A layered classification for malicious function identification and malware detection
Author(s) -
Liu Ting,
Guan Xiaohong,
Qu Yu,
Sun Yanan
Publication year - 2011
Publication title - Concurrency and Computation: Practice and Experience
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.309
H-Index - 67
eISSN - 1532-0634
pISSN - 1532-0626
DOI - 10.1002/cpe.1896
Subject(s) - malware, computer science, naive Bayes classifier, classifier (UML), decision tree, machine learning, artificial intelligence, boosting (machine learning), data mining, support vector machine, pattern recognition (psychology), computer security
SUMMARY - Millions of new malicious programs are produced by the mature malware-production industry. These programs pose tremendous challenges to signature-based antivirus products. Machine learning techniques can detect unknown malicious programs without knowing their signatures. In this paper, a layered classification method is developed to detect malware with a two-layer framework. The low-level classifier is employed to identify whether a program performs any malicious functions according to the program's API calls; the up-level classifier is applied to detect malware according to the results of that function identification. A hybrid structure called Type-Function, composed of the classification results of the low-level classifier and the up-level classifier, is proposed to describe the malware. This method is compared with naive Bayes, decision tree, and boosting using a comprehensive test dataset containing 16,135 malware samples and 1800 benign programs. The experiments demonstrate that our method outperforms the other algorithms in terms of detection accuracy. Moreover, the Type-Function structure is proved to be an unbiased and effective method for malware description. Copyright © 2011 John Wiley & Sons, Ltd.