A hybrid model to detect malicious executables

Mohammad M. Masud; Latifur Khan; Bhavani Thuraisingham

doi:10.1109/ICC.2007.242

A hybrid model to detect malicious executables

Mohammad M. Masud, Latifur Khan, Bhavani Thuraisingham

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

46 Citations (Scopus)

Abstract

We present a hybrid data mining approach to detect malicious executables. In this approach we identify important features of the malicious and benign executables. These features are used by a classifier to learn a classification model that can distinguish between malicious and benign executables. We construct a novel combination of three different kinds of features: binary n-grams, assembly n-grams, and library function calls. Binary features are extracted from the binary executables, whereas assembly features are extracted from the disassembled executables. The function call features are extracted from the program headers. We also propose an efficient and scalable feature extraction technique. We apply our model on a large corpus of real benign and malicious executables. We extract the abovementioned features from the data and train a classifier using Support Vector Machine. This classifier achieves a very high accuracy and low false positive rate in detecting malicious executables. Our model is compared with other feature-based approaches, and found to be more efficient in terms of detection accuracy and false alarm rate.

Original language	English
Title of host publication	2007 IEEE International Conference on Communications, ICC'07
Pages	1443-1448
Number of pages	6
DOIs	https://doi.org/10.1109/ICC.2007.242
Publication status	Published - Dec 1 2007
Externally published	Yes
Event	2007 IEEE International Conference on Communications, ICC'07 - Glasgow, Scotland, United Kingdom Duration: Jun 24 2007 → Jun 28 2007

Publication series

Name	IEEE International Conference on Communications
ISSN (Print)	0536-1486

Other

Other	2007 IEEE International Conference on Communications, ICC'07
Country/Territory	United Kingdom
City	Glasgow, Scotland
Period	6/24/07 → 6/28/07

Keywords

Disassembly
Feature extraction
Malicious executable
N-gram analysis

ASJC Scopus subject areas

Computer Networks and Communications
Electrical and Electronic Engineering

Access to Document

10.1109/ICC.2007.242

Cite this

Masud, MM, Khan, L & Thuraisingham, B 2007, A hybrid model to detect malicious executables. in 2007 IEEE International Conference on Communications, ICC'07., 4288913, IEEE International Conference on Communications, pp. 1443-1448, 2007 IEEE International Conference on Communications, ICC'07, Glasgow, Scotland, United Kingdom, 6/24/07. https://doi.org/10.1109/ICC.2007.242

@inproceedings{abd16e47a6c4493d99a9bd8ef5d15785,

title = "A hybrid model to detect malicious executables",

abstract = "We present a hybrid data mining approach to detect malicious executables. In this approach we identify important features of the malicious and benign executables. These features are used by a classifier to learn a classification model that can distinguish between malicious and benign executables. We construct a novel combination of three different kinds of features: binary n-grams, assembly n-grams, and library function calls. Binary features are extracted from the binary executables, whereas assembly features are extracted from the disassembled executables. The function call features are extracted from the program headers. We also propose an efficient and scalable feature extraction technique. We apply our model on a large corpus of real benign and malicious executables. We extract the abovementioned features from the data and train a classifier using Support Vector Machine. This classifier achieves a very high accuracy and low false positive rate in detecting malicious executables. Our model is compared with other feature-based approaches, and found to be more efficient in terms of detection accuracy and false alarm rate.",

keywords = "Disassembly, Feature extraction, Malicious executable, N-gram analysis",

author = "Masud, {Mohammad M.} and Latifur Khan and Bhavani Thuraisingham",

year = "2007",

month = dec,

day = "1",

doi = "10.1109/ICC.2007.242",

language = "English",

isbn = "1424403537",

series = "IEEE International Conference on Communications",

pages = "1443--1448",

booktitle = "2007 IEEE International Conference on Communications, ICC'07",

note = "2007 IEEE International Conference on Communications, ICC'07 ; Conference date: 24-06-2007 Through 28-06-2007",

}

TY - GEN

T1 - A hybrid model to detect malicious executables

AU - Masud, Mohammad M.

AU - Khan, Latifur

AU - Thuraisingham, Bhavani

PY - 2007/12/1

Y1 - 2007/12/1

N2 - We present a hybrid data mining approach to detect malicious executables. In this approach we identify important features of the malicious and benign executables. These features are used by a classifier to learn a classification model that can distinguish between malicious and benign executables. We construct a novel combination of three different kinds of features: binary n-grams, assembly n-grams, and library function calls. Binary features are extracted from the binary executables, whereas assembly features are extracted from the disassembled executables. The function call features are extracted from the program headers. We also propose an efficient and scalable feature extraction technique. We apply our model on a large corpus of real benign and malicious executables. We extract the abovementioned features from the data and train a classifier using Support Vector Machine. This classifier achieves a very high accuracy and low false positive rate in detecting malicious executables. Our model is compared with other feature-based approaches, and found to be more efficient in terms of detection accuracy and false alarm rate.

AB - We present a hybrid data mining approach to detect malicious executables. In this approach we identify important features of the malicious and benign executables. These features are used by a classifier to learn a classification model that can distinguish between malicious and benign executables. We construct a novel combination of three different kinds of features: binary n-grams, assembly n-grams, and library function calls. Binary features are extracted from the binary executables, whereas assembly features are extracted from the disassembled executables. The function call features are extracted from the program headers. We also propose an efficient and scalable feature extraction technique. We apply our model on a large corpus of real benign and malicious executables. We extract the abovementioned features from the data and train a classifier using Support Vector Machine. This classifier achieves a very high accuracy and low false positive rate in detecting malicious executables. Our model is compared with other feature-based approaches, and found to be more efficient in terms of detection accuracy and false alarm rate.

KW - Disassembly

KW - Feature extraction

KW - Malicious executable

KW - N-gram analysis

UR - http://www.scopus.com/inward/record.url?scp=38549122470&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=38549122470&partnerID=8YFLogxK

U2 - 10.1109/ICC.2007.242

DO - 10.1109/ICC.2007.242

M3 - Conference contribution

AN - SCOPUS:38549122470

SN - 1424403537

SN - 9781424403530

T3 - IEEE International Conference on Communications

SP - 1443

EP - 1448

BT - 2007 IEEE International Conference on Communications, ICC'07

T2 - 2007 IEEE International Conference on Communications, ICC'07

Y2 - 24 June 2007 through 28 June 2007

ER -

A hybrid model to detect malicious executables

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this