
Real-time Malware Detection Method Using Machine Learning

Real-time Malicious File Detection Technique Using Machine Learning

  • Received : 2017.10.16
  • Accepted : 2018.01.14
  • Published : 2018.03.31

Abstract

Recently, threat actors know that traditional security solutions are based on signatures that identify known threats, and so they create variants by altering the appearance of malware. Most commercial anti-virus and anti-malware products generally rely on signatures to detect malware and thus cannot detect unknown or zero-day malware effectively. In order to solve this problem, we propose a non-signature-based machine learning technique for detecting malware. Our method applies a decision tree to the Information Gain (IG) of each feature extracted from executable files, and it shows high accuracy at a low false positive rate. Since the recent rise of ransomware as a cybersecurity threat has become serious and widespread, we verify the effectiveness of our method by applying it to the ransomware domain.

Recently, threat actors have recognized that existing security solutions identify known threats based on signatures, and they create variants by altering the appearance of malware. Commercial anti-virus and anti-malware software generally relies on a set of signatures and is therefore poorly suited to detecting new malware. To address this problem, this paper proposes a non-signature-based machine learning method for detecting malware. The proposed method computes the Information Gain (IG) of each feature extracted from executable files and applies a decision tree to the result, achieving a high detection rate and a low false positive rate. We also apply the proposed method to ransomware, which has recently emerged as a serious cyber threat, and present the results to demonstrate the effectiveness of this paper.
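To make the IG-then-decision-tree idea in the abstract concrete, the following added example (not the paper's code, and not its feature set) ranks constructed binary PE-structure features by Information Gain and grows a small ID3-style tree on them; the feature names, sample vectors and labels are all hypothetical.

```python
import math
from collections import Counter

# Constructed toy data: binary PE-structure features (hypothetical names, not the
# paper's feature set) and a label, 1 = malicious, 0 = benign.
FEATURES = ["high_entropy_section", "no_debug_dir", "writable_exec_section", "has_version_info"]
SAMPLES = [
    ((1, 1, 1, 0), 1), ((1, 1, 0, 0), 1), ((1, 0, 1, 1), 1), ((0, 1, 1, 0), 1),
    ((0, 0, 0, 1), 0), ((0, 0, 0, 1), 0), ((1, 0, 0, 0), 0), ((0, 1, 0, 1), 0),
]

def entropy(labels):
    """Shannon entropy (bits) of a label list."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())

def information_gain(samples, idx):
    """IG of splitting on binary feature idx: H(parent) - sum(weight * H(child))."""
    parent = entropy([y for _, y in samples])
    remainder = 0.0
    for v in (0, 1):
        child = [y for x, y in samples if x[idx] == v]
        if child:
            remainder += len(child) / len(samples) * entropy(child)
    return parent - remainder

def rank_features(samples):
    """Features ordered by IG, highest first; the paper's selection step in miniature."""
    return sorted(((information_gain(samples, i), FEATURES[i])
                   for i in range(len(FEATURES))), reverse=True)

def build_tree(samples, depth=0, max_depth=3):
    """ID3-style tree: split on the highest-IG feature until pure, exhausted or too deep."""
    labels = [y for _, y in samples]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or depth == max_depth:
        return majority
    best = max(range(len(FEATURES)), key=lambda i: information_gain(samples, i))
    if information_gain(samples, best) == 0:
        return majority  # no feature separates the remaining samples
    return {"feature": best,
            0: build_tree([s for s in samples if s[0][best] == 0], depth + 1, max_depth),
            1: build_tree([s for s in samples if s[0][best] == 1], depth + 1, max_depth)}

def classify(tree, x):
    """Walk the tree with a feature vector; returns the predicted label."""
    while isinstance(tree, dict):
        tree = tree[x[tree["feature"]]]
    return tree
```

On this toy set the writable executable section carries the most information and becomes the root split; a tree like this evaluates in microseconds per file, which is what makes static-feature classification usable at scan time.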

Acknowledgement

Supported by: Soonchunhyang University


Cited by

  1. A Study on Automatic Classification Technology for Malware Packing Types, vol.28, pp.5, 2018, https://doi.org/10.13089/jkiisc.2018.28.5.1119
  2. Real-time Linux Malware Detection Using Machine Learning vol.17, pp.7, 2018, https://doi.org/10.14801/jkiit.2019.17.7.111
  3. Design and Development of a Preprocessing Method for Image-Based Deep Learning of Malware, vol.23, pp.5, 2018, https://doi.org/10.9717/kmms.2020.23.5.650
  4. ImageDetox: Method for the Neutralization of Malicious Code Hidden in Image Files vol.12, pp.10, 2018, https://doi.org/10.3390/sym12101621