Abstract:
Detection of rapidly evolving malware requires classification techniques
that can effectively and efficiently detect zero-day attacks. Such detection is based
on a robust model of benign behavior, and deviations from that model are used to
detect malicious behavior. In this project, we propose a low-complexity host-based
technique that uses deviations in static file attributes to detect malicious
executables. We first develop simple statistical models of static file attributes from
the empirical data derived from hundreds of malicious and benign executables.
Deviations among the attribute models of benign and malware executables are then
quantified using information-theoretic (Kullback-Leibler-based) divergence
measures. This quantification reveals distinguishing attributes that are considerably
divergent between benign and malware executables, and therefore can be used for
detection. We use Support Vector Machines, a machine learning approach, to separate
malicious samples from benign ones based on these distinguishing attributes. We
then use the benign attribute models as priors in cross-correlation and log-likelihood
frameworks to classify malicious executables. Our results indicate that
the proposed detectors, while having significantly lower complexity than existing
detectors, provide reasonably high detection accuracy.
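The pipeline the abstract describes, as an added example that is not code from the paper: per-attribute statistical models are built from benign and malware samples, attributes are ranked by a symmetric Kullback-Leibler divergence between the two models, and the top-ranked attributes feed a two-class log-likelihood-ratio detector. The attribute names (entropy_bin, section_count, import_count_bin), their four-bin discretisation, the toy corpus and the use of a two-class likelihood ratio rather than the paper's exact benign-prior formulation are all assumptions made for illustration. The additive smoothing in attribute_model is the caveat a practitioner should note: without it, KL divergence is infinite for any bin observed in one class but never in the other, which makes the ranking meaningless on small corpora.

```python
"""Added example (not from the paper): KL-divergence attribute ranking and a
log-likelihood-ratio detector over constructed static-attribute data."""
import math
from typing import Dict, List, Sequence, Tuple

# Hypothetical discretised static attributes. The paper does not name its
# attribute set, so these are stand-ins; each takes a bin index 0..3.
BINS: Dict[str, range] = {
    "entropy_bin": range(4),       # 0 = low entropy, 3 = very high (packed/encrypted)
    "section_count": range(4),     # bucketed number of sections
    "import_count_bin": range(4),  # bucketed number of imported functions
}

# Constructed toy corpus (not real measurements).
BENIGN: List[Dict[str, int]] = [
    {"entropy_bin": 1, "section_count": 1, "import_count_bin": 2},
    {"entropy_bin": 1, "section_count": 2, "import_count_bin": 2},
    {"entropy_bin": 1, "section_count": 1, "import_count_bin": 3},
    {"entropy_bin": 2, "section_count": 2, "import_count_bin": 2},
    {"entropy_bin": 1, "section_count": 1, "import_count_bin": 3},
    {"entropy_bin": 0, "section_count": 2, "import_count_bin": 2},
]
MALWARE: List[Dict[str, int]] = [
    {"entropy_bin": 3, "section_count": 1, "import_count_bin": 0},
    {"entropy_bin": 3, "section_count": 2, "import_count_bin": 1},
    {"entropy_bin": 3, "section_count": 1, "import_count_bin": 0},
    {"entropy_bin": 2, "section_count": 2, "import_count_bin": 1},
    {"entropy_bin": 3, "section_count": 1, "import_count_bin": 2},
    {"entropy_bin": 3, "section_count": 2, "import_count_bin": 0},
]


def attribute_model(samples: Sequence[Dict[str, int]], attr: str,
                    alpha: float = 1.0) -> Dict[int, float]:
    """Smoothed empirical distribution of one attribute over its bin set.

    Additive (Laplace) smoothing keeps every bin strictly positive. Without it
    KL(p||q) is infinite whenever a bin occurs in p but never in q, and the
    log-likelihood of any sample hitting such a bin is -inf.
    """
    bins = BINS[attr]
    counts = {b: 0 for b in bins}
    for s in samples:
        v = s[attr]
        if v not in counts:
            raise ValueError(f"{attr}={v} is outside the bin range {bins}")
        counts[v] += 1
    total = len(samples) + alpha * len(bins)
    return {b: (counts[b] + alpha) / total for b in bins}


def kl_divergence(p: Dict[int, float], q: Dict[int, float]) -> float:
    """KL(p||q) in nats; both inputs must be strictly positive on every bin."""
    return sum(p[b] * math.log(p[b] / q[b]) for b in p)


def symmetric_kl(p: Dict[int, float], q: Dict[int, float]) -> float:
    """Symmetrised divergence, so the ranking does not depend on argument order."""
    return kl_divergence(p, q) + kl_divergence(q, p)


def rank_attributes(benign: Sequence[Dict[str, int]],
                    malware: Sequence[Dict[str, int]]) -> List[Tuple[str, float]]:
    """Rank attributes by how far the benign and malware models diverge."""
    scores = [(a, symmetric_kl(attribute_model(benign, a), attribute_model(malware, a)))
              for a in BINS]
    scores.sort(key=lambda t: t[1], reverse=True)
    return scores


def log_likelihood_ratio(sample: Dict[str, int],
                         benign_models: Dict[str, Dict[int, float]],
                         malware_models: Dict[str, Dict[int, float]],
                         attrs: Sequence[str]) -> float:
    """log P(x|malware) - log P(x|benign), treating attributes as independent."""
    ll_b = sum(math.log(benign_models[a][sample[a]]) for a in attrs)
    ll_m = sum(math.log(malware_models[a][sample[a]]) for a in attrs)
    return ll_m - ll_b


def classify(sample: Dict[str, int], attrs: Sequence[str],
             threshold: float = 0.0) -> str:
    """Detect using only the selected (most divergent) attributes."""
    bm = {a: attribute_model(BENIGN, a) for a in attrs}
    mm = {a: attribute_model(MALWARE, a) for a in attrs}
    return "malware" if log_likelihood_ratio(sample, bm, mm, attrs) > threshold else "benign"


if __name__ == "__main__":
    ranked = rank_attributes(BENIGN, MALWARE)
    for attr, d in ranked:
        print(f"{attr:18s} symmetric KL = {d:.3f}")
    top = [a for a, d in ranked if d > 0.5]
    unknown = {"entropy_bin": 3, "section_count": 1, "import_count_bin": 0}
    print("selected attributes:", top, "->", classify(unknown, top))
```

The threshold on the log-likelihood ratio is the knob that trades false positives for missed detections; in practice it is set from the benign model's score distribution on held-out benign files rather than fixed at zero.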