Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
IMDS: Intelligent Malware Detection System Yanfang Ye Dingding Wang Tao Li Dongyi Ye Motivation Watch Out! Virus! Threat to the security of computer systems Signature based anti-virus systems fail to detect polymorphic or new malware Some data mining techniques have shown promising results on small collection of malicious executables Polymorphic or New X Signature based detection Our goal: Develop more effective and efficient data mining solutions to large collection of malicious executables OOA mining based classification Data Collection and Preprocessing PE viruses are in the majority of viruses rising in recent years 17366 malicious executables provided by Anti-virus Laboratory of KingSoft Corporation 12214 benign executables gathered from Windows system files Develop a PE parser to construct API execution sequences System Architecture OOA_Fast_FP_Growth algorithm Association rule based classification Objective Oriented Association Mining OOA Mining -- model association patterns relating to a user’s objective e.g. Obj1 = (Group = Malicious) Algorithms: OOA_Apriori, OOA_FP-Growth [1] OOA_Fast_FP-Growth algorithm[4] -- A modification of OOA_FP-Growth[2,3] Paths are directed, thus, fewer pointers are needed and less memory space is required Each node is the sequence number of an item, which is determined by the support count of the item Example (Kernel32.dll, OpenProcess;CopyFileA;CloseHandle;GetVersionExA;GetModuleFileNameA;WriteFile) Obj = (Group = Malicious) (os = 0.29, oc = 0.99) Associative Classification CBA[5] -- build on rules with high support and confidence Experimental results (1) • Efficiency Running time of different OOA mining algorithms Efficiency of different scanners (sample: 3393 malicious / 2217 benign) (sample: 500 malicious / 1500 benign) N: Norton AntiVirus M:McAfee D:Dr.Web K:Kaspersky SAVE [6]: Static Analyzer of Vicious Executables False positives of different scanners (1000 benign files) Experimental results (2) • Detection Ability Polymorphic malware detection Unknown malware detection Experimental results (3) • Detection accuracy with different data mining solutions Results by using different classifiers. TP, TN, FP, FN, DR, and ACY refer to True Positive, True Negative, False Positive, False Negative, Detection Rate, and Accuracy, respectively Conclusion Summary IMDS is an integrated system for malware detection, which consists of PE parser, OOA rule generator and rule based classifier It is the first try to apply associative mining to detect malicious code among large scale of executables The effectiveness and efficiency of IMDS outperform many widely-used anti-virus software and other data mining based malware detection methods Future Work Conduct further study to take sequence into consideration Selected References • • • • • • • • [1] Y.Shen, Q.Yang, and Z.Zhang. Objective-oriented utility-based association mining. In Proceedings of ICDM’02. [2] J. Han and M. Kamber. Data mining: Concepts and techniques, 2 nd edition. Morgan Kaufmann, 2006. [3] J. Han, J. Pei, and Y. Yin. Mining frequent patterns without candidate generation. In Proceedings of SIGMOD, pages 1.12, May 2000. [4] M. Fan and C. Li. Mining frequent patterns in an FP-tree without conditional FP-tree generation. Journal of Computer Research and Development, 40:1216.1222, 2003. [5] B. Liu, W. Hsu, and Y. Ma. Integrating classification and association rule mining. In Proceedings of KDD’98. [6] A. Sung, J. Xu, P. Chavez, and S. Mukkamala. Static analyzer of vicious executables (SAVE). In Proceedings of the 20th Annual Computer Security Applications Conference, 2004. [7] J. Xu, A. Sung, P. Chavez, and S. Mukkamala. Polymorphic malicious executable scanner by API sequence analysis. In Proceedings of the International Conference on Hybrid Intelligent Systems, 2004. [8] J. Wang, P. Deng, Y. Fan, L. Jaw, and Y. Liu. Virus detection using data mining techniques. In Proceedings of IEEE International Conference on Data Mining, 2003.