IMDS: Intelligent Malware Detection System - PowerPoint PPT Presentation

1 / 10
About This Presentation
Title:

IMDS: Intelligent Malware Detection System

Description:

... associative mining to detect malicious code among large scale of executables ... Polymorphic malicious executable scanner by API sequence analysis. ... – PowerPoint PPT presentation

Number of Views:198
Avg rating:3.0/5.0
Slides: 11
Provided by: dwa2
Category:

less

Transcript and Presenter's Notes

Title: IMDS: Intelligent Malware Detection System


1
IMDS Intelligent Malware Detection System

  • Yanfang Ye
  • Dingding Wang

  • Tao Li

  • Dongyi Ye

2
Motivation
Watch Out! Virus!
  • Threat to the security of computer systems
  • Signature based anti-virus systems fail to
  • detect polymorphic or new malware
  • Some data mining techniques have shown
  • promising results on small collection of
  • malicious executables

Polymorphic or New X
Signature based detection
Our goal Develop more effective and efficient
data mining solutions to large collection of
malicious executables
OOA mining based classification
3
Data Collection and Preprocessing
  • PE viruses are in the majority of viruses rising
    in recent years
  • 17366 malicious executables provided by
    Anti-virus Laboratory of KingSoft Corporation
  • 12214 benign executables gathered from Windows
    system files
  • Develop a PE parser to construct API execution
    sequences

4
System Architecture
OOA_Fast_FP_Growth algorithm
Association rule based classification
5
Objective Oriented Association Mining
  • OOA Mining -- model association patterns relating
    to a users objective
  • e.g. Obj1 (Group Malicious)
  • Algorithms OOA_Apriori, OOA_FP-Growth 1
  • OOA_Fast_FP-Growth algorithm4 -- A modification
    of OOA_FP-Growth2,3
  • Paths are directed, thus, fewer pointers are
    needed and less memory space is required
  • Each node is the sequence number of an item,
    which is determined by the support count of the
    item
  • Example
  • (Kernel32.dll, OpenProcessCopyFileACloseHa
    ndleGetVersionExAGetModuleFileNameAWriteFile)
  • Obj (Group Malicious) (os
    0.29, oc 0.99)
  • Associative Classification
  • CBA5 -- build on rules with high support
    and confidence

6
Experimental results (1)
  • Efficiency

Running time of different OOA mining
algorithms (sample 3393 malicious / 2217
benign)
Efficiency of different scanners (sample 500
malicious / 1500 benign)
N Norton AntiVirus MMcAfee DDr.Web KKasper
sky SAVE 6 Static Analyzer of Vicious
Exe- cutables
  • False positives of different scanners
  • (1000 benign files)

7
Experimental results (2)
  • Detection Ability

Polymorphic malware detection
Unknown malware detection
8
Experimental results (3)
  • Detection accuracy with different data mining
    solutions

Results by using different classifiers. TP, TN,
FP, FN, DR, and ACY refer to True Positive, True
Negative, False Positive, False Negative,
Detection Rate, and Accuracy, respectively
9
Conclusion
  • Summary
  • IMDS is an integrated system for malware
    detection, which consists of PE parser, OOA rule
    generator and rule based classifier
  • It is the first try to apply associative mining
    to detect malicious code among large scale of
    executables
  • The effectiveness and efficiency of IMDS
    outperform many widely-used anti-virus software
    and other data mining based malware detection
    methods
  • Future Work
  • Conduct further study to take sequence into
    consideration

10
Selected References
  • 1 Y.Shen, Q.Yang, and Z.Zhang.
    Objective-oriented utility-based association
    mining. In Proceedings of ICDM02.
  • 2 J. Han and M. Kamber. Data mining Concepts
    and techniques, 2nd edition. Morgan Kaufmann,
    2006.
  • 3 J. Han, J. Pei, and Y. Yin. Mining frequent
    patterns without candidate generation. In
    Proceedings of SIGMOD, pages 1.12, May 2000.
  • 4 M. Fan and C. Li. Mining frequent patterns in
    an FP-tree without conditional FP-tree
    generation. Journal of Computer Research and
    Development, 401216.1222, 2003.
  • 5 B. Liu, W. Hsu, and Y. Ma. Integrating
    classification and association rule mining. In
    Proceedings of KDD98.
  • 6 A. Sung, J. Xu, P. Chavez, and S. Mukkamala.
    Static analyzer of vicious executables (SAVE). In
    Proceedings of the 20th Annual Computer Security
    Applications Conference, 2004.
  • 7 J. Xu, A. Sung, P. Chavez, and S. Mukkamala.
    Polymorphic malicious executable scanner by API
    sequence analysis. In Proceedings of the
    International Conference on Hybrid Intelligent
    Systems, 2004.
  • 8 J. Wang, P. Deng, Y. Fan, L. Jaw, and Y. Liu.
    Virus detection using data mining techniques. In
    Proceedings of IEEE International Conference on
    Data Mining, 2003.
Write a Comment
User Comments (0)
About PowerShow.com