DOI: 10.1145/2046684.2046689

A comparative assessment of malware classification using binary texture analysis and dynamic analysis

Published: 21 October 2011

Abstract

AI techniques play an important role in automated malware classification. Several machine-learning methods have been applied to classify or cluster malware into families, based on different features derived from dynamic review of the malware. While these approaches demonstrate promise, they are themselves subject to a growing array of countermeasures that increase the cost of capturing these binary features. Further, feature extraction requires a time investment per binary that does not scale well to the daily volume of binary instances being reported by those who diligently collect malware. Recently, a new type of feature extraction, used by a classification approach called binary-texture analysis, was introduced in [16]. We compare this approach to existing malware classification approaches previously published. We find that, while binary texture analysis is capable of providing comparable classification accuracy to that of contemporary dynamic techniques, it can deliver these results 4000 times faster than dynamic techniques. Also surprisingly, the texture-based approach seems resilient to contemporary packing strategies, and can robustly classify a large corpus of malware with both packed and unpacked samples. We present our experimental results from three independent malware corpora, comprised of over 100 thousand malware samples. These results suggest that binary-texture analysis could be a useful and efficient complement to dynamic analysis.

References

[1] GIST Code. http://people.csail.mit.edu/torralba/code/spatialenvelope.
[2] Multi-dimensional Scaling, DR Toolbox. http://homepage.tudelft.nl/19j49/.
[3] Virustotal.com. http://www.virustotal.com.
[4] VX Heavens. http://vx.netlux.org.
[5] M. Bailey, J. Oberheide, J. Andersen, Z. Mao, and F. Jahanian. Automated classification and analysis of internet malware. In RAID, 2007.
[6] U. Bayer, P. M. Comparetti, C. Hlauschek, C. Kruegel, and E. Kirda. Scalable, behavior-based malware clustering. In Proceedings of NDSS, 2009.
[7] E. Carrera and G. Erdelyi. Digital genome mapping and advanced binary malware analysis. In Proceedings of Virus Bulletin Conference, 2004.
[8] M. Douze, H. Jegou, H. Sandhawalia, L. Amsaleg, and C. Schmid. Evaluation of gist descriptors for web-scale image search. In Proceedings of CIVR, 2009.
[9] X. Hu, T.-c. Chiueh, and K. G. Shin. Large-scale malware indexing using function-call graphs. In Proceedings of CCS, 2009.
[10] J. Jang, D. Brumley, and S. Venkataraman. Bitshred: Fast, scalable malware triage. Technical report, Cylab, Carnegie Mellon University, 2010.
[11] E. Karim, A. Walenstein, and A. Lakhotia. Malware phylogeny generation using permutations of code. European Research Journal on Computer Virology, 1(2), November 2005.
[12] C. Kolbitsch, P. M. Comparetti, C. Kruegel, E. Kirda, X. Zhou, and X. Wang. Effective and efficient malware detection at the end host. In Proceedings of Usenix Security, 2009.
[13] T. Lee and J. Mody. Behavioral classification. In EICAR, 2006.
[14] P. Li, L. Liu, D. Gao, and M. K. Reiter. On challenges in evaluating malware clustering. In Proceedings of RAID, 2010.
[15] L. Martignoni, E. Stinson, M. Fredrikson, S. Jha, and J. Mitchell. A layered architecture for detecting malicious behaviors. In Proceedings of RAID, 2008.
[16] L. Nataraj, S. Karthikeyan, G. Jacob, and B. Manjunath. Malware images: Visualization and automatic classification. In Proceedings of VizSec, 2011.
[17] Norman Sandbox. http://sandbox.norman.no.
[18] A. Oliva and A. Torralba. Modeling the shape of a scene: a holistic representation of the spatial envelope. Intl. Journal of Computer Vision, 42(3):145–175, 2001.
[19] Y. Park, D. Reeves, V. Mulukutla, and B. Sundaravel. Fast malware classification by automated behavioral graph matching. In Proceedings of CSIIRW, 2010.
[20] K. Rieck, T. Holz, C. Willems, P. Dussel, and P. Laskov. Learning and classification of malware behavior. In Proceedings of DIMVA, 2008.
[21] K. Rieck, P. Trinius, C. Willems, and T. Holz. Automatic analysis of malware behavior using machine learning. Technical report, University of Mannheim, 2009.
[22] M. Sharif, A. Lanzi, J. Giffin, and W. Lee. Impeding malware analysis using conditional code obfuscation. In Proceedings of NDSS, 2008.
[23] D. Takahashi. Symantec identified 286m malware threats in 2010. http://venturebeat.com/2011/04/04/symantecidentified-286m-malware-threats-in-2010/, 2010.
[24] R. Tian, L. Batten, R. Islam, and S. Versteeg. An automated classification system based on strings and of trojan and virus families. In Proceedings of MALWARE, 2009.
[25] A. Torralba, K. Murphy, W. Freeman, and M. Rubin. Context-based vision systems for place and object recognition. In Proceedings of ICCV, 2003.
[26] U. Bayer, C. Kruegel, and E. Kirda. Ttanalyze: A tool for analyzing malware. In EICAR, 2006.
[27] A. Walenstein, M. Hayes, and A. Lakhotia. Phylogenetic Comparisons of Malware. Virus Bulletin Conference, 2007.
[28] S. Wehner. Analyzing worms and network traffic using compression. Journal of Computer Security, 15(3):303–320, 2007.
[29] G. Wicherski. pehash: A novel approach to fast malware clustering. In Proceedings of LEET, 2009.
[30] C. Willems, T. Holz, and F. Freiling. Toward automated dynamic malware analysis using cwsandbox. IEEE Security and Privacy (Vol. 5, No. 2), March/April 2007.
[31] Y. Ye, T. Li, Y. Chen, and Q. Jiang. Automatic malware categorization using cluster ensemble. In Proceedings of KDD, 2010.
[32] J. Zhang, P. Porras, and V. Yegneswaran. Host-rx: Automated malware diagnosis based on probabilistic behavior models. Technical report, SRI International, 2009.

Published In

AISec '11: Proceedings of the 4th ACM workshop on Security and artificial intelligence
October 2011
124 pages
ISBN: 9781450310031
DOI: 10.1145/2046684

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. dynamic analysis
  2. malware images
  3. texture analysis

Qualifiers

  • Research-article

Conference

CCS'11

Acceptance Rates

Overall Acceptance Rate 94 of 231 submissions, 41%
