ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Learning to detect malicious executables in the wild
Full text PdfPdf (217 KB)
Source International Conference on Knowledge Discovery and Data Mining archive
Proceedings of the tenth ACM SIGKDD international conference on Knowledge discovery and data mining table of contents
Seattle, WA, USA
SESSION: Industry/government track papers table of contents
Pages: 470 - 478  
Year of Publication: 2004
ISBN:1-58113-888-1
Authors
Jeremy Z. Kolter  Georgetown University, Washington, DC
Marcus A. Maloof  Georgetown University, Washington, DC
Sponsors
SIGMOD: ACM Special Interest Group on Management of Data
SIGKDD: ACM Special Interest Group on Knowledge Discovery in Data
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 14,   Downloads (12 Months): 120,   Citation Count: 15
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1014052.1014105
What is a DOI?

ABSTRACT

In this paper, we describe the development of a fielded application for detecting malicious executables in the wild. We gathered 1971 benign and 1651 malicious executables and encoded each as a training example using n-grams of byte codes as features. Such processing resulted in more than 255 million distinct n-grams. After selecting the most relevant n-grams for prediction, we evaluated a variety of inductive methods, including naive Bayes, decision trees, support vector machines, and boosting. Ultimately, boosted decision trees outperformed other methods with an area under the roc curve of 0.996. Results also suggest that our methodology will scale to larger collections of executables. To the best of our knowledge, ours is the only fielded application for this task developed using techniques from machine learning and data mining.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
David W. Aha , Dennis Kibler , Marc K. Albert, Instance-Based Learning Algorithms, Machine Learning, v.6 n.1, p.37-66, Jan. 1991  [doi>10.1023/A:1022689900470]
 
2
A. Aiken. MOSS: A system for detecting software plagiarism. Software, Department of Computer Science, University of California, Berkeley, http://www.cs.berkeley.edu/~aiken/moss.html, 1994.
 
3
Anonymous , Shipley, Maximum Security, Sams, Indianapolis, IN, 2000
 
4
Eric Bauer , Ron Kohavi, An Empirical Comparison of Voting Classification Algorithms: Bagging, Boosting, and Variants, Machine Learning, v.36 n.1-2, p.105-139, July-August 1999  [doi>10.1023/A:1007515423169]
5
Bernhard E. Boser , Isabelle M. Guyon , Vladimir N. Vapnik, A training algorithm for optimal margin classifiers, Proceedings of the fifth annual workshop on Computational learning theory, p.144-152, July 27-29, 1992, Pittsburgh, Pennsylvania, United States  [doi>10.1145/130385.130401]
 
6
L. Breiman. Arcing classifiers. The Annals of Statistics, 26:801--849, 1998.
 
7
M. Christodorescu and S. Jha. Static analysis of executables to detect malicious patterns. In Proceedings of the Twelfth USENIX Security Symposium, Berkeley, CA, 2003. Advanced Computing Systems Association.
 
8
W. Cohen. Fast effective rule induction. In Proceedings of the Twelfth International Conference on Machine Learning, pages 115--123, San Francisco, CA, 1995. Morgan Kaufmann.
 
9
Thomas G. Dietterich, An Experimental Comparison of Three Methods for Constructing Ensembles of Decision Trees: Bagging, Boosting, and Randomization, Machine Learning, v.40 n.2, p.139-157, Aug. 2000  [doi>10.1023/A:1007607513941]
 
10
Pedro Domingos , Michael Pazzani, On the Optimality of the Simple Bayesian Classifier under Zero-One Loss, Machine Learning, v.29 n.2-3, p.103-130, Nov./Dec. 1997  [doi>10.1023/A:1007413511361]
11
Chris Drummond , Robert C. Holte, Explicitly representing expected cost: an alternative to ROC representation, Proceedings of the sixth ACM SIGKDD international conference on Knowledge discovery and data mining, p.198-207, August 20-23, 2000, Boston, Massachusetts, United States  [doi>10.1145/347090.347126]
12
Susan Dumais , John Platt , David Heckerman , Mehran Sahami, Inductive learning algorithms and representations for text categorization, Proceedings of the seventh international conference on Information and knowledge management, p.148-155, November 02-07, 1998, Bethesda, Maryland, United States  [doi>10.1145/288627.288651]
 
13
E. Durning-Lawrence. Bacon is Shake-speare. The John McBride Company, New York, NY, 1910.
 
14
Y. Freund and R. Schapire. Experiments with a new boosting algorithm. In Proceedings of the Thirteenth International Conference on Machine Learning, pages 148--156, San Francisco, CA, 1996. Morgan Kaufmann.
 
15
A. Gray, P. Sallis, and S. MacDonell. Software forensics: Extending authorship analysis techniques to computer programs. In Proceedings of the Third Biannual Conference of the International Association of Forensic Linguists, pages 1--8, Birmingham, UK, 1997. International Association of Forensic Linguists.
 
