Zero-day malware detection based on supervised learning algorithms of API call signatures

Alazab, Mamoun, Venkatraman, Sitalakshmi, Watters, Paul and Alazab, Moutaz 2011, Zero-day malware detection based on supervised learning algorithms of API call signatures, in AusDM 11 : Proceedings of the Ninth Australasian Data Mining Conference, Australian Computer Society, Ballarat, Vic., pp. 171-182.

Title: Zero-day malware detection based on supervised learning algorithms of API call signatures
Author(s): Alazab, Mamoun; Venkatraman, Sitalakshmi; Watters, Paul; Alazab, Moutaz
Conference name: Australasian Data Mining Conference (9th : 2011 : Ballarat, Vic.)
Conference location: Ballarat, Australia
Conference dates: 1-2 Dec. 2011
Title of proceedings: AusDM 11 : Proceedings of the Ninth Australasian Data Mining Conference
Editor(s): Vamplew, P.; Stranieri, A.; Ong, K.-L.; Christen, P.; Kennedy, P. J.
Publication date: 2011
Conference series: Australasian Data Mining Conference
Start page: 171
End page: 182
Total pages: 12
Publisher: Australian Computer Society
Place of publication: Ballarat, Vic.
Keyword(s): malware; intrusion detection; obfuscation; API
Summary: Zero-day or unknown malware is created using code obfuscation techniques that modify the parent code to produce offspring copies which have the same functionality but different signatures. Current techniques reported in the literature lack the capability to detect zero-day malware with the required accuracy and efficiency. In this paper, we propose and evaluate a novel method that employs several data mining techniques to detect and classify zero-day malware with high accuracy and efficiency based on the frequency of Windows API calls. The paper describes the methodology employed to collect large data sets for training the classifiers, and analyses the performance results of the various data mining algorithms adopted for the study, using a fully automated tool developed in this research to conduct the experimental investigations and evaluation. Through the performance results of these algorithms from our experimental analysis, we are able to evaluate and discuss the advantages of one data mining algorithm over another for accurately detecting zero-day malware. The data mining framework employed in this research learns by analysing the behaviour of existing malicious and benign code in large datasets. We have employed robust classifiers, namely the Naïve Bayes (NB) algorithm, the k-Nearest Neighbour (kNN) algorithm, the Sequential Minimal Optimization (SMO) algorithm with 4 different kernels (SMO - Normalized PolyKernel, SMO - PolyKernel, SMO - Puk, and SMO - Radial Basis Function (RBF)), the Backpropagation Neural Network algorithm, and the J48 decision tree, and have evaluated their performance. Overall, the automated data mining system implemented for this study achieved a high true positive (TP) rate of more than 98.5% and a low false positive (FP) rate of less than 0.025, which has not been achieved in the literature so far. This is much higher than the required commercial acceptance level, indicating that our novel technique is a major step forward in detecting zero-day malware. This paper also offers future directions for researchers in exploring different aspects of obfuscation that are affecting the IT world today.
ISBN: 9781921770029
ISSN: 1445-1336
Language: eng
Field of Research: 089999 Information and Computing Sciences not elsewhere classified
Socio Economic Objective: 970108 Expanding Knowledge in the Information and Computing Sciences
HERDC Research category: E1 Full written paper - refereed
Copyright notice: ©2011, Australian Computer Society
Persistent URL: http://hdl.handle.net/10536/DRO/DU:30044854

Document type: Conference Paper
Collection: School of Information Technology

Created: Tue, 01 May 2012, 11:02:35 EST
