Poster: Detecting malware through temporal function-based features

Eitan Menahem; Asaf Shabtai; Adi Levhar

doi:https://doi.org/10.1145/2508859.2512505

Poster: Detecting malware through temporal function-based features

Eitan Menahem, Asaf Shabtai, Adi Levhar

Department of Software and Information Systems Engineering

Ben-Gurion University of the Negev

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

In order to evade detection by anti-virus software, malware writers use techniques, such as polymorphism, metamorphism and code re-writing. The result is that such malware contain a much larger fraction of "new" code, compared to benign programs, which tend to maximize code reuse. In this research we study this interesting property and show that by performing "archaeological" analysis of functions residing within binary files (i.e., estimating the functions' creation date), a new set of informative features can be derived. We show that these features provide a good indication for the existence of malicious code within binary files. Preliminary experiments of the proposed temporal function-based features with a set of over 12,000 files indicates that the proposed set of features can be useful for the detection of malicious files (accuracy of over 90% and AUC of 0.96).

Original language	American English
Title of host publication	CCS 2013 - Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security
Pages	1379-1381
Number of pages	3
DOIs	https://doi.org/10.1145/2508859.2512505
State	Published - 9 Dec 2013
Event	2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013 - Berlin, Germany Duration: 4 Nov 2013 → 8 Nov 2013

Publication series

Name	Proceedings of the ACM Conference on Computer and Communications Security

Conference

Conference	2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013
Country/Territory	Germany
City	Berlin
Period	4/11/13 → 8/11/13

Keywords

machine learning
malware detection
static analysis

All Science Journal Classification (ASJC) codes

Software
Computer Networks and Communications

Access to Document

https://doi.org/10.1145/2508859.2512505

Cite this

@inproceedings{56592111a45944f8b862827369f1ed4e,

title = "Poster: Detecting malware through temporal function-based features",

abstract = "In order to evade detection by anti-virus software, malware writers use techniques, such as polymorphism, metamorphism and code re-writing. The result is that such malware contain a much larger fraction of {"}new{"} code, compared to benign programs, which tend to maximize code reuse. In this research we study this interesting property and show that by performing {"}archaeological{"} analysis of functions residing within binary files (i.e., estimating the functions' creation date), a new set of informative features can be derived. We show that these features provide a good indication for the existence of malicious code within binary files. Preliminary experiments of the proposed temporal function-based features with a set of over 12,000 files indicates that the proposed set of features can be useful for the detection of malicious files (accuracy of over 90% and AUC of 0.96).",

keywords = "machine learning, malware detection, static analysis",

author = "Eitan Menahem and Asaf Shabtai and Adi Levhar",

year = "2013",

month = dec,

day = "9",

doi = "https://doi.org/10.1145/2508859.2512505",

language = "American English",

isbn = "9781450324779",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

pages = "1379--1381",

booktitle = "CCS 2013 - Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security",

note = "2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013 ; Conference date: 04-11-2013 Through 08-11-2013",

}

Menahem, E, Shabtai, A & Levhar, A 2013, Poster: Detecting malware through temporal function-based features. in CCS 2013 - Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, pp. 1379-1381, 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, Berlin, Germany, 4/11/13. https://doi.org/10.1145/2508859.2512505

Poster: Detecting malware through temporal function-based features. / Menahem, Eitan; Shabtai, Asaf; Levhar, Adi.
CCS 2013 - Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security. 2013. p. 1379-1381 (Proceedings of the ACM Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Poster

T2 - 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013

AU - Menahem, Eitan

AU - Shabtai, Asaf

AU - Levhar, Adi

PY - 2013/12/9

Y1 - 2013/12/9

N2 - In order to evade detection by anti-virus software, malware writers use techniques, such as polymorphism, metamorphism and code re-writing. The result is that such malware contain a much larger fraction of "new" code, compared to benign programs, which tend to maximize code reuse. In this research we study this interesting property and show that by performing "archaeological" analysis of functions residing within binary files (i.e., estimating the functions' creation date), a new set of informative features can be derived. We show that these features provide a good indication for the existence of malicious code within binary files. Preliminary experiments of the proposed temporal function-based features with a set of over 12,000 files indicates that the proposed set of features can be useful for the detection of malicious files (accuracy of over 90% and AUC of 0.96).

AB - In order to evade detection by anti-virus software, malware writers use techniques, such as polymorphism, metamorphism and code re-writing. The result is that such malware contain a much larger fraction of "new" code, compared to benign programs, which tend to maximize code reuse. In this research we study this interesting property and show that by performing "archaeological" analysis of functions residing within binary files (i.e., estimating the functions' creation date), a new set of informative features can be derived. We show that these features provide a good indication for the existence of malicious code within binary files. Preliminary experiments of the proposed temporal function-based features with a set of over 12,000 files indicates that the proposed set of features can be useful for the detection of malicious files (accuracy of over 90% and AUC of 0.96).

KW - machine learning

KW - malware detection

KW - static analysis

UR - http://www.scopus.com/inward/record.url?scp=84889035083&partnerID=8YFLogxK

U2 - https://doi.org/10.1145/2508859.2512505

DO - https://doi.org/10.1145/2508859.2512505

M3 - Conference contribution

SN - 9781450324779

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 1379

EP - 1381

BT - CCS 2013 - Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security

Y2 - 4 November 2013 through 8 November 2013

ER -

Poster: Detecting malware through temporal function-based features

Abstract

Publication series

Conference

Keywords

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this