APPLICATION OF PROFILE HIDDEN MARKOV MODEL FOR MALWARE CLASSIFICATION
| Field | Value |
|---|---|
| Main Author | |
| Format | Final Project |
| Language | Indonesia |
| Online Access | https://digilib.itb.ac.id/gdl/view/23825 |
| Institution | Institut Teknologi Bandung |
Summary:

Malware, or malicious software, has adopted a variety of advanced techniques over its years of development. What appear to be several different malware files are often one malware file transformed with different obfuscation techniques. These files look different under high-level inspection (file structure) but behave exactly the same at the low level.

Low-level inspection is therefore a good method for capturing the signature of malware with these characteristics. Low-level data that can be used to detect similarity between malware files is the system call sequence. We capture the system call sequence of a suspected malicious executable by running it.

A profile hidden Markov model is used to classify malware into malware classes based on the system call sequence. A profile hidden Markov model can not only separate the malware and benign classes but also determine how similar a malware instance is to each class model, such as worm or trojan, based on its system call sequence. The features used to build a model are the system calls with the highest number of occurrences and the system calls that are specific to each malware class.

Testing results show that malware class models built from 15 types of system call already achieve good accuracy: around 90% for the trojan class and around 94% for the worm class. In contrast, the false negative rate of these models is fairly high, around 37%. This is caused by the absence of a benign class model; the benign class is instead determined by applying a threshold to each malware class model, namely the worm and trojan classes.