ABSTRACT
Malware family classification is an age-old problem that many Anti-Virus (AV) companies have tackled. Two techniques are commonly used for classification: signature-based and behavior-based. Signature-based classification uses a common sequence of bytes that appears in the binary code to identify and detect a family of malware. Behavior-based classification uses the artifacts malware creates during execution for identification. In this paper we report on a unique dataset obtained from our operations, which we classified using several machine learning techniques following the behavior-based approach. The main class of malware we are interested in classifying is the popular Zeus malware. For its classification we identify 65 features that are unique and robust for identifying malware families. We show that artifacts such as file system, registry, and network features can be used to identify distinct malware families with high accuracy, in some cases as high as 95 percent.
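As an added illustration of the two approaches the abstract contrasts (example code written for this page, not from the paper or its authors), the following Python places a byte-signature match beside a behavior-based classifier built from file-system, registry and network artifacts. Every signature, path, registry key and URL is a constructed placeholder, the handful of features stands in for the paper's 65, and the nearest-profile Jaccard classifier is an assumed stand-in for the machine learning techniques the paper evaluates. The normalization step is the security-relevant part: per-sample randomized file and key names collapse to one feature, which is what makes behavior features robust where a byte signature breaks on repacking.

```python
"""Signature-based vs. behavior-based malware family classification.

Added illustration on constructed data: signatures, paths, keys and URLs are
placeholders, not indicators of any real family; the small feature set stands
in for the paper's 65 features.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Set

# --- Signature-based: one fixed byte sequence per family (constructed) -------
SIGNATURES: Dict[str, bytes] = {
    "FamilyA": b"\x55\x8b\xec\x83\xec\x40\xa1",  # constructed placeholder
    "FamilyB": b"\x60\xe8\x00\x00\x00\x00\x5d",  # constructed placeholder
}


def classify_by_signature(binary: bytes) -> Optional[str]:
    """Return the first family whose byte sequence occurs in the binary.

    Any change to those bytes (repacking, recompilation) defeats the check;
    that brittleness is what behavior-based classification addresses.
    """
    for family, sig in SIGNATURES.items():
        if sig in binary:
            return family
    return None


# --- Behavior-based: execution artifacts -> robust feature set --------------
# Constructed sandbox-style reports. The random-looking final path and key
# components model per-sample randomization that a robust feature must ignore.
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
SVC_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Services"
TRAINING_REPORTS: List[dict] = [
    {"family": "FamilyA",
     "files": ["C:\\Users\\u\\AppData\\Roaming\\kdfpqw.exe"],
     "registry": [RUN_KEY + "\\kdfpqw"],
     "network": ["POST /placeholder-a/upload"]},
    {"family": "FamilyA",
     "files": ["C:\\Users\\u\\AppData\\Roaming\\zxcvlk.exe"],
     "registry": [RUN_KEY + "\\zxcvlk"],
     "network": ["POST /placeholder-a/upload", "GET /placeholder-a/config.bin"]},
    {"family": "FamilyB",
     "files": ["C:\\Windows\\Temp\\abc123.dll"],
     "registry": [SVC_KEY + "\\abc123"],
     "network": ["GET /placeholder-b/ping"]},
    {"family": "FamilyB",
     "files": ["C:\\Windows\\Temp\\def456.dll", "C:\\Windows\\Temp\\def456.log"],
     "registry": [SVC_KEY + "\\def456"],
     "network": ["GET /placeholder-b/ping"]},
]


def normalize(kind: str, artifact: str) -> str:
    """Generalize one artifact so randomized leaf names do not fragment features."""
    if kind in ("file", "registry"):
        parent = artifact.rsplit("\\", 1)[0]  # keep parent dir/key, wildcard the leaf
        return ("file:" if kind == "file" else "reg:") + parent + "\\*"
    return "net:" + artifact  # method + path is already the family-specific part here


def extract_features(report: dict) -> Set[str]:
    feats: Set[str] = set()
    for kind, key in (("file", "files"), ("registry", "registry"), ("network", "network")):
        feats.update(normalize(kind, a) for a in report.get(key, []))
    return feats


def train(reports: List[dict], min_support: float = 0.5) -> Dict[str, Set[str]]:
    """Per family, keep the features seen in at least min_support of its samples."""
    by_family: Dict[str, List[Set[str]]] = defaultdict(list)
    for r in reports:
        by_family[r["family"]].append(extract_features(r))
    profiles: Dict[str, Set[str]] = {}
    for family, sample_sets in by_family.items():
        counts = Counter(f for s in sample_sets for f in s)
        profiles[family] = {f for f, c in counts.items() if c >= min_support * len(sample_sets)}
    return profiles


def jaccard(a: Set[str], b: Set[str]) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def classify_by_behavior(report: dict, profiles: Dict[str, Set[str]],
                         threshold: float = 0.3) -> str:
    """Nearest family profile by Jaccard similarity; 'unknown' below the threshold."""
    feats = extract_features(report)
    best_family, best_score = max(((fam, jaccard(feats, prof)) for fam, prof in profiles.items()),
                                  key=lambda item: item[1])
    return best_family if best_score >= threshold else "unknown"


# Constructed unlabeled samples: one FamilyA-like with fresh random names,
# one whose artifacts match neither profile.
NEW_SAMPLE = {"files": ["C:\\Users\\u\\AppData\\Roaming\\poiuyt.exe"],
              "registry": [RUN_KEY + "\\poiuyt"],
              "network": ["POST /placeholder-a/upload"]}
UNRELATED_SAMPLE = {"files": ["C:\\ProgramData\\x\\y.exe"],
                    "registry": [],
                    "network": ["GET /placeholder-c/beacon"]}

if __name__ == "__main__":
    learned = train(TRAINING_REPORTS)
    print(classify_by_behavior(NEW_SAMPLE, learned))          # FamilyA
    print(classify_by_behavior(UNRELATED_SAMPLE, learned))    # unknown
    print(classify_by_signature(b"MZ" + SIGNATURES["FamilyA"]))  # FamilyA
```

The `min_support` cut keeps only artifacts most samples of a family exhibit, so an incidental file or connection seen once does not become part of the profile; the `threshold` in `classify_by_behavior` is what lets a sample from an unseen family fall through as `unknown` instead of being forced into the nearest known one.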
TITLE
Unveiling Zeus: automated classification of malware samples