A packed malware variants detection method based on weighted dynamic behaviour feature clustering
Abstract:
To evade malware detection, attackers often use packing techniques to encrypt or compress malware binaries, which makes it difficult for security analysts and malware detectors based on traditional static analysis to use reverse-engineering tools, such as disassemblers, to analyse malware statically before it runs. Currently, packed malware is mainly detected with dynamic analysis methods. However, because of the limited variety of packing tools and packed samples, and the obfuscation noise introduced by malware packers, traditional machine-learning-based detection methods have insufficient accuracy. In this paper, to filter the packing behaviour, the system call behaviour features of packed malware are extracted and analysed, and sensitive behaviours are then identified and filtered out. Next, the feature dimensions of the system call behaviours are reduced by weighting, to improve the contribution of each feature. Finally, these behaviours are analysed with density-based clustering, enabling the detection of unknown variants of packed malware and the updating of the detection model. The experimental results show that the proposed packed malware variant detection method based on weighted clustering of sensitive behaviour features achieves a 3.9 % false alarm rate, significantly lower than that of several other machine-learning-based detection methods.
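The pipeline the abstract describes (filter packer noise from system call traces, weight the remaining features, cluster by density so that variants fall into the same group and unrelated samples are left as noise), as an added illustration that is not the paper's code. The traces, the list of calls treated as packer noise, the IDF weighting and the use of DBSCAN as the density-based method are all assumptions made for the example, not details taken from the paper.

```python
import math
from collections import Counter

# Constructed sample traces (not from the paper): one list of system call names per sample.
TRACES = {
    "A1": ["RegSetValueEx", "CreateRemoteThread", "WriteProcessMemory", "VirtualAlloc"],
    "A2": ["RegSetValueEx", "CreateRemoteThread", "WriteProcessMemory", "VirtualProtect", "Sleep"],
    "A3": ["RegSetValueEx", "CreateRemoteThread", "WriteProcessMemory", "VirtualAlloc", "GetProcAddress"],
    "B1": ["CreateFile", "WriteFile", "InternetOpen", "HttpSendRequest", "VirtualAlloc"],
    "B2": ["CreateFile", "WriteFile", "InternetOpen", "HttpSendRequest", "LoadLibrary"],
    "B3": ["CreateFile", "WriteFile", "InternetOpen", "HttpSendRequest", "Sleep"],
    "U":  ["GetSystemTime", "Sleep", "VirtualAlloc", "LoadLibrary"],
}
# Assumed set of calls attributed to the unpacking stub rather than to the payload's behaviour.
PACKER_NOISE = {"VirtualAlloc", "VirtualProtect", "LoadLibrary", "GetProcAddress"}

def weighted_vectors(traces, noise=PACKER_NOISE):
    """Drop noise calls, weight each remaining call by IDF (assumed scheme), L2-normalise per sample."""
    counts = {s: Counter(c for c in t if c not in noise) for s, t in traces.items()}
    df = Counter(c for cnt in counts.values() for c in cnt)
    idf = {c: math.log(len(counts) / df[c]) for c in df}   # calls shared by every sample weigh 0
    vecs = {}
    for s, cnt in counts.items():
        v = {c: k * idf[c] for c, k in cnt.items()}
        norm = math.sqrt(sum(x * x for x in v.values())) or 1.0
        vecs[s] = {c: x / norm for c, x in v.items()}
    return vecs

def cosine_distance(a, b):
    return 1.0 - sum(a[c] * b.get(c, 0.0) for c in a)

def dbscan(vecs, eps, min_pts):
    """Density-based clustering over sparse vectors; returns {sample: cluster_id}, -1 means noise."""
    names = list(vecs)
    neigh = {s: [t for t in names if cosine_distance(vecs[s], vecs[t]) <= eps] for s in names}
    labels, cid = {}, 0
    for s in names:
        if s in labels or len(neigh[s]) < min_pts:
            labels.setdefault(s, -1)          # non-core point: noise unless a cluster reaches it
            continue
        labels[s] = cid                       # s is a core point: start a new cluster from it
        queue = list(neigh[s])
        while queue:
            t = queue.pop()
            if labels.get(t, -1) == -1:       # unvisited, or previously marked as noise
                labels[t] = cid
                if len(neigh[t]) >= min_pts:  # t is also core: keep expanding through it
                    queue.extend(neigh[t])
        cid += 1
    return labels
```

With eps=0.3 and min_pts=2 the A samples and the B samples form two clusters and U is labelled -1, i.e. a sample the model has no variant for; adding it to a cluster later is the "model update" step the abstract refers to.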