NUST Institutional Repository

Detecting Activity of Malicious Software

dc.contributor.author Hassan Mohammad Khan
dc.date.accessioned 2020-11-03T14:44:25Z
dc.date.available 2020-11-03T14:44:25Z
dc.date.issued 2007
dc.identifier.uri http://10.250.8.41:8080/xmlui/handle/123456789/9202
dc.description Supervisor: Dr. Fauzan Mirza en_US
dc.description.abstract Detection of rapidly evolving malware requires classification techniques that can effectively and efficiently detect zero-day attacks. Such detection is based on a robust model of benign behavior, and deviations from that model are used to detect malicious behavior. In this project, we propose a low-complexity host-based technique that uses deviations in static file attributes to detect malicious executables. We first develop simple statistical models of static file attributes from the empirical data derived from hundreds of malicious and benign executables. Deviations among the attribute models of benign and malware executables are then quantified using information-theoretic (Kullback-Leibler-based) divergence measures. This quantification reveals distinguishing attributes that are considerably divergent between benign and malware executables, and therefore can be used for detection. We use Support Vector Machines, a machine learning approach, to detect malicious samples from benign ones based on these distinguishing attributes. We then use the benign attribute models as priors in cross-correlation and log-likelihood frameworks to classify malicious executables. Our results indicate that the proposed detectors, while having significantly lower complexity than existing detectors, provide reasonably high detection accuracy. en_US
dc.publisher SEECS, National University of Sciences and Technology, Islamabad en_US
dc.subject Information Technology en_US
dc.title Detecting Activity of Malicious Software en_US
dc.type Thesis en_US


This item appears in the following Collection(s)

  • BS [440]
