
Support vector machines and malware detection

Original Paper
Published in: Journal of Computer Virology and Hacking Techniques

Abstract

In this research, we test three advanced malware scoring techniques that have shown promise in previous research, namely, Hidden Markov Models, Simple Substitution Distance, and Opcode Graph based detection. We then perform a careful robustness analysis by employing morphing strategies that cause each score to fail. We show that combining scores using a Support Vector Machine yields results that are significantly more robust than those obtained using any of the individual scores.
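The abstract's central claim is that a single score can be defeated by a targeted morphing strategy, while a support vector machine trained on all three scores remains robust. The following is an added illustration of that claim, not code from the paper: it builds a constructed dataset in which each morphing strategy drives exactly one of the three scores (labelled `hmm`, `ssd`, `ogs` here by assumption) to a benign-looking value, then compares a single-score threshold detector against a linear soft-margin SVM fitted by stochastic gradient descent on the hinge loss (a stand-in for a proper SVM library, and not the paper's training procedure).

```python
import random

# Order of the three per-sample scores (assumed names); higher means
# "more like the malware family".
FEATURES = ("hmm", "ssd", "ogs")


def make_dataset(seed=7, n_benign=40, n_per_group=10):
    """Constructed sample data (not the paper's dataset).

    Returns a list of (scores, label) with label +1 = malware, -1 = benign.
    Benign files score low on all three; unmorphed malware scores high on all
    three; each morphed group is built so that exactly one score is driven
    down to a benign-looking value while the other two stay high.
    """
    rng = random.Random(seed)

    def around(v):
        return min(1.0, max(0.0, v + rng.uniform(-0.05, 0.05)))

    data = []
    for _ in range(n_benign):
        data.append((tuple(around(0.2) for _ in FEATURES), -1))
    for _ in range(n_per_group):
        data.append((tuple(around(0.8) for _ in FEATURES), +1))
    for defeated in range(len(FEATURES)):
        for _ in range(n_per_group):
            scores = tuple(around(0.2) if i == defeated else around(0.8)
                           for i in range(len(FEATURES)))
            data.append((scores, +1))
    return data


def single_score_accuracy(data, index, threshold=0.5):
    """Accuracy when a file is flagged as malware iff one score alone exceeds threshold."""
    correct = sum(1 for scores, label in data
                  if (1 if scores[index] > threshold else -1) == label)
    return correct / len(data)


def train_linear_svm(data, lam=0.01, lr=0.05, epochs=300, seed=1):
    """Linear soft-margin SVM fitted by SGD on the primal hinge loss.

    Learns one weight per score plus a bias, i.e. how to combine the three
    scores into a single decision boundary.
    """
    rng = random.Random(seed)
    dim = len(data[0][0])
    w = [0.0] * dim
    b = 0.0
    order = list(range(len(data)))
    for _ in range(epochs):
        rng.shuffle(order)
        for i in order:
            x, y = data[i]
            margin = y * (sum(wi * xi for wi, xi in zip(w, x)) + b)
            # L2 regularisation shrinks the weights on every step ...
            w = [wi * (1.0 - lr * lam) for wi in w]
            # ... and a hinge-loss violation pulls the boundary toward the sample.
            if margin < 1.0:
                w = [wi + lr * y * xi for wi, xi in zip(w, x)]
                b += lr * y
    return w, b


def predict(model, scores):
    w, b = model
    return 1 if sum(wi * xi for wi, xi in zip(w, scores)) + b >= 0 else -1


def combined_accuracy(data, model):
    correct = sum(1 for scores, label in data if predict(model, scores) == label)
    return correct / len(data)


if __name__ == "__main__":
    data = make_dataset()
    for i, name in enumerate(FEATURES):
        print(f"{name} alone: {single_score_accuracy(data, i):.3f}")
    model = train_linear_svm(data)
    print(f"svm on all three scores: {combined_accuracy(data, model):.3f}")
```

On this constructed data each single-score detector misclassifies exactly the morphed group built to defeat it, while the combined classifier separates every sample, because the morphing strategies that degrade one score leave the other two intact and the SVM learns to weight all three.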




Author information

Corresponding author

Correspondence to Mark Stamp.


Cite this article

Singh, T., Di Troia, F., Corrado, V.A. et al. Support vector machines and malware detection. J Comput Virol Hack Tech 12, 203–212 (2016). https://doi.org/10.1007/s11416-015-0252-0
