TY - GEN
T1 - Extraction of statistically significant malware behaviors
AU - Palahan, Sirinda
AU - Babic, Domagoj
AU - Chaudhuri, Swarat
AU - Kifer, Daniel
N1 - Copyright:
Copyright 2014 Elsevier B.V., All rights reserved.
PY - 2013
Y1 - 2013
N2 - Traditionally, analysis of malicious software is only a semi-automated process, often requiring a skilled human analyst. As new malware appears at an increasingly alarming rate - now over 100 thousand new variants each day - there is a need for automated techniques for identifying suspicious behavior in programs. In this paper, we propose a method for extracting statistically significant malicious behaviors from a system call dependency graph (obtained by running a binary executable in a sandbox). Our approach is based on a new method for measuring the statistical significance of subgraphs. Given a training set of graphs from two classes (e.g., goodware and malware system call dependency graphs), our method can assign p-values to subgraphs of new graph instances even if those subgraphs have not appeared before in the training data (thus possibly capturing new behaviors or disguised versions of existing behaviors).
AB - Traditionally, analysis of malicious software is only a semi-automated process, often requiring a skilled human analyst. As new malware appears at an increasingly alarming rate - now over 100 thousand new variants each day - there is a need for automated techniques for identifying suspicious behavior in programs. In this paper, we propose a method for extracting statistically significant malicious behaviors from a system call dependency graph (obtained by running a binary executable in a sandbox). Our approach is based on a new method for measuring the statistical significance of subgraphs. Given a training set of graphs from two classes (e.g., goodware and malware system call dependency graphs), our method can assign p-values to subgraphs of new graph instances even if those subgraphs have not appeared before in the training data (thus possibly capturing new behaviors or disguised versions of existing behaviors).
UR - http://www.scopus.com/inward/record.url?scp=84893321191&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84893321191&partnerID=8YFLogxK
U2 - 10.1145/2523649.2523659
DO - 10.1145/2523649.2523659
M3 - Conference contribution
AN - SCOPUS:84893321191
SN - 9781450320153
T3 - ACM International Conference Proceeding Series
SP - 69
EP - 78
BT - Proceedings - 29th Annual Computer Security Applications Conference, ACSAC 2013
T2 - 29th Annual Computer Security Applications Conference, ACSAC 2013
Y2 - 9 December 2013 through 13 December 2013
ER -