16
David A. Grossman , Ophir Frieder, Information Retrieval: Algorithms and Heuristics, Kluwer Academic Publishers, Norwell, MA, 1998
 
17
David J. Hand , Padhraic Smyth , Heikki Mannila, Principles of data mining, MIT Press, Cambridge, MA, 2001
 
18
Anil K. Jain , Robert P. W. Duin , Jianchang Mao, Statistical Pattern Recognition: A Review, IEEE Transactions on Pattern Analysis and Machine Intelligence, v.22 n.1, p.4-37, January 2000  [doi>10.1109/34.824819]
 
19
H. T. Jankowitz, Detecting plagiarism in student Pascal programs, The Computer Journal, v.31 n.1, p.1-8, Feb., 1988  [doi>10.1093/comjnl/31.1.1]
 
20
Thorsten Joachims, Text Categorization with Suport Vector Machines: Learning with Many Relevant Features, Proceedings of the 10th European Conference on Machine Learning, p.137-142, April 21-23, 1998
 
21
J. Kephart, G. Sorkin, W. Arnold, D. Chess, G. Tesauro, and S. White. Biologically inspired defenses against computer viruses. In Proceedings of the Fourteenth International Joint Conference on Artificial Intelligence, pages 985--996, San Francisco, CA, 1995. Morgan Kaufmann.
 
22
Bradley Kjell , W. Addison Woods , Ophir Frieder, Discrimination of authorship using visualization, Information Processing and Management: an International Journal, v.30 n.1, p.141-150, Jan.-Feb. 1994  [doi>10.1016/0306-4573(94)90029-9]
 
23
I. Krsul. Authorship analysis: Identifying the author of a program. Master's thesis, Purdue University, West Lafayette, IN, 1994.
 
24
I. Krsul and E. Spafford. Authorship analysis: Identifying the authors of a program. In Proceedings of the Eighteenth National Information Systems Security Conference, pages 514--524, Gaithersburg, MD, 1995. National Institute of Standards and Technology.
 
25
R. Lo, K. Levitt, and R. Olsson. MCF: A malicious code filter. Computers & Security, 14:541--566, 1995.
26
M. E. Maron , J. L. Kuhns, On Relevance, Probabilistic Indexing and Information Retrieval, Journal of the ACM (JACM), v.7 n.3, p.216-244, July 1960  [doi>10.1145/321033.321035]
 
27
Gary McGraw , Greg Morrisett, Attacking Malicious Code: A Report to the Infosec Research Council, IEEE Software, v.17 n.5, p.33-41, September 2000  [doi>10.1109/52.877857]
 
28
C. Metz, Y. Jiang, H. MacMahon, R. Nishikawa, and X. Pan. ROC software. Web page, Kurt Rossmann Laboratories for Radiologic Image Research, University of Chicago, Chicago, IL, 2003.
 
29
P. Miller. hexdump 1.4. Software, http://gd.tuwien.ac.at/softeng/Aegis/hexdump.html, 1999.
 
30
Thomas M. Mitchell, Machine Learning, McGraw-Hill Higher Education, 1997
 
31
D. Opitz and R. Maclin. Popular ensemble methods: An empirical study. Journal of Artificial Intelligence Research, 11:169--198, 1999.
 
32
John C. Platt, Fast training of support vector machines using sequential minimal optimization, Advances in kernel methods: support vector learning, MIT Press, Cambridge, MA, 1999
 
33
J. Platt. Probabilities for SV machines. In P. Bartlett, B. Schölkopf, D. Schuurmans, and A. Smola, editors, Advances in Large-Margin Classifiers, pages 61--74. MIT Press, Cambridge, MA, 2000.
 
34
Foster Provost , Tom Fawcett, Robust Classification for Imprecise Environments, Machine Learning, v.42 n.3, p.203-231, March 2001  [doi>10.1023/A:1007601015854]
 
35
J. Ross Quinlan, C4.5: programs for machine learning, Morgan Kaufmann Publishers Inc., San Francisco, CA, 1993
 
36
M. Sahami, S. Dumais, D. Heckerman, and E. Horvitz. A Bayesian approach to filtering junk e-mail. In Learning for Text Categorization: Papers from the 1998 AAAI Workshop, Menlo Park, CA, 1998. AAAI Press. Technical Report WS-98-05.
 
37
Matthew G. Schultz , Eleazar Eskin , Erez Zadok , Salvatore J. Stolfo, Data Mining Methods for Detection of New Malicious Executables, Proceedings of the 2001 IEEE Symposium on Security and Privacy, p.38, May 14-16, 2001
 
38
S. Soman, C. Krintz, and G. Vigna. Detecting malicious Java code using virtual machine auditing. In Proceedings of the Twelfth USENIX Security Symposium, Berkeley, CA, 2003. Advanced Computing Systems Association.
 
