Title
PE-Miner: Mining Structural Information to Detect Malicious Executables in Realtime
Abstract
In this paper, we present an accurate and realtime PE-Miner framework that automatically extracts distinguishing features from portable executables (PE) to detect zero-day (i.e. previously unknown) malware. The distinguishing features are extracted using the structural information standardized by the Microsoft Windows operating system for executables, DLLs and object files. We follow a threefold research methodology: (1) identify a set of structural features for PE files which is computable in realtime, (2) use an efficient preprocessor for removing redundancy in the feature set, and (3) select an efficient data mining algorithm for final classification between benign and malicious executables. We have evaluated PE-Miner on two malware collections, the VX Heavens and Malfease datasets, which contain about 11 and 5 thousand malicious PE files respectively. The results of our experiments show that PE-Miner achieves more than 99% detection rate with less than 0.5% false alarm rate for distinguishing between benign and malicious executables. PE-Miner has low processing overheads and takes only 0.244 seconds on average to scan a given PE file. Finally, we evaluate the robustness and reliability of PE-Miner under several regression tests. Our results show that the extracted features are robust to different packing techniques and that PE-Miner is also resilient to the majority of crafty evasion strategies.
Year: 2009
DOI: 10.1007/978-3-642-04342-0_7
Venue: RAID
Keywords: distinguishing feature, portable executables, efficient data mining algorithm, malicious pe, pe file, false alarm rate, detection rate, efficient preprocessor, realtime pe-miner framework, detect malicious executables, mining structural information, malicious executables, operating system, data mining, regression testing
Field: Data mining, Microsoft Windows, Computer science, Computer security, Regression testing, Robustness (computer science), Preprocessor, Redundancy (engineering), Constant false alarm rate, Malware, Executable
DocType: Conference
Volume: 5758
ISSN: 0302-9743
Citations: 55
PageRank: 2.31
References: 7
Authors: 4
Authors (name, order; the per-author citation count and PageRank digits are run together in the source record and are left as given):
1. M. Zubair Shafiq: 54643.41
2. S. Momina Tabish: 1196.05
3. Fauzan Mirza: 855.32
4. Muddassar Farooq: 122183.47