.: Peering Inside the PE: A Tour of the Win32 Portable Executable File Format (1994)
Ding, C., Peng, H.: Minimum redundancy feature selection from microarray gene expression data. Journal of Bioinformatics and Computational Biology 3, 185–205 (2005)
Gray, R.M.: Vector quantization. IEEE ASSP Mag., 4–29 (1984)
Gersho, A., Gray, R.M.: Vector quantization and signal compression. Kluwer Academic Publishers (1991)
Linde, Y., Buzo, A., Gray, R.M.: An algorithm for vector quantizer design. IEEE Transactions on Communications 28, 84–95 (1980)
Specht, D.F.: Probabilistic Neural Networks for Classification, Mapping, or Associative Memory. In: IEEE International Conference on Neural Networks, vol. I, pp. 525–532 (1998)
Marco, V.R., Young, D.M., Turner, D.W.: The Euclidean distance classifier: an alternative to the linear discriminant function. Communications in Statistics - Simulation and Computation 16, 485–505 (1987)
AVG Antivirus, http://free.avg.com/
Panda Antivirus, http://www.pandasecurity.com/
Copyright information
© 2014 Springer International Publishing Switzerland
Cite this paper
Sayed, S., Darwish, R.R., Salem, S.A. (2014). A Real-Time Approach for Detecting Malicious Executables. In: Świątek, J., Grzech, A., Świątek, P., Tomczak, J. (eds) Advances in Systems Science. Advances in Intelligent Systems and Computing, vol 240. Springer, Cham. https://doi.org/10.1007/978-3-319-01857-7_34
DOI: https://doi.org/10.1007/978-3-319-01857-7_34
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-01856-0
Online ISBN: 978-3-319-01857-7