Melez Özelliklerin Modellenmesi ile Zararlı Yazılım Tespiti

Yıl 2019, Cilt: 12 Sayı: 2, 50 - 63, 17.12.2019

Mert Nar İbrahim Soğukpınar

Öz

Zararlı yazılımlar sahip oldukları
yeteneklerden ötürü bilgisayar ve sistemlere büyük tehlike oluşturmaktadır.
Etkin tespit sistemlerinin gelişmesinden aynı şekilde etkilenerek daha
tehlikeli ve donanımlı hale gelmektedirler. Otomatik bir tespit sistemi
geliştirmek için, zararlı yazılımlar iyi analiz edilmeli ve gelişim meyilleri
doğru tespit edilmelidir. Zararlı yazılımların çalıştığı bilgisayarda yarattığı
etkiler ve kod yapısı ayrıntılı incelenmeli ve öyle önlem alınmalıdır. Bu
çalışmada önerilen tespit sistemi, zararlı yazılımın hem davranış hem kod
yapısı bilgisini kullanarak Markov zinciri yöntemi ile istatistiksel bir anlam
çıkarmaktadır. Daha sonra derin öğrenme teknikleri ile temellendirilmiş model
melez veri kaynağı ile eğitilmiş ve tespit ortamı hazırlanmıştır. Yaptığımız
testler sonucunda önerilen tespit yöntemi %96,8’lik doğruluk göstermiştir.

Anahtar Kelimeler

Markov Zinciri, Derin Öğrenme, Dinamik Analiz, Durağan Analiz

Malware Detection by Using Markov Models of Hybrid Features

Öz

Malware poses a great danger to
computers and systems due to their capabilities. They are also affected by the
development of effective detection systems and become more dangerous and
equipped. In order to develop an automated detection system, malware must be
well analyzed, and inclination of their evolution should be accurately understood. The runtime
effects of malicious software on the computer and code structure should be
examined in detail and precautions should be taken. The detection system
proposed in this study makes a statistical meaning with Markov chain method
using both behavior and code structure knowledge of malware. Then the model
based on deep learning techniques is trained with the hybrid data source and
detection environment is prepared. As a result of the tests we performed, the
accuracy of the detection method was 96.8%.

Anahtar Kelimeler

Markov Chain, Malware, Deep learning, Convolutional Network, Dynamic Analysis, Static Analysis

