IMAD: in-execution malware analysis and detection
Source
Genetic and Evolutionary Computation Conference archive
Proceedings of the 11th Annual Conference on Genetic and Evolutionary Computation (GECCO '09)
Montreal, Québec, Canada
SESSION: Track 13: real world application
Pages 1553-1560
Year of Publication: 2009
ISBN: 978-1-60558-325-9
Authors
Syed Bilal Mehdi  Next Generation Intelligent Networks Research Center, National University of Computer & Emerging Sciences (FAST-NUCES), Islamabad, Pakistan
Ajay Kumar Tanwani  Next Generation Intelligent Networks Research Center, National University of Computer & Emerging Sciences (FAST-NUCES), Islamabad, Pakistan
Muddassar Farooq  Next Generation Intelligent Networks Research Center, National University of Computer & Emerging Sciences (FAST-NUCES), Islamabad, Pakistan
Sponsors
SIGEVO: ACM Special Interest Group on Genetic and Evolutionary Computation
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1569901.1570109

ABSTRACT

The growing sophistication of computer malware is a serious threat to the information technology infrastructure that underpins modern e-commerce systems. We therefore advocate developing sophisticated, efficient, and accurate malware classification techniques that can detect malware on the first day of its release, commonly known as "zero-day malware detection". To this end, we present a new technique, IMAD, that can not only identify zero-day malware without any a priori knowledge of it but can also detect a malicious process while it is executing (in-execution detection). In-execution detection lets the operating system kill the malicious process immediately, before it can cause significant damage. IMAD is a real-time, dynamic, efficient, in-execution zero-day malware detection scheme that analyzes the system call sequence of a process to classify it as malicious or benign. We use a genetic algorithm to optimize the system parameters of our scheme. The evolved scheme is evaluated on real-world synthetic data extracted from a Linux system. Our experiments show that IMAD achieves more than 90% accuracy in classifying in-execution processes as benign or malicious. Moreover, it classifies approximately 50% of malicious processes within the first 20% of their system calls.
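The abstract states the in-execution idea only at a high level. What follows is an added example written for this page; it is not the authors' IMAD code, and the paper's actual features, model and tuned parameters are not reproduced here. It shows the general mechanism the abstract describes: a process's system calls are consumed one at a time, a per-class bigram model contributes a log-likelihood ratio per call, a verdict is issued as soon as a threshold is crossed, and the fraction of the trace consumed before that verdict is recorded, which is how a figure such as "50% of malicious processes within the first 20% of their system calls" is measured. The traces, system-call names and the fixed threshold are constructed for illustration; the paper tunes its parameters with a genetic algorithm instead.

```python
"""Toy in-execution system-call classifier (added illustration, not IMAD).

Class models are add-one-smoothed bigram frequencies; the online score is a
cumulative log-likelihood ratio (LLR). The threshold is set by hand here.
"""
import math
from collections import Counter

# Constructed sample traces (hypothetical; not real data and not the paper's dataset)
BENIGN_TRACES = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["stat", "open", "read", "close"],
    ["socket", "connect", "write", "read", "close"],
]
MALICIOUS_TRACES = [
    ["socket", "connect", "read", "write", "execve"],
    ["open", "write", "chmod", "execve"],
    ["fork", "execve", "socket", "connect"],
    ["open", "write", "chmod", "fork", "execve"],
]
# Held-out constructed traces (hypothetical) for the demo and evaluation
TEST_TRACES = [
    ("benign", ["open", "read", "read", "close"]),
    ("benign", ["stat", "open", "read", "write", "close"]),
    ("malicious", ["open", "write", "chmod", "fork", "execve", "socket"]),
    ("malicious", ["socket", "connect", "read", "write", "execve", "close"]),
]


def bigrams(trace):
    """Adjacent system-call pairs of a trace."""
    return list(zip(trace, trace[1:]))


def train(benign, malicious):
    """Per-class bigram counts plus the shared vocabulary size used for smoothing."""
    ben = Counter(g for t in benign for g in bigrams(t))
    mal = Counter(g for t in malicious for g in bigrams(t))
    return {"ben": ben, "mal": mal, "vocab": len(set(ben) | set(mal))}


def llr_step(model, g):
    """log P(g | malicious) / P(g | benign) with add-one (Laplace) smoothing.

    Unseen bigrams get count 0 in both classes and contribute almost nothing.
    """
    v = model["vocab"]
    p_mal = (model["mal"][g] + 1) / (sum(model["mal"].values()) + v)
    p_ben = (model["ben"][g] + 1) / (sum(model["ben"].values()) + v)
    return math.log(p_mal / p_ben)


def classify_in_execution(model, trace, threshold=2.0):
    """Score the trace call by call and stop as soon as |LLR| reaches threshold.

    Returns (verdict, fraction_of_trace_consumed). If the threshold is never
    reached, the verdict is the sign of the final score and the fraction is 1.0:
    a post-execution decision, not an in-execution one.
    """
    score = 0.0
    for i in range(1, len(trace)):
        score += llr_step(model, (trace[i - 1], trace[i]))
        consumed = (i + 1) / len(trace)
        if score >= threshold:
            return "malicious", consumed
        if score <= -threshold:
            return "benign", consumed
    return ("malicious" if score > 0 else "benign"), 1.0


def evaluate(model, labelled, threshold=2.0):
    """Accuracy, and the share of malicious traces flagged before they finished."""
    correct = early = n_mal = 0
    for label, trace in labelled:
        verdict, consumed = classify_in_execution(model, trace, threshold)
        correct += verdict == label
        if label == "malicious":
            n_mal += 1
            early += verdict == "malicious" and consumed < 1.0
    return {"accuracy": correct / len(labelled), "early_malicious": early / n_mal}


if __name__ == "__main__":
    model = train(BENIGN_TRACES, MALICIOUS_TRACES)
    for label, trace in TEST_TRACES:
        print(label, classify_in_execution(model, trace))
    print(evaluate(model, TEST_TRACES))
```

On the constructed test set the first malicious trace is flagged after three of its six calls, while the second only tips over once the whole trace has been seen, which is the distinction between in-execution and post-execution detection that the abstract's "first 20% of their system calls" figure quantifies. Lowering the threshold buys earlier verdicts at the cost of false positives on benign processes whose early calls happen to look malicious, which is why that trade-off is a tuned parameter rather than a constant.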

