APPLICATION OF PROFILE HIDDEN MARKOV MODEL FOR MALWARE CLASSIFICATION

Malware, or malicious software, has adopted a variety of advanced techniques as it has developed over the years. Some seemingly different malware files are usually one similar malware file with different obfuscation techniques applied. These malware files look different under high-level inspection (file structure) but...

Bibliographic Details
Main Author: PRANAMULIA (NIM : 13512078), RAMANDIKA
Format: Final Project
Language: Indonesia
Online Access: https://digilib.itb.ac.id/gdl/view/23825
Institution: Institut Teknologi Bandung
id id-itb.:23825
spelling id-itb.:23825 2017-10-09T10:28:07Z
institution Institut Teknologi Bandung
building Institut Teknologi Bandung Library
continent Asia
country Indonesia
content_provider Institut Teknologi Bandung
collection Digital ITB
description Malware, or malicious software, has adopted a variety of advanced techniques as it has developed over the years. Some seemingly different malware files are usually one similar malware file with different obfuscation techniques applied. These malware files look different under high-level inspection (file structure) but behave exactly the same at a low level.

Low-level inspection is therefore a good method for capturing the signature of malware with these characteristics. One kind of low-level data that can be used to detect similarity between malware files is the system call sequence. We capture the system call sequence of a suspected malware executable by running it.

A profile hidden Markov model is used to classify malware into malware classes based on the system call sequence. A profile hidden Markov model can not only separate the malware and benign classes but also determine how similar a malware instance is to each class model, such as worm or trojan, based on its system call sequence. The features used to build the models are the system calls with the highest number of occurrences and the system calls that are specific to each malware class.

Test results show that malware class models built with 15 types of system call already achieve good accuracy. Accuracy for the trojan class is around 90%, while accuracy for the worm class is around 94%. In contrast, the false negative rate of these models is fairly high, at around 37%. This issue is caused by the unavailability of a benign class model: the benign class is inferred by applying a threshold to each of the malware classes, namely the worm and trojan classes.