A scalable multi-level feature extraction technique to detect malicious executables

Mohammad M. Masud, Latifur Khan, Bhavani Thuraisingham

Research output: Contribution to journalArticlepeer-review

57 Citations (Scopus)

Abstract

We present a scalable and multi-level feature extraction technique to detect malicious executables. We propose a novel combination of three different kinds of features at different levels of abstraction. These are binary n-grams, assembly instruction sequences, and Dynamic Link Library (DLL) function calls; extracted from binary executables, disassembled executables, and executable headers, respectively. We also propose an efficient and scalable feature extraction technique, and apply this technique on a large corpus of real benign and malicious executables. The above mentioned features are extracted from the corpus data and a classifier is trained, which achieves high accuracy and low false positive rate in detecting malicious executables. Our approach is knowledge-based because of several reasons. First, we apply the knowledge obtained from the binary n-gram features to extract assembly instruction sequences using our Assembly Feature Retrieval algorithm. Second, we apply the statistical knowledge obtained during feature extraction to select the best features, and to build a classification model. Our model is compared against other feature-based approaches for malicious code detection, and found to be more efficient in terms of detection accuracy and false alarm rate.

Original languageEnglish
Pages (from-to)33-45
Number of pages13
JournalInformation Systems Frontiers
Volume10
Issue number1
DOIs
Publication statusPublished - Mar 2008
Externally publishedYes

Keywords

  • Disassembly
  • Feature extraction
  • Malicious executable
  • n-gram analysis

ASJC Scopus subject areas

  • Software
  • Theoretical Computer Science
  • Information Systems
  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'A scalable multi-level feature extraction technique to detect malicious executables'. Together they form a unique fingerprint.

Cite this