University of Maryland, College Park.
Improving Existing Static and Dynamic Malware Detection Techniques with Instruction-Level Behavior.
Record Type:
Language materials, printed : Monograph/item
Title/Author:
Improving Existing Static and Dynamic Malware Detection Techniques with Instruction-Level Behavior.
Author:
Kim, Danny.
Published:
Ann Arbor : ProQuest Dissertations & Theses, 2019.
Description:
176 p.
Notes:
Source: Dissertations Abstracts International, Volume: 81-02, Section: B.
Contained By:
Dissertations Abstracts International 81-02B.
Subject:
Computer engineering.
Online resource:
http://pqdd.sinica.edu.tw/twdaoapp/servlet/advanced?query=13811176
ISBN:
9781085566568
Thesis (Ph.D.)--University of Maryland, College Park, 2019.
This item must not be sold to any third party vendors.
My Ph.D. focuses on detecting malware by leveraging the information obtained at an instruction level. Instruction-level information is obtained by looking at the instructions or disassembly that make up an executable. My initial work focused on using a dynamic binary instrumentation (DBI) tool. A DBI tool enables the study of instruction-level behavior while the malware is executing, which I show proves to be valuable in detecting malware. To expand on my work with dynamic instruction-level information, I integrated it with machine learning to increase the scalability and robustness of my detection tool. To further increase the scalability of the dynamic detection of malware, I created a two-stage static-dynamic malware detection scheme aimed at achieving the accuracy of a fully dynamic detection scheme without the high computational resources and time required. Lastly, I show the improvement of static analysis-based detection of malware by automatically generated machine learning features based on opcode sequences with the help of convolutional neural networks.

The first part of my research focused on obfuscated malware. Obfuscation is the process in which malware tries to hide itself from static analysis and trick disassemblers. I found that by using a DBI tool, I was able to not only detect obfuscation, but detect the differences in how it occurred in malware versus goodware. Through dynamic program-level analysis, I was able to detect specific obfuscations and use the varying methods in which it was used by programs to differentiate malware and goodware. I found that by using the mere presence of obfuscation as a method of detecting malware, I was able to detect previously undetected malware.

I then focused on using my knowledge of dynamic program-level features to build a highly accurate machine learning-based malware detection tool. Machine learning is useful in malware detection because it can process a large amount of data to determine meaningful relationships to distinguish malware from benign programs. Through the integration of machine learning, I was able to expand my obfuscation detection schemes to address a broader class of malware, which ultimately led to a malware detection tool that can detect 98.45% of malware with a 1% false positive rate.

Understanding the pitfalls of dynamic analysis of malware, I focused on creating a more efficient method of detecting malware. Malware detection comes in three methods: static analysis, dynamic analysis, and hybrids. Static analysis is fast and effective for detecting previously seen malware, whereas dynamic analysis can be more accurate and robust against zero-day or polymorphic malware, but at the cost of a high computational load. Most modern defenses today use a hybrid approach, which uses both static and dynamic analysis, but are suboptimal. I created a two-phase malware detection tool that approaches the accuracy of the dynamic-only system with only a small fraction of its computational cost, while maintaining a real-time malware detection timeliness similar to a static-only system, thus achieving the best of both approaches.

Lastly, my Ph.D. focused on reducing the need for manual feature generation by utilizing Convolutional Neural Networks (CNNs) to automatically generate feature vectors from raw input data. My work shows that using a raw sequence of opcode sequences from static disassembly with a CNN model can automatically produce feature vectors that are useful for detecting malware. Because this process is automated, it presents as a scalable method of consistently producing useful features without human intervention or labor that can be used to detect malware.
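The abstract describes two ideas that are easy to lose in prose: a cheap static stage over opcode sequences that decides most samples, and an expensive DBI stage that is only run when the static verdict is ambiguous and that looks for obfuscation (unpacking, self-modifying code) at the instruction level. The following is an added example, not code from the dissertation or from any tool it describes. It uses a naive Bayes model over opcode bigrams as a stand-in for the learned static features, and a write-then-execute check over a DBI-style trace as the dynamic indicator; the training sequences, traces, page size and decision thresholds are all constructed assumptions.

```python
"""Two-stage static/dynamic malware triage on instruction-level features.

Added example (not the dissertation's code). Stage 1 scores a sample from
opcode-bigram statistics in its static disassembly. Only samples whose static
score falls in an ambiguous band go to stage 2, which replays an
instruction-level trace of the kind a DBI tool emits and counts instructions
fetched from pages the program itself wrote earlier in the run, a classic
unpacking/self-modification indicator. All opcode sequences, traces, labels
and thresholds below are constructed toy data / assumptions.
"""
import math
from collections import Counter

PAGE_SHIFT = 12  # assumption: 4 KiB pages


def bigrams(opcodes):
    """Adjacent opcode pairs, the unit the static model scores."""
    return list(zip(opcodes, opcodes[1:]))


class OpcodeBigramNB:
    """Multinomial naive Bayes over opcode bigrams with add-one smoothing.
    Assumes the training set contains at least one sample of each class."""

    def __init__(self):
        self.counts = {"mal": Counter(), "good": Counter()}
        self.docs = Counter()
        self.vocab = set()

    def fit(self, labelled):
        for label, ops in labelled:
            bg = bigrams(ops)
            self.docs[label] += 1
            self.counts[label].update(bg)
            self.vocab.update(bg)
        return self

    def log_odds(self, ops):
        """log P(mal | ops) - log P(good | ops); positive favours malware."""
        v = len(self.vocab)
        total = {c: sum(self.counts[c].values()) for c in self.counts}
        lo = math.log(self.docs["mal"]) - math.log(self.docs["good"])
        for bg in bigrams(ops):
            p_mal = (self.counts["mal"][bg] + 1) / (total["mal"] + v)
            p_good = (self.counts["good"][bg] + 1) / (total["good"] + v)
            lo += math.log(p_mal) - math.log(p_good)
        return lo


def write_then_execute(trace):
    """Stage 2: replay (event, address) records from an instruction-level
    trace and count instructions executed from a page the program wrote
    earlier. Packed or self-modifying code produces these; ordinary compiled
    code does not (JIT runtimes are the main benign exception)."""
    written = set()
    hits = 0
    for event, addr in trace:
        page = addr >> PAGE_SHIFT
        if event == "write":
            written.add(page)
        elif event == "exec" and page in written:
            hits += 1
    return hits


def classify(model, ops, run_trace, low=-2.0, high=2.0, min_hits=1):
    """Return (verdict, stage). Stage 1 decides when the static log-odds is
    outside the ambiguous band (low, high). Otherwise run_trace() is called,
    lazily, because executing the sample under instrumentation is the costly
    step the two-stage design exists to avoid."""
    lo = model.log_odds(ops)
    if lo >= high:
        return "malware", 1
    if lo <= low:
        return "benign", 1
    hits = write_then_execute(run_trace())
    return ("malware" if hits >= min_hits else "benign"), 2


# Constructed training corpus: compiler-style prologues/epilogues as goodware,
# decryption-stub style loops as malware.
TRAINING = [
    ("good", ["push", "mov", "sub", "mov", "call", "add", "pop", "ret"]),
    ("good", ["push", "mov", "mov", "call", "test", "jz", "pop", "ret"]),
    ("good", ["push", "mov", "lea", "call", "mov", "pop", "ret"]),
    ("mal", ["pushad", "mov", "xor", "lodsb", "xor", "stosb", "loop", "popad", "jmp"]),
    ("mal", ["pushad", "lea", "xor", "lodsb", "xor", "stosb", "loop", "popad", "jmp"]),
    ("mal", ["pushad", "mov", "xor", "mov", "xor", "stosb", "loop", "popad", "jmp"]),
]
# Constructed traces: the first writes into a code page and then executes
# from it; the second only writes to a stack page.
TRACE_SELF_MODIFYING = [
    ("exec", 0x401000), ("write", 0x403010), ("write", 0x403014),
    ("exec", 0x401006), ("exec", 0x403010), ("exec", 0x403012),
]
TRACE_CLEAN = [("exec", 0x401000), ("write", 0x7FFD0010), ("exec", 0x401004)]
# Mostly unseen bigrams plus one malware-like pair: static score lands in band.
AMBIGUOUS = ["nop", "mov", "xor", "cmp", "jne", "nop", "call", "ret"]


def _no_trace():
    raise AssertionError("stage 2 must not run for a confident static verdict")


def demo():
    model = OpcodeBigramNB().fit(TRAINING)
    return {
        "clear_mal": classify(model, TRAINING[3][1], _no_trace),
        "clear_good": classify(model, TRAINING[0][1], _no_trace),
        "amb_packed": classify(model, AMBIGUOUS, lambda: TRACE_SELF_MODIFYING),
        "amb_clean": classify(model, AMBIGUOUS, lambda: TRACE_CLEAN),
    }


if __name__ == "__main__":
    for name, (verdict, stage) in demo().items():
        print(f"{name}: {verdict} (decided at stage {stage})")
```

The band (low, high) is the cost knob: widening it sends more samples to the DBI stage and buys accuracy with CPU time, narrowing it does the reverse, which is the trade-off the abstract's two-phase design is about. The write-then-execute heuristic is deliberately page-granular; a real DBI unpacker tracks byte ranges and must whitelist JIT-compiled regions to keep the goodware false-positive rate down.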
Subjects--Topical Terms:
Computer engineering.
Subjects--Index Terms:
Cybersecurity
LDR
:04999nam a2200397 4500
001
951818
005
20200821052202.5
008
200914s2019 ||||||||||||||||| ||eng d
020
$a
9781085566568
035
$a
(MiAaPQ)AAI13811176
035
$a
AAI13811176
040
$a
MiAaPQ
$c
MiAaPQ
100
1
$a
Kim, Danny.
$3
1241301
245
1 0
$a
Improving Existing Static and Dynamic Malware Detection Techniques with Instruction-Level Behavior.
260
1
$a
Ann Arbor :
$b
ProQuest Dissertations & Theses,
$c
2019
300
$a
176 p.
500
$a
Source: Dissertations Abstracts International, Volume: 81-02, Section: B.
500
$a
Advisor: Barua, Rajeev.
502
$a
Thesis (Ph.D.)--University of Maryland, College Park, 2019.
506
$a
This item must not be sold to any third party vendors.
506
$a
This item must not be added to any third party search indexes.
590
$a
School code: 0117.
650
4
$a
Computer engineering.
$3
569006
650
4
$a
Computer science.
$3
573171
650
4
$a
Artificial intelligence.
$3
559380
653
$a
Cybersecurity
653
$a
Dynamic analysis
653
$a
Machine learning
653
$a
Malware detection
653
$a
Program analysis
653
$a
Static analysis
690
$a
0464
690
$a
0984
690
$a
0800
710
2
$a
University of Maryland, College Park.
$b
Electrical Engineering.
$3
845418
773
0
$t
Dissertations Abstracts International
$g
81-02B.
790
$a
0117
791
$a
Ph.D.
792
$a
2019
793
$a
English
856
4 0
$u
http://pqdd.sinica.edu.tw/twdaoapp/servlet/advanced?query=13811176