Name
Title | ||
|---|---|---|
In-execution dynamic malware analysis and detection by mining information in process control blocks of Linux OS |
Abstract | ||
|---|---|---|
Run-time behavior of processes - running on an end-host - is being actively used to dynamically detect malware. Most of these detection schemes build model of run-time behavior of a process on the basis of its data flow and/or sequence of system calls. These novel techniques have shown promising results but an efficient and effective technique must meet the following performance metrics: (1) high detection accuracy, (2) low false alarm rate, (3) small detection time, and (4) the technique should be resilient to run-time evasion attempts. To meet these challenges, a novel concept of genetic footprint is proposed, by mining the information in the kernel process control blocks (PCB) of a process, that can be used to detect malicious processes at run time. The genetic footprint consists of selected parameters - maintained inside the PCB of a kernel for each running process - that define the semantics and behavior of an executing process. A systematic forensic study of the execution traces of benign and malware processes is performed to identify discriminatory parameters of a PCB (task_struct is PCB in case of Linux OS). As a result, 16 out of 118 task structure parameters are short listed using the time series analysis. A statistical analysis is done to corroborate the features of the genetic footprint and to select suitable machine learning classifiers to detect malware. The scheme has been evaluated on a dataset that consists of 105 benign processes and 114 recently collected malware processes for Linux. The results of experiments show that the presented scheme achieves a detection accuracy of 96% with 0% false alarm rate in less than 100ms of the start of a malicious activity. Last but not least, the presented technique utilizes partial knowledge that is available at a given time while the process is still executing; as a result, the kernel of OS can devise mitigation strategies. It is also shown that the presented technique is robust to well known run-time evasion attempts. |
Year | DOI | Venue |
|---|---|---|
2013 | 10.1016/j.ins.2011.09.016 | Inf. Sci. |
Keywords | Field | DocType |
genetic footprint,detection accuracy,in-execution dynamic malware analysis,run-time behavior,benign process,malicious process,mining information,effective technique,high detection accuracy,malware process,linux os,detection scheme,kernel process control block,operating system,time series analysis,intrusion detection system,genetics,statistical analysis,process control,false alarm rate,data flow,machine learning | Data mining,Computer science,Real-time computing,Artificial intelligence,Intrusion detection system,Malware analysis,Data flow diagram,Kernel (linear algebra),Work in process,Process control,Constant false alarm rate,Malware,Machine learning | Journal |
Volume | ISSN | Citations |
231, | 0020-0255 | 11 |
PageRank | References | Authors |
0.79 | 40 | 3 |
Name | Order | Citations | PageRank |
|---|---|---|---|
| Farrukh Shahzad | 1 | 55 | 4.00 |
| Muhammad Shahzad | 2 | 728 | 44.77 |
| Muddassar Farooq | 3 | 1221 | 83.47 |