
A graph-based framework for malicious software detection and classification utilizing temporal-graphs

Published: 01 January 2021

Abstract

In this paper we present a graph-based framework that, utilizing relations between groups of system calls, detects whether an unknown software sample is malicious or benign, and classifies a malicious sample into one of a set of known malware families. In our approach we propose a novel representation of dependency graphs that captures their structural evolution over time by constructing sequential graph instances, the so-called temporal graphs. Partitioning the temporal evolution of a graph into specific time-slots results in different types of graph representations, depending on the information captured while recording that evolution. The proposed graph-based framework uses these types of temporal graphs, computing similarity metrics over various graph characteristics in order to carry out the malware detection and classification procedures. Finally, we evaluate the detection rates and the classification ability of the proposed framework through a series of experiments over a set of known malware samples pre-classified into malware families.
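The following Python example is an added illustration of the idea sketched in the abstract and is not the authors' code: it assumes a constructed mapping of system calls to coarse groups, builds one dependency graph per time-slot (an edge for each pair of consecutive calls within the slot), and scores an unknown sample against known family members with a mean per-slot Jaccard similarity. The paper's actual groups, slotting scheme and similarity metrics are not given on this page, so all of those choices are assumptions.

```python
"""Temporal dependency graphs over system-call groups (added illustration).
Assumptions (not taken from the paper): calls map to coarse groups, a slot's
graph has an edge (g1, g2) for every pair of consecutive calls inside that
slot, and similarity is the mean per-slot Jaccard index of the edge sets."""
from collections import defaultdict

# Constructed, illustrative grouping; the paper's own system-call groups are not given here.
GROUPS = {"NtOpenFile": "file", "NtWriteFile": "file", "NtCreateProcess": "proc",
          "RegSetValue": "reg", "connect": "net", "send": "net"}

def temporal_graphs(trace, slot_len):
    """trace: list of (timestamp, syscall). Returns one edge set per time slot,
    so the sequence records how the dependency graph evolves during execution."""
    if not trace:
        return []
    slots = defaultdict(set)
    prev_slot, prev_group = None, None
    for ts, call in sorted(trace):
        slot, group = int(ts // slot_len), GROUPS.get(call, "other")
        if slot == prev_slot:  # only consecutive calls inside one slot form an edge
            slots[slot].add((prev_group, group))
        prev_slot, prev_group = slot, group
    n_slots = int(max(ts for ts, _ in trace) // slot_len) + 1
    return [slots[i] for i in range(n_slots)]

def jaccard(a, b):
    return 1.0 if not a and not b else len(a & b) / len(a | b)

def temporal_similarity(tg_a, tg_b):
    """Mean Jaccard similarity slot by slot; the shorter sequence is padded with empty slots."""
    n = max(len(tg_a), len(tg_b))
    if n == 0:
        return 1.0
    a = tg_a + [set()] * (n - len(tg_a))
    b = tg_b + [set()] * (n - len(tg_b))
    return sum(jaccard(x, y) for x, y in zip(a, b)) / n

def classify(sample_tg, families, threshold):
    """families: {family_name: [temporal graphs of known members]}. Returns the
    closest family and its score, or ('benign', score) when no family reaches the threshold."""
    name, score = max(((f, max(temporal_similarity(sample_tg, m) for m in members))
                       for f, members in families.items()), key=lambda p: p[1])
    return (name, score) if score >= threshold else ("benign", score)

# Constructed traces (timestamp, syscall): a known family member, an unknown
# sample resembling it, and a benign file-editing process.
KNOWN = [(1, "NtOpenFile"), (3, "NtWriteFile"), (5, "NtCreateProcess"),
         (12, "RegSetValue"), (14, "connect"), (17, "send")]
UNKNOWN = [(2, "NtOpenFile"), (4, "NtWriteFile"), (6, "NtCreateProcess"),
           (11, "RegSetValue"), (15, "connect")]
BENIGN = [(0, "NtOpenFile"), (2, "NtOpenFile"), (4, "NtWriteFile"), (11, "NtWriteFile")]
FAMILIES = {"dropper": [temporal_graphs(KNOWN, 10)]}
```

Calling `classify(temporal_graphs(UNKNOWN, 10), FAMILIES, 0.6)` labels the unknown sample as the constructed "dropper" family, while the benign trace falls below the threshold.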


Published In

Journal of Computer Security, Volume 29, Issue 6, 2021, 137 pages

Publisher

IOS Press, Netherlands

Author Tags

  1. Malicious software
  2. malware classification
  3. security
  4. temporal graphs
  5. graph similarity
