Title: Determining malicious executable distinguishing attributes and low-complexity detection

Authors: Hassan Khan, Fauzan Mirza, Syed Ali Khayam

Affiliation: (1) Department of Computer Science, The University of Texas at Dallas, 2700 Waterview Pkwy, #5116, Richardson, TX 75080, USA; (2) Department of Computer Science, The University of Texas at Dallas, Box 830688, EC 31, Richardson, TX 75083-0688, USA

Abstract: Detection of rapidly evolving malware requires classification techniques that can effectively and efficiently detect zero-day attacks. Such detection is based on a robust model of benign behavior, and deviations from that model are used to detect malicious behavior. In this paper we propose a low-complexity host-based technique that uses deviations in static file attributes to detect malicious executables. We first develop simple statistical models of static file attributes derived from the empirical data of thousands of benign executables. Deviations among the attribute models of benign and malware executables are then quantified using information-theoretic (Kullback-Leibler-based) divergence measures. This quantification reveals distinguishing attributes that are considerably divergent between benign and malware executables and therefore can be used for detection. We use the benign models of divergent attributes in cross-correlation and log-likelihood frameworks to classify malicious executables. Our results, using over 4,000 malicious file samples, indicate that the proposed detector provides reasonably high detection accuracy, while having significantly lower complexity than existing detectors.