Pubs / Extraction of Statistically Significant Malware Behaviors

Extraction of Statistically Significant Malware Behaviors


  author = {Sirinda Palahan and Domagoj Babi\'c and Swarat Chaudhuri and
    Daniel Kifer},
  title = {{Extraction of Statistically Significant Malware
  booktitle = {ACSAC'13: The 29th Computer Security Applications
  year = {2013},
  location = {New Orleans, Louisiana, USA}

Abstract: Traditionally, analysis of malicious software is only a semi-automated process, often requiring a skilled human analyst. As new malware appears at an increasingly alarming rate --- now over 100 thousand new variants each day --- there is a need for automated techniques for identifying suspicious behavior in programs. In this paper, we propose a method for extracting statistically significant malicious behaviors from a system call dependency graph (obtained by running a binary executable in a sandbox). Our approach is based on a new method for measuring the statistical significance of sub-graphs. Given a training set of graphs from two classes (e.g., goodware and malware system call dependency graphs), our method can assign p-values to subgraphs of new graph instances even if those subgraphs have not appeared before in the training data (thus possibly capturing new behaviors or disguised versions of existing behaviors).

Page last modified on October 14, 2013, at 05:54 PM