Volume 37 Issue 12
Jan.  2016
Chen Zhi-feng, Li Qing-bao, Zhang Ping, Feng Pei-jun. Signature Selection for Kernel Malware Based on Cluster Analysis[J]. Journal of Electronics & Information Technology, 2015, 37(12): 2821-2829. doi: 10.11999/JEIT150387

Signature Selection for Kernel Malware Based on Cluster Analysis

doi: 10.11999/JEIT150387
Funds: The National Science and Technology Major Project of China (2013JH00103)

  • Received Date: 2015-04-02
  • Revised Date: 2015-07-30
  • Publish Date: 2015-12-19

Abstract: Current data-signature-based kernel malware detection suffers from efficiency that decreases as the number of signatures grows. To address this, a signature selection method for kernel malware based on hierarchical clustering is presented. First, since existing similarity calculation methods are difficult to apply to data signature selection, a similarity measure based on the longest common subset and a 2-round hash computation algorithm are introduced. Second, a hierarchical clustering algorithm based on the longest common subset is presented, which aggregates similar signatures effectively. Finally, a signature selection algorithm based on the inconsistency coefficient is designed to reduce the number of signatures. Experimental results show the effectiveness of the method, and performance evaluations indicate that the algorithm runtime is acceptable.
