DOI: 10.1145/2590296.2590319
Research article

Malware detection with quantitative data flow graphs

Published: 04 June 2014

Abstract

We propose a novel behavioral malware detection approach based on a generic system-wide quantitative data flow model. We base our data flow analysis on the incremental construction of aggregated quantitative data flow graphs. These graphs represent communication between different system entities such as processes, sockets, files or system registries. We demonstrate the feasibility of our approach through a prototypical instantiation and implementation for the Windows operating system. Our experiments yield encouraging results: in our data set of samples from common malware families and popular non-malicious applications, our approach has a detection rate of 96% and a false positive rate of less than 1.6%. In comparison with closely related data flow based approaches, we achieve similar detection effectiveness with considerably better performance: an average full system analysis takes less than one second.




Published In

ASIA CCS '14: Proceedings of the 9th ACM symposium on Information, computer and communications security
June 2014
556 pages
ISBN:9781450328005
DOI:10.1145/2590296
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. behavioral malware analysis
  2. data flow tracking
  3. intrusion detection
  4. malware detection
  5. quantitative data flows

Conference

ASIA CCS '14

Acceptance Rates

ASIA CCS '14 Paper Acceptance Rate 50 of 255 submissions, 20%;
Overall Acceptance Rate 418 of 2,322 submissions, 18%

Cited By

  • (2024) A Construction Method for Grade Protection System Based on STRIDE Threat Modeling. Applied Mathematics and Nonlinear Sciences, 9:1. DOI: 10.2478/amns-2024-1488. Online publication date: 13-Jun-2024.
  • (2024) A Comprehensive Analysis of Explainable AI for Malware Hunting. ACM Computing Surveys, 56:12, pages 1-40. DOI: 10.1145/3677374. Online publication date: 11-Jul-2024.
  • (2024) Improving Windows Malware Detection Using the Random Forest Algorithm and Multi-View Analysis. International Journal of Software Engineering and Knowledge Engineering, 34:06, pages 909-939. DOI: 10.1142/S0218194024500086. Online publication date: 13-Apr-2024.
  • (2024) GAGE: Genetic Algorithm-Based Graph Explainer for Malware Analysis. 2024 IEEE 40th International Conference on Data Engineering (ICDE), pages 2258-2270. DOI: 10.1109/ICDE60146.2024.00179. Online publication date: 13-May-2024.
  • (2024) Malware Detection Using Control Flow Graphs. 2024 2nd International Conference on Device Intelligence, Computing and Communication Technologies (DICCT), pages 216-220. DOI: 10.1109/DICCT61038.2024.10532908. Online publication date: 15-Mar-2024.
  • (2023) Metamorphic Malware and Obfuscation. Security and Communication Networks, 2023. DOI: 10.1155/2023/8227751. Online publication date: 1-Jan-2023.
  • (2023) Using deep graph learning to improve dynamic analysis-based malware detection in PE files. Journal of Computer Virology and Hacking Techniques. DOI: 10.1007/s11416-023-00505-x. Online publication date: 20-Oct-2023.
  • (2023) A review on graph-based approaches for network security monitoring and botnet detection. International Journal of Information Security, 23:1, pages 119-140. DOI: 10.1007/s10207-023-00742-7. Online publication date: 30-Aug-2023.
  • (2022) Malware Classification Method Using API Call Categorization. Proceedings of the 2022 International Conference on Engineering and Information Technology for Sustainable Industry, pages 1-6. DOI: 10.1145/3557738.3557851. Online publication date: 21-Sep-2022.
  • (2022) Machine Learning Approach for Malware Analysis and Detection. 2022 2nd International Conference on Innovative Sustainable Computational Technologies (CISCT), pages 1-7. DOI: 10.1109/CISCT55310.2022.10046632. Online publication date: 23-Dec-2022.
