http://dx.doi.org/10.13089/JKIISC.2012.22.4.785

Malicious Code Detection using the Effective Preprocessing Method Based on Native API  

Bae, Seong-Jae (Korea University)
Cho, Jae-Ik (Korea University)
Shon, Tae-Shik (Ajou University)
Moon, Jong-Sub (Korea University)
Abstract
In this paper, we propose an effective behavior-based detection technique that uses the frequency of system calls to detect malicious code when the number of training samples is smaller than the number of system-call properties. We collect the Native APIs, which are Windows kernel data generated by running program code, and adopt the normalized frequency of each Native API as the basic properties. The basic properties are then transformed into new properties by GLDA (Generalized Linear Discriminant Analysis), an effective method for discriminating between malicious code and normal code even when the number of training samples is smaller than the number of properties. To detect malicious code, kNN (k-Nearest Neighbor) classification, one of the Bayesian classification techniques, is used. We compared the proposed detection method with other methods on the collected Native APIs to verify its efficiency. The results show that the proposed detection method has a lower false positive rate than the other methods at the threshold value where the detection rate is 100%.
Keywords
Malicious code; Intrusion detection system; GLDA;
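As an added illustration of the pipeline the abstract describes (this is not code from the paper or its authors), the Python below builds normalized Native API frequency vectors from constructed per-run call counts, scores unseen samples with kNN as the fraction of malicious neighbours, and sweeps the decision threshold to find the false positive rate at the point where the detection rate reaches 100%. The GLDA transform is deliberately omitted, so kNN runs directly on the frequency vectors; every API name, count and label is invented sample data, and the two "mixed" test samples (a registry-heavy normal program and a file-heavy malicious one) are there to show why the threshold trade-off in the abstract matters.

```python
"""Native API frequency features + kNN scoring with a detection threshold.

Added illustration only: the call counts are constructed, not the paper's
dataset, and the GLDA step of the paper is intentionally left out.
"""
from math import sqrt

# Constructed Native API call counts per program run (hypothetical data).
TRAIN = [
    ({"NtOpenFile": 5, "NtReadFile": 5}, "normal"),
    ({"NtOpenFile": 4, "NtReadFile": 4, "NtWriteFile": 2}, "normal"),
    ({"NtOpenFile": 6, "NtReadFile": 2, "NtWriteFile": 2}, "normal"),
    ({"NtCreateKey": 4, "NtSetValueKey": 4, "NtCreateProcess": 2}, "malicious"),
    ({"NtWriteFile": 2, "NtCreateKey": 4, "NtSetValueKey": 2, "NtCreateProcess": 2}, "malicious"),
    ({"NtOpenFile": 2, "NtCreateKey": 4, "NtSetValueKey": 4}, "malicious"),
]
TEST = [
    ({"NtOpenFile": 5, "NtReadFile": 3, "NtWriteFile": 2}, "normal"),
    # An installer-like normal program that touches the registry as much as files.
    ({"NtOpenFile": 2, "NtReadFile": 2, "NtCreateKey": 2, "NtSetValueKey": 2}, "normal"),
    ({"NtCreateKey": 5, "NtSetValueKey": 3, "NtCreateProcess": 2}, "malicious"),
    # Malicious sample that also does a fair amount of ordinary file I/O.
    ({"NtOpenFile": 2, "NtReadFile": 2, "NtCreateKey": 2, "NtSetValueKey": 1,
      "NtCreateProcess": 1}, "malicious"),
]


def vocabulary(samples):
    """Fixed, ordered list of the Native API names seen in training traces."""
    return sorted({api for counts, _ in samples for api in counts})


def normalized_frequency(counts, vocab):
    """Relative frequency of each vocabulary API in one trace.

    Dividing by the trace length removes the dependence on how long the
    program ran; APIs absent from the training vocabulary are ignored.
    """
    total = sum(counts.values())
    if total == 0:
        return [0.0] * len(vocab)
    return [counts.get(api, 0) / total for api in vocab]


def euclidean(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def knn_score(vector, train_vectors, k=3):
    """Fraction of the k nearest training samples that are labelled malicious."""
    ranked = sorted(train_vectors, key=lambda item: euclidean(vector, item[0]))
    hits = sum(1 for _, label in ranked[:k] if label == "malicious")
    return hits / k


def score_samples(train, test, k=3):
    """Return (score, true_label) for every test sample."""
    vocab = vocabulary(train)
    train_vectors = [(normalized_frequency(c, vocab), label) for c, label in train]
    return [(knn_score(normalized_frequency(c, vocab), train_vectors, k), label)
            for c, label in test]


def rates(scored, threshold):
    """Detection rate and false positive rate when score >= threshold flags malicious."""
    mal = [s for s, label in scored if label == "malicious"]
    nor = [s for s, label in scored if label == "normal"]
    detection_rate = sum(1 for s in mal if s >= threshold) / len(mal)
    false_positive_rate = sum(1 for s in nor if s >= threshold) / len(nor)
    return detection_rate, false_positive_rate


def operating_point_at_full_detection(scored):
    """Threshold with the lowest FPR among those that still detect every malicious sample."""
    best = None
    for t in sorted({s for s, _ in scored}):
        detection_rate, fpr = rates(scored, t)
        if detection_rate == 1.0 and (best is None or fpr <= best[1]):
            best = (t, fpr)
    return best


if __name__ == "__main__":
    scored = score_samples(TRAIN, TEST)
    for score, label in scored:
        print(f"{label:9s} score={score:.3f}")
    threshold, fpr = operating_point_at_full_detection(scored)
    print(f"threshold for 100% detection: {threshold:.3f}, false positive rate: {fpr:.2f}")
```

On this constructed data the registry-heavy normal sample and the file-heavy malicious sample both score 2/3, so the threshold that keeps detection at 100% is forced down to 2/3 and one of the two normal samples becomes a false positive; raising the threshold to 1.0 removes the false positive but halves the detection rate. That is exactly the operating point the abstract compares across methods, and it is the kind of overlap a better feature transform such as the paper's GLDA is meant to reduce.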