Kaynakça

• [1] MalwareBytes-Labs. 2019 State of Malware, 2019. https://blog.malwarebytes.com/malwarebytes-news/ctnt-report (accessed April 15, 2019).
• [2] AV-Test-Institute. 2019 New Malware, 2019. https://https://www.av-test.org/en/statistics/malware/(accessed April 15, 2019).
• [3] Rajeswaran, D., Di Troia, F., Austin, T. H., & Stamp, M. (2018). Function call graphs versus machine learning for malware detection. In Guide to Vulnerability Analysis for Computer Networks and Systems (pp. 259-279). Springer, Cham.
• [4] Pektaş, A., & Acarman, T. (2017). Malware classification based on API calls and behaviour analysis. IET Information Security, 12(2), 107-117.
• [5] Vemparala, S., Di Troia, F., Corrado, V. A., Austin, T. H., & Stamo, M. (2016, March). Malware detection using dynamic birthmarks. In Proceedings of the 2016 ACM on International Workshop on Security And Privacy Analytics (pp. 41-46). ACM.
• [6] Safa, H., Nassar, M., & Al Orabi, W. A. R. (2019, June). Benchmarking Convolutional and Recurrent Neural Networks for Malware Classification. In 2019 15th International Wireless Communications & Mobile Computing Conference (IWCMC) (pp. 561-566). IEEE.
• [7] Afianian, A., Niksefat, S., Sadeghiyan, B., & Baptiste, D. (2018). Malware Dynamic Analysis Evasion Techniques: A Survey. arXiv preprint arXiv:1811.01190.
• [8] Sartea, R., & Farinelli, A. (2018, July). Detection of Intelligent Agent Behaviors Using Markov Chains. In Proceedings of the 17th International Conference on Autonomous Agents and MultiAgent Systems (pp. 2064-2066). International Foundation for Autonomous Agents and Multiagent Systems.
• [9] Martín, A., Rodríguez-Fernández, V., & Camacho, D. (2018). CANDYMAN: Classifying Android malware families by modelling dynamic traces with Markov chains. Engineering Applications of Artificial Intelligence, 74, 121-133.
• [10] Anderson, B., Storlie, C., & Lane, T. (2012, October). Improving malware classification: bridging the static/dynamic gap. In Proceedings of the 5th ACM workshop on Security and artificial intelligence (pp. 3-14). ACM.
• [11] Kolosnjaji, B., Demontis, A., Biggio, B., Maiorca, D., Giacinto, G., Eckert, C., & Roli, F. (2018, September). Adversarial malware binaries: Evading deep learning for malware detection in executables. In 2018 26th European Signal Processing Conference (EUSIPCO) (pp. 533-537). IEEE.
• [12] Demetrio, L., Biggio, B., Lagorio, G., Roli, F., & Armando, A. (2019). Explaining Vulnerabilities of Deep Learning to Adversarial Malware Binaries. arXiv preprint arXiv:1901.03583.
• [13] Biggio, B., Rieck, K., Ariu, D., Wressnegger, C., Corona, I., Giacinto, G., & Roli, F. (2014, November). Poisoning behavioral malware clustering. In Proceedings of the 2014 workshop on artificial intelligent and security workshop (pp. 27-36). ACM.
• [14] Garetto, M., Gong, W., & Towsley, D. (2003, March). Modeling malware spreading dynamics. In IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No. 03CH37428) (Vol. 3, pp. 1869-1879). IEEE.
• [15] Chen, Z., & Ji, C. (2005). Spatial-temporal modeling of malware propagation in networks. IEEE Transactions on Neural networks, 16(5), 1291-1303.
• [16] Karyotis, V. (2010). Markov random fields for malware propagation: the case of chain networks. IEEE Communications Letters, 14(9), 875-877.
• [17] Zhang, J., Qin, Z., Yin, H., Ou, L., & Zhang, K. (2019). A feature-hybrid malware variants detection using CNN based opcode embedding and BPNN based API embedding. Computers & Security, 84, 376-392.
• [18] Xiao, X., Wang, Z., Li, Q., Xia, S., & Jiang, Y. (2016). Back-propagation neural network on Markov chains from system call sequences: a new approach for detecting Android malware with system call sequences. IET Information Security, 11(1), 8-15.
• [19] Onwuzurike, L., Mariconti, E., Andriotis, P., Cristofaro, E. D., Ross, G., & Stringhini, G. (2019). MaMaDroid: Detecting android malware by building markov chains of behavioral models (extended version). ACM Transactions on Privacy and Security (TOPS), 22(2), 14.
• [20] Xiao, F., Lin, Z., Sun, Y., & Ma, Y. (2019). Malware Detection Based on Deep Learning of Behavior Graphs. Mathematical Problems in Engineering, 2019.
• [21] Ndibanje, B., Kim, K. H., Kang, Y. J., Kim, H. H., Kim, T. Y., & Lee, H. J. (2019). Cross-Method-Based Analysis and Classification of Malicious Behavior by API Calls Extraction. Applied Sciences, 9(2), 239.
• [22] Alsulami, B., & Mancoridis, S. (2018, October). Behavioral Malware Classification using Convolutional Recurrent Neural Networks. In 2018 13th International Conference on Malicious and Unwanted Software (MALWARE) (pp. 103-111). IEEE.
• [23] Sun, G., & Qian, Q. (2018). Deep learning and visualization for identifying malware families. IEEE Transactions on Dependable and Secure Computing.
• [24] Le, Q., Boydell, O., Mac Namee, B., & Scanlon, M. (2018). Deep learning at the shallow end: Malware classification for non-domain experts. Digital Investigation, 26, S118-S126.
• [25] Kolosnjaji, B., Demontis, A., Biggio, B., Maiorca, D., Giacinto, G., Eckert, C., & Roli, F. (2018, September). Adversarial malware binaries: Evading deep learning for malware detection in executables. In 2018 26th European Signal Processing Conference (EUSIPCO) (pp. 533-537). IEEE.
• [26] Kolosnjaji, B., Zarras, A., Webster, G., & Eckert, C. (2016, December). Deep learning for classification of malware system call sequences. In Australasian Joint Conference on Artificial Intelligence (pp. 137-149). Springer, Cham.
• [27] Kakisim, A. G., Nar, M., Carkaci, N., & Sogukpinar, I. (2018, November). Analysis and Evaluation of Dynamic Feature-Based Malware Detection Methods. In International Conference on Security for Information Technology and Communications (pp. 247-258). Springer, Cham.
• [28] VxHeaven. Computer virus collection, 2014. http://83.133.184.251/virensimulation.org/(accessed April 15, 2019).
• [29] Chollet, F. Keras (2015) GitHub repository. https://github.com/fchollet/keras
• [30] Eibe Frank, Mark A. Hall, and Ian H. Witten (2016). The WEKA Workbench. Online Appendix for "Data Mining: Practical Machine Learning Tools and Techniques", Morgan Kaufmann, Fourth Edition, 2016.
• [31] Chollet, F. (2018). Deep Learning mit Python und Keras: Das Praxis-Handbuch vom Entwickler der Keras-Bibliothek. MITP-Verlags GmbH & Co. KG.