39
Eugene H. Spafford , Stephen A. Weeber, Software forensics: can we track code to its authors?, Computers and Security, v.12 n.6, p.585-595, Oct. 1993  [doi>10.1016/0167-4048(93)90055-A]
 
40
J. Swets and R. Pickett. Evaluation of diagnostic systems: Methods from signal detection theory. Academic Press, New York, NY, 1982.
 
41
G. Tesauro, J. Kephart, and G. Sorkin. Neural networks for computer virus recognition. IEEE Expert, 11:5--6, August 1996.
 
42
Ian H. Witten , Eibe Frank, Data mining: practical machine learning tools and techniques with Java implementations, Morgan Kaufmann Publishers Inc., San Francisco, CA, 2000
 
43
Yiming Yang , Jan O. Pedersen, A Comparative Study on Feature Selection in Text Categorization, Proceedings of the Fourteenth International Conference on Machine Learning, p.412-420, July 08-12, 1997

CITED BY  15
Mohammad M. Masud , Latifur Khan , Bhavani Thuraisingham, A scalable multi-level feature extraction technique to detect malicious executables, Information Systems Frontiers, v.10 n.1, p.33-45, March 2008
Mila Dalla Preda , Mihai Christodorescu , Somesh Jha , Saumya Debray, A semantics-based approach to malware detection, ACM SIGPLAN Notices, v.42 n.1, January 2007
D. Michael Cai , Maya Gokhale , James Theiler, Comparison of feature selection and classification algorithms in identifying malicious executables, Computational Statistics & Data Analysis, v.51 n.6, p.3156-3172, March, 2007
Christopher LaRosa , Li Xiong , Ken Mandelberg, Frequent pattern mining for kernel trace data, Proceedings of the 2008 ACM symposium on Applied computing, March 16-20, 2008, Fortaleza, Ceara, Brazil
J. Zico Kolter , Marcus A. Maloof, Learning to Detect and Classify Malicious Executables in the Wild, The Journal of Machine Learning Research, 7, p.2721-2744, 12/1/2006
Oliver Sharma , Mark Girolami , Joseph Sventek, Detecting worm variants using machine learning, Proceedings of the 2007 ACM CoNEXT conference, December 10-13, 2007, New York, New York
Yanfang Ye , Dingding Wang , Tao Li , Dongyi Ye, IMDS: intelligent malware detection system, Proceedings of the 13th ACM SIGKDD international conference on Knowledge discovery and data mining, August 12-15, 2007, San Jose, California, USA
Mila Dalla Preda , Mihai Christodorescu , Somesh Jha , Saumya Debray, A semantics-based approach to malware detection, ACM Transactions on Programming Languages and Systems (TOPLAS), v.30 n.5, p.1-54, August 2008
Jianyong Dai , Ratan Guha , Joohan Lee, Feature set selection in data mining techniques for unknown virus detection: a comparison study, Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies, April 13-15, 2009, Oak Ridge, Tennessee
Hazem M. El-Bakry , Nikos Mastorakis, Fast virus detection by using high speed time delay neural networks, Proceedings of the 10th WSEAS international conference on Neural networks, p.169-183, March 23-25, 2009, Prague, Czech Republic
Asaf Shabtai , Robert Moskovitch , Yuval Elovici , Chanan Glezer, Detection of malicious code by applying machine learning classifiers on static features: A state-of-the-art survey, Information Security Tech. Report, v.14 n.1, p.16-29, February, 2009
Travis Atkison, Applying randomized projection to aid prediction algorithms in detecting high-dimensional rogue applications, Proceedings of the 47th Annual Southeast Regional Conference, March 19-21, 2009, Clemson, South Carolina
Yanfang Ye , Tao Li , Qingshan Jiang , Zhixue Han , Li Wan, Intelligent file scoring system for malware detection from the gray list, Proceedings of the 15th ACM SIGKDD international conference on Knowledge discovery and data mining, June 28-July 01, 2009, Paris, France
Peter Stone, Learning and multiagent reasoning for autonomous agents, Proceedings of the 20th international joint conference on Artifical intelligence, p.13-30, January 06-12, 2007, Hyderabad, India
Muazzam Siddiqui , Morgan C. Wang , Joohan Lee, A survey of data mining techniques for malware detection using file features, Proceedings of the 46th Annual Southeast Regional Conference on XX, March 28-29, 2008, Auburn, Alabama

INDEX TERMS

Primary Classification:
  H. Information Systems
  H.2 DATABASE MANAGEMENT
      H.2.8 Database applications
          Subjects: Data mining

Additional Classification:
  I. Computing Methodologies
  I.2 ARTIFICIAL INTELLIGENCE
      I.2.6 Learning
          Subjects: Concept learning

  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
      K.6.5 Security and Protection (D.4.6, K.4.2)
          Subjects: Invasive software (e.g., viruses, worms, Trojan horses)


General Terms:
Algorithms, Experimentation, Security


Keywords:
concept learning, data mining, malicious software, security

Collaborative Colleagues:
Jeremy Z. Kolter: colleagues
Marcus A. Maloof: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player