
VMD: A Visualizable Malware Detection Scheme Based on Multi-dimensional Dynamic Behavior Information

Yulong Cui1, Zhiwei Zhang1,2,*, Zhidong Ma1, Zehan Chen1,2, Yuzi Wang1, and Yulong Shen1

Corresponding Author:

Zhiwei Zhang

Affiliation(s):

1 School of Computer Science and Technology, Xidian University, Xi'an, Shaanxi, 710071, China

2 Institute of Network Information, Academy of Systems Engineering, Academy of Military Sciences, Beijing, 100141, China

*Corresponding author

Abstract:

Numerous traditional malware detection methods have been proposed, and they are efficient at detecting known malware; however, these methods are usually either ineffective or suffer a high false positive rate when detecting unknown malware. To improve unknown malware detection, many novel methods have been presented that introduce software behavior visualization, artificial intelligence, and other popular technologies. Unfortunately, they still face the problems of inadequate data utilization and the lack of a benchmark dataset. Therefore, in this paper we propose an effective malware detection method that utilizes multi-dimensional software dynamic behavior information. To construct the concrete scheme, we combine a mechanism that maps key parameters of software operation to grayscale images with a malware prediction model. In addition, to our knowledge, we constructed the first publicly accessible software dynamic behavior dataset, containing over 800 malicious and 600 non-malicious software behavior images. Finally, the experimental results show that our method can effectively detect unknown malware and outperforms the existing comparative baseline schemes in terms of accuracy, precision, and recall.

Keywords:

Unknown Malware Detection, Dynamic Behavioral Information, Software Behavior Image Dataset

Cite This Paper:

Yulong Cui, Zhiwei Zhang, Zhidong Ma, Zehan Chen, Yuzi Wang, and Yulong Shen (2024). VMD: A Visualizable Malware Detection Scheme Based on Multi-dimensional Dynamic Behavior Information. Journal of Networking and Network Applications, Volume 4, Issue 1, pp. 12–20. https://doi.org/10.33969/J-NaNA.2024.040102.
