Three-phase Behavior-based Detection and Classification of Known and Unknown Malware
利用三階段行為分析來偵測和分類已知與未知的惡意程式

Master's thesis, National Chiao Tung University, Institute of Network Engineering, academic year 101 (ROC calendar).

Abstract: In recent years, many anti-malware solutions have been proposed. To improve both detection accuracy and time efficiency for known and even unknown malware, we propose a three-phase behavior-based malware detection and classification approach: a fast detector in the first phase filters most programs, a slow detector in the second phase examines the programs that pass the filter, and a classifier in the third phase identifies the malware type. The fast detector runs programs in a sandbox to extract external behaviors, which are fed into a trained artificial neural network (ANN) to evaluate their maliciousness, while the slow detector extracts and matches internal behaviors, i.e., the longest common substring (LCS) of system call sequences, which are fed into a trained Bayesian model to calculate their maliciousness. In the third phase, we define malware type vectors consisting of internal behaviors and calculate the cosine similarity to classify malware. The experimental results show that the integrated two-phase detection performs significantly better than either one-phase detection alone in both detection accuracy and time efficiency. The proposed two-phase detection scheme achieves a false negative rate (FNR) of 3.6% and a false positive rate (FPR) of 6.8%. In addition, the approach distinguishes malware of known types from unknown samples with an accuracy of 85.8%.

| Main Authors: | Hsu, Peng-Kai (徐鵬凱) |
|---|---|
| Other Authors: | Lin, Ying-Dar (林盈達) |
| Type: | thesis (學位論文) |
| Extent: | 36 pages |
| Format: | Others |
| Language: | en_US |
| Published: | 2013 |
| Online Access: | http://ndltd.ncl.edu.tw/handle/82426559073938778368 |
| id | ndltd-TW-101NCTU5726024 |
|---|---|
| record_format | oai_dc |
| collection | NDLTD |
| language | en_US |
| format | Others |
| sources | NDLTD |
| description | Master's === National Chiao Tung University === Institute of Network Engineering === 101 === In recent years, many anti-malware solutions have been proposed. To improve both detection accuracy and time efficiency for known and even unknown malware, we propose a three-phase behavior-based malware detection and classification approach: a fast detector in the first phase filters most programs, a slow detector in the second phase examines the programs that pass the filter, and a classifier in the third phase identifies the malware type. The fast detector runs programs in a sandbox to extract external behaviors, which are fed into a trained artificial neural network (ANN) to evaluate their maliciousness, while the slow detector extracts and matches internal behaviors, i.e., the longest common substring (LCS) of system call sequences, which are fed into a trained Bayesian model to calculate their maliciousness. In the third phase, we define malware type vectors consisting of internal behaviors and calculate the cosine similarity to classify malware. The experimental results show that the integrated two-phase detection performs significantly better than either one-phase detection alone in both detection accuracy and time efficiency. The proposed two-phase detection scheme achieves a false negative rate (FNR) of 3.6% and a false positive rate (FPR) of 6.8%. In addition, the approach distinguishes malware of known types from unknown samples with an accuracy of 85.8%. |
| author2 | Lin, Ying-Dar |
| author | Hsu, Peng-Kai 徐鵬凱 |
| title | Three-phase Behavior-based Detection and Classification of Known and Unknown Malware |
| publishDate | 2013 |
| url | http://ndltd.ncl.edu.tw/handle/82426559073938778368 |