Abstract
We propose a novel two-step dimensionality reduction approach, based on correlation and using machine learning techniques, for identifying unseen malicious Executable and Linkable Format (ELF) files. System calls used as features are extracted dynamically in a sandbox environment. Our extended version of symmetric uncertainty (X-SU) ranks features by determining Feature–Class correlation using entropy and information gain, and then eliminates redundant features by estimating Feature–Feature correlation using weighted probabilistic information gain. Three learning algorithms (J48, AdaBoost and Random Forest) are employed to generate prediction models from the system call traces. The optimal feature vector, constructed with a minimum feature length of 27 features, yielded an overall classification accuracy of 99.40% with a very low false alarm rate in identifying unknown malicious specimens.
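The two-step selection the abstract describes (rank features by Feature–Class correlation, then discard features whose Feature–Feature correlation with an already-selected feature exceeds their own relevance) can be illustrated with the standard symmetric uncertainty SU(X,Y) = 2·IG(X|Y) / (H(X) + H(Y)). The block below is an added example and not the paper's code: it uses plain information gain for both steps, where the paper's X-SU uses a weighted probabilistic information gain for the Feature–Feature step, so it is a simplification of the published method. The system-call presence matrix, the five call names, the labels and the threshold `delta` are all constructed for the illustration and are not data from the paper.

```python
"""Two-step correlation-based feature selection over system-call features.

Added illustration (not the paper's own code). Step 1 ranks each feature by
symmetric uncertainty with the class label and drops those below a threshold;
step 2 walks the ranking and removes any feature whose symmetric uncertainty
with an already-kept feature is at least as large as its relevance to the
class. Both steps use plain information gain; the paper's X-SU differs in
using a weighted probabilistic information gain for the second step.
"""
from collections import Counter
from math import log2

# Constructed sample data: each row is one sandboxed ELF, each column records
# whether a system call appeared (1) or not (0) in its trace. Labels: 1 = malicious,
# 0 = benign. 'connect' is a deliberate duplicate of 'socket' and 'write' is constant.
FEATURES = ["ptrace", "socket", "connect", "execve", "write"]
SAMPLES = [
    [1, 1, 1, 1, 1], [1, 0, 0, 1, 1], [1, 1, 1, 1, 1], [1, 0, 0, 1, 1], [0, 1, 1, 0, 1],
    [0, 1, 1, 1, 1], [0, 0, 0, 1, 1], [0, 0, 0, 1, 1], [0, 0, 0, 0, 1], [0, 0, 0, 0, 1],
]
LABELS = [1, 1, 1, 1, 1, 0, 0, 0, 0, 0]


def entropy(values):
    """Shannon entropy H(X) in bits of a discrete sequence."""
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values()) or 0.0


def conditional_entropy(x, y):
    """H(X|Y): entropy of x within each group of equal y, weighted by group size."""
    groups = {}
    for xi, yi in zip(x, y):
        groups.setdefault(yi, []).append(xi)
    n = len(x)
    return sum(len(g) / n * entropy(g) for g in groups.values())


def information_gain(x, y):
    """IG(X|Y) = H(X) - H(X|Y)."""
    return entropy(x) - conditional_entropy(x, y)


def symmetric_uncertainty(x, y):
    """SU(X,Y) = 2*IG(X|Y) / (H(X) + H(Y)), normalised to [0, 1]; 0 for two constants."""
    denom = entropy(x) + entropy(y)
    return 0.0 if denom == 0.0 else 2.0 * information_gain(x, y) / denom


def select_features(samples, labels, feature_names, delta=0.05):
    """Return (selected, relevance, removed) for the two-step selection.

    relevance maps every feature to its Feature-Class SU; removed maps each
    redundant feature to the kept feature that made it redundant.
    """
    columns = {name: [row[i] for row in samples] for i, name in enumerate(feature_names)}
    relevance = {name: symmetric_uncertainty(col, labels) for name, col in columns.items()}

    # Step 1: keep features whose relevance reaches delta, highest relevance first.
    # sort() is stable, so equally relevant features keep their original order.
    remaining = [n for n in feature_names if relevance[n] >= delta]
    remaining.sort(key=lambda n: relevance[n], reverse=True)

    # Step 2: a feature is redundant if its Feature-Feature SU with a feature already
    # kept is at least its own Feature-Class SU.
    selected, removed = [], {}
    while remaining:
        kept = remaining.pop(0)
        selected.append(kept)
        survivors = []
        for cand in remaining:
            if symmetric_uncertainty(columns[kept], columns[cand]) >= relevance[cand]:
                removed[cand] = kept
            else:
                survivors.append(cand)
        remaining = survivors
    return selected, relevance, removed


if __name__ == "__main__":
    chosen, rel, dropped = select_features(SAMPLES, LABELS, FEATURES)
    for name in FEATURES:
        print(f"{name:8s} SU(feature, class) = {rel[name]:.4f}")
    print("selected:", chosen)
    print("removed as redundant:", dropped)
```

On the constructed matrix, `ptrace` is the most relevant feature, `execve` and the constant `write` fall below `delta`, and `connect` is removed because its symmetric uncertainty with the already-kept `socket` is 1.0, which exceeds its own relevance to the class. Real traces would carry call counts rather than presence bits, and the same functions apply once counts are discretised into bins.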
© 2014 Springer International Publishing Switzerland
Cite this paper
Asmitha, K.A., Vinod, P. (2014). Linux Malware Detection Using eXtended–Symmetric Uncertainty. In: Chakraborty, R.S., Matyas, V., Schaumont, P. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2014. Lecture Notes in Computer Science, vol 8804. Springer, Cham. https://doi.org/10.1007/978-3-319-12060-7_21
DOI: https://doi.org/10.1007/978-3-319-12060-7_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-12059-1
Online ISBN: 978-3-319-12060-7
eBook Packages: Computer Science (R0)