Combined dynamic multi-feature and rule-based behavior for accurate malware detection
Malware have become the scourge of the century, as they are continuously evolving and becoming more complex with increasing damages. Therefore, an adequate protection against such threats is vital. Behavior-based malware detection techniques have shown to be effective at overcoming the weaknesses of...
Main Authors: | , , , , , |
---|---|
Format: | Article |
Language: | English |
Published: |
Hindawi - SAGE Publishing
2019-11-01
|
Series: | International Journal of Distributed Sensor Networks |
Online Access: | https://doi.org/10.1177/1550147719889907 |
_version_ | 1797756984948162560 |
---|---|
author | Mohamed Belaoued Abdelaziz Boukellal Mohamed Amir Koalal Abdelouahid Derhab Smaine Mazouzi Farrukh Aslam Khan |
author_facet | Mohamed Belaoued Abdelaziz Boukellal Mohamed Amir Koalal Abdelouahid Derhab Smaine Mazouzi Farrukh Aslam Khan |
author_sort | Mohamed Belaoued |
collection | DOAJ |
description | Malware have become the scourge of the century, as they are continuously evolving and becoming more complex with increasing damages. Therefore, an adequate protection against such threats is vital. Behavior-based malware detection techniques have shown to be effective at overcoming the weaknesses of the signature-based ones. However, they are known for their high false alarms, which is still a very challenging problem. In this article, we address this shortcoming by proposing a rule-based behavioral malware detection system, which inherits the advantages of both signature and behavior-based approaches. We apply the proposed detection system on a combined set of three types of dynamic features, namely, (1) list of application programming interface calls; (2) application programming interface sequences; and (3) network traffic, which represents the IP addresses and domain names used by malware to connect to remote command-and-control servers. Feature selection and construction techniques, that is, term frequency–inverse document frequency and longest common subsequence, are performed on the three extracted features to generate new set of features, which are used to build behavioral Yet Another Recursive Acronym rules. The proposed malware detection approach is able to achieve an accuracy of 97.22% and a false positive rate of 4.69%. |
first_indexed | 2024-03-12T18:09:27Z |
format | Article |
id | doaj.art-807f2bc5fb0c4011821dfb727acaa38a |
institution | Directory Open Access Journal |
issn | 1550-1477 |
language | English |
last_indexed | 2024-03-12T18:09:27Z |
publishDate | 2019-11-01 |
publisher | Hindawi - SAGE Publishing |
record_format | Article |
series | International Journal of Distributed Sensor Networks |
spelling | doaj.art-807f2bc5fb0c4011821dfb727acaa38a2023-08-02T09:17:47ZengHindawi - SAGE PublishingInternational Journal of Distributed Sensor Networks1550-14772019-11-011510.1177/1550147719889907Combined dynamic multi-feature and rule-based behavior for accurate malware detectionMohamed Belaoued0Abdelaziz Boukellal1Mohamed Amir Koalal2Abdelouahid Derhab3Smaine Mazouzi4Farrukh Aslam Khan5LIRE Laboratory, Software Technologies and Information Systems Department, Constantine 2 University, Constantine, AlgeriaDepartment of Computer Science, Université 20 août 1955-Skikda, Skikda, AlgeriaDepartment of Computer Science, Université 20 août 1955-Skikda, Skikda, AlgeriaCenter of Excellence in Information Assurance (COEIA), King Saud University, Riyadh, Saudi ArabiaDepartment of Computer Science, Université 20 août 1955-Skikda, Skikda, AlgeriaCenter of Excellence in Information Assurance (COEIA), King Saud University, Riyadh, Saudi ArabiaMalware have become the scourge of the century, as they are continuously evolving and becoming more complex with increasing damages. Therefore, an adequate protection against such threats is vital. Behavior-based malware detection techniques have shown to be effective at overcoming the weaknesses of the signature-based ones. However, they are known for their high false alarms, which is still a very challenging problem. In this article, we address this shortcoming by proposing a rule-based behavioral malware detection system, which inherits the advantages of both signature and behavior-based approaches. We apply the proposed detection system on a combined set of three types of dynamic features, namely, (1) list of application programming interface calls; (2) application programming interface sequences; and (3) network traffic, which represents the IP addresses and domain names used by malware to connect to remote command-and-control servers. Feature selection and construction techniques, that is, term frequency–inverse document frequency and longest common subsequence, are performed on the three extracted features to generate new set of features, which are used to build behavioral Yet Another Recursive Acronym rules. The proposed malware detection approach is able to achieve an accuracy of 97.22% and a false positive rate of 4.69%.https://doi.org/10.1177/1550147719889907 |
spellingShingle | Mohamed Belaoued Abdelaziz Boukellal Mohamed Amir Koalal Abdelouahid Derhab Smaine Mazouzi Farrukh Aslam Khan Combined dynamic multi-feature and rule-based behavior for accurate malware detection International Journal of Distributed Sensor Networks |
title | Combined dynamic multi-feature and rule-based behavior for accurate malware detection |
title_full | Combined dynamic multi-feature and rule-based behavior for accurate malware detection |
title_fullStr | Combined dynamic multi-feature and rule-based behavior for accurate malware detection |
title_full_unstemmed | Combined dynamic multi-feature and rule-based behavior for accurate malware detection |
title_short | Combined dynamic multi-feature and rule-based behavior for accurate malware detection |
title_sort | combined dynamic multi feature and rule based behavior for accurate malware detection |
url | https://doi.org/10.1177/1550147719889907 |
work_keys_str_mv | AT mohamedbelaoued combineddynamicmultifeatureandrulebasedbehaviorforaccuratemalwaredetection AT abdelazizboukellal combineddynamicmultifeatureandrulebasedbehaviorforaccuratemalwaredetection AT mohamedamirkoalal combineddynamicmultifeatureandrulebasedbehaviorforaccuratemalwaredetection AT abdelouahidderhab combineddynamicmultifeatureandrulebasedbehaviorforaccuratemalwaredetection AT smainemazouzi combineddynamicmultifeatureandrulebasedbehaviorforaccuratemalwaredetection AT farrukhaslamkhan combineddynamicmultifeatureandrulebasedbehaviorforaccuratemalwaredetection |