TY - GEN
T1 - A scalable approach for malware detection through bounded feature space behavior modeling
AU - Chandramohan, Mahinthan
AU - Tan, Hee Beng Kuan
AU - Briand, Lionel C.
AU - Shar, Lwin Khin
AU - Padmanabhuni, Bindu Madhavi
PY - 2013
Y1 - 2013
N2 - In recent years, malware (malicious software) has greatly evolved and has become very sophisticated. The evolution of malware makes it difficult to detect using traditional signature-based malware detectors. Thus, researchers have proposed various behavior-based malware detection techniques to mitigate this problem. However, there are still serious shortcomings, related to scalability and computational complexity, in existing malware behavior modeling techniques. This raises questions about the practical applicability of these techniques. This paper proposes and evaluates a bounded feature space behavior modeling (BOFM) framework for scalable malware detection. BOFM models the interactions between software (which can be malware or benign) and security-critical OS resources in a scalable manner. Information collected at run-time according to this model is then used by machine learning algorithms to learn how to accurately classify software as malware or benign. One of the key problems with simple malware behavior modeling (e.g., the n-gram model) is that the number of malware features (i.e., signatures) grows proportionally to the size of execution traces, with a resulting malware feature space that is so large that it makes the detection process very challenging. On the other hand, in BOFM, the malware feature space is bounded by an upper limit N, a constant, and the results of our experiments show that its computation time and memory usage are vastly lower than in currently reported malware detection techniques, while preserving or even improving their high detection accuracy.
AB - In recent years, malware (malicious software) has greatly evolved and has become very sophisticated. The evolution of malware makes it difficult to detect using traditional signature-based malware detectors. Thus, researchers have proposed various behavior-based malware detection techniques to mitigate this problem. However, there are still serious shortcomings, related to scalability and computational complexity, in existing malware behavior modeling techniques. This raises questions about the practical applicability of these techniques. This paper proposes and evaluates a bounded feature space behavior modeling (BOFM) framework for scalable malware detection. BOFM models the interactions between software (which can be malware or benign) and security-critical OS resources in a scalable manner. Information collected at run-time according to this model is then used by machine learning algorithms to learn how to accurately classify software as malware or benign. One of the key problems with simple malware behavior modeling (e.g., the n-gram model) is that the number of malware features (i.e., signatures) grows proportionally to the size of execution traces, with a resulting malware feature space that is so large that it makes the detection process very challenging. On the other hand, in BOFM, the malware feature space is bounded by an upper limit N, a constant, and the results of our experiments show that its computation time and memory usage are vastly lower than in currently reported malware detection techniques, while preserving or even improving their high detection accuracy.
KW - Malware behavior modeling
KW - Malware detection
UR - http://www.scopus.com/inward/record.url?scp=84893627625&partnerID=8YFLogxK
U2 - 10.1109/ASE.2013.6693090
DO - 10.1109/ASE.2013.6693090
M3 - Conference contribution
AN - SCOPUS:84893627625
SN - 9781479902156
T3 - 2013 28th IEEE/ACM International Conference on Automated Software Engineering, ASE 2013 - Proceedings
SP - 312
EP - 322
BT - 2013 28th IEEE/ACM International Conference on Automated Software Engineering, ASE 2013 - Proceedings
T2 - 2013 28th IEEE/ACM International Conference on Automated Software Engineering, ASE 2013
Y2 - 11 November 2013 through 15 November 2013
ER -