A scalable approach for malware detection through bounded feature space behavior modeling

Mahinthan Chandramohan, Hee Beng Kuan Tan, Lionel C. Briand, Lwin Khin Shar, Bindu Madhavi Padmanabhuni

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

In recent years, malware (malicious software) has greatly evolved and has become very sophisticated. The evolution of malware makes it difficult to detect using traditional signature-based malware detectors. Thus, researchers have proposed various behavior-based malware detection techniques to mitigate this problem. However, there are still serious shortcomings, related to scalability and computational complexity, in existing malware behavior modeling techniques. This raises questions about the practical applicability of these techniques. This paper proposes and evaluates a bounded feature space behavior modeling (BOFM) framework for scalable malware detection. BOFM models the interactions between software (which can be malware or benign) and security-critical OS resources in a scalable manner. Information collected at run-time according to this model is then used by machine learning algorithms to learn how to accurately classify software as malware or benign. One of the key problems with simple malware behavior modeling (e.g., n-gram model) is that the number of malware features (i.e., signatures) grows proportional to the size of execution traces, with a resulting malware feature space that is so large that it makes the detection process very challenging. On the other hand, in BOFM, the malware feature space is bounded by an upper limit N, a constant, and the results of our experiments show that its computation time and memory usage are vastly lower than in currently reported, malware detection techniques, while preserving or even improving their high detection accuracy.

Original languageEnglish
Title of host publication2013 28th IEEE/ACM International Conference on Automated Software Engineering, ASE 2013 - Proceedings
Pages312-322
Number of pages11
DOIs
Publication statusPublished - 2013
Externally publishedYes
Event2013 28th IEEE/ACM International Conference on Automated Software Engineering, ASE 2013 - Palo Alto, CA, United States
Duration: 11 Nov 201315 Nov 2013

Publication series

Name2013 28th IEEE/ACM International Conference on Automated Software Engineering, ASE 2013 - Proceedings

Conference

Conference2013 28th IEEE/ACM International Conference on Automated Software Engineering, ASE 2013
Country/TerritoryUnited States
CityPalo Alto, CA
Period11/11/1315/11/13

Keywords

  • Malware behavior modeling
  • Malware detection

Fingerprint

Dive into the research topics of 'A scalable approach for malware detection through bounded feature space behavior modeling'. Together they form a unique fingerprint.

Cite this