Polymorphic malware detection using Hierarchical Hidden Markov Model

Muhaya, Fahad Bin, Khan, Muhammad Khurram and Xiang, Yang 2011, Polymorphic malware detection using Hierarchical Hidden Markov Model, in DASC 2011 : Proceedings of the 2011 IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing, IEEE Computer Society Conference Publishing Services (CPS), [Piscataway, N.J.], pp. 151-155.


Title: Polymorphic malware detection using Hierarchical Hidden Markov Model
Author(s): Muhaya, Fahad Bin; Khan, Muhammad Khurram; Xiang, Yang
Conference name: IEEE International Conference on Dependable, Autonomic and Secure Computing (9th : 2011 : Sydney, N.S.W.)
Conference location: Sydney, N.S.W.
Conference dates: 12-14 Dec. 2011
Title of proceedings: DASC 2011 : Proceedings of the 2011 IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing
Editor(s): [Unknown]
Publication date: 2011
Conference series: International Conference on Dependable, Autonomic and Secure Computing
Start page: 151
End page: 155
Total pages: 5
Publisher: IEEE Computer Society Conference Publishing Services (CPS)
Place of publication: [Piscataway, N.J.]
Keyword(s): botnet; malware; network security; hierarchical hidden Markov model
Summary: Binary signatures have been widely used to detect malicious software on the current Internet. However, this approach is unable to achieve accurate identification of polymorphic malware variants, which malware authors can easily generate using code generation engines. Code generation engines randomly produce varying code sequences that nevertheless perform the same malicious functions. Previous research used flow graphs and signature trees to identify polymorphic malware families. The key difficulty of that research is generating precisely defined state machine models from polymorphic variants. This paper proposes a novel approach, using a Hierarchical Hidden Markov Model (HHMM), to provide accurate inductive inference of the malware family. This model can capture the self-similar and hierarchical structure of polymorphic malware family signature sequences. To demonstrate the effectiveness and efficiency of this approach, we evaluate it with real malware samples. Using more than 15,000 real malware samples, we find that our approach achieves high true positives, low false positives, and low computational cost.
ISBN: 0769546129; 9780769546124
Language: eng
Field of Research: 080503 Networking and Communications
Socio Economic Objective: 890201 Application Software Packages (excl. Computer Games)
HERDC Research category: E1 Full written paper - refereed
HERDC collection year: 2011
Copyright notice: ©2011, IEEE
Persistent URL: http://hdl.handle.net/10536/DRO/DU:30044844

Document type: Conference Paper
Collection: School of Information Technology

Created: Tue, 01 May 2012, 11:01:58 EST
