As current kernel malware detection method based on data signature exists the problem that its efficiency decreases with the growth of the number of signatures, a signature selection method for kernel malware based on hierarchical cluster is presented. First, since current similarity calculation methods are difficult to be applied to data signature selection, a longest common subset based method and a 2-round Hash computation algorithm are introduced. Second, a longest common subset based hierarchical cluster algorithm is presented, thereby performing similar signature aggregation effectively. Finally, a signature selection algorithm based on inconsistent coefficient is designed to reduce the number of signatures. Experimental results show the effectiveness of the method, and performance evaluations indicate that algorithm runtime is acceptable.
Yin H, Song D, Egele M, et al.. Panorama: capturing system-wide information flow for malware detection and analysis[C]. Proceedings of the 14th ACM Conference on Computer and Communications Security, Alexandria, USA, 2007: 116-127.
Wang Rui, Feng Deng-guo, Yang Yi, et al.. Semantics-based malware behavior signature extraction and detection method[J]. Journal of Software, 2012, 23(2): 378-393.
[3]
Nataraj L, Karthikeyan S, Jacob G, et al.. Malware images: visualization and automatic classification[C]. Proceedings of the 8th International Symposium on Visualization for Cyber Security, Pittsburg, PA, USA, 2011: 4-10.
[4]
Nataraj L, Yegneswaran V, Porras P, et al.. A comparative assessment of malware classification using binary texture analysis and dynamic analysis[C]. Proceedings of the 4th ACM Workshop on Security and Artificial Intelligence, Chicago, USA, 2011: 21-30.
Han Xiao-guang, Qu Wu, Yao Xuan-xia, et al.. Research on malicious code variants detection based on texture fingerprint [J]. Journal of Communications, 2014, 35(8): 125-136.
[6]
Ding Yun-xin, Dai Wei, Yan Sheng-li, et al.. Control flow- based opcode behavior analysis for malware detection[J]. Computer & Security, 2014, 44: 65-74.
[7]
Wang X and Karri R. NumChecker: detecting kernel control- flow modifying rootkits by using hardware performance counters[C]. Proceedings of the 50th Annual Design Automation Conference, Austin, TX, USA, 2013: 79-86.
[8]
Debbabi M, Desharnais J, et al.. Static detection of malicious code in executable programs[J]. Intermational Journal of Requirement Engineering, 2001(184-189): 79-86.
[9]
Baliga A, Ganapathy V, and Iftode L. Detecting kernel-level rootkits using data structure invariants[J]. IEEE Transactions on Dependable and Secure Computing, 2011, 8(5): 670-684.
[10]
Zhu F. Integrity-based kernel malware detection[D]. [Ph.D. dissertation], Florida International University, 2014.
[11]
Rhee J, Riley R, Lin Z Q, et al.. Data-centric OS kernel malware characterization[J]. IEEE Transactions on Information Forensics and Security, 2014, 9(1): 72-87.
[12]
Tumer D, Entwisle S, Fossi M, et al.. Symantec Internet security thread report 2014[R]. Symantec Corporation, 2014.
Chen Ji-meng, Chen Jia-jun, Liu Jie, et al.. Clustering algorithms for large-scale social networks based on structural similarity[J]. Journal of Electronics & Information Technology, 2015, 37(2): 449-454.
[14]
Ciprian O, George C, and Gheorghe S. Malware clustering using suffix trees[J]. Journal of Computer Virology Hacking Techniques, 2014, DOI: 10.1007/s11416-014-0227-6.
Qi Shu-hui. Research into malware classification and detection based on instruction analysis[D]. [Master dissertation], Hangzhou Dianzi University, 2012.
Luo Yang-xia and Fang Ding-yi. Feature selection for software birthmark based on cluster analysis[J]. Acta Electronica Sinica, 2013, 41(12): 2334-2338.
[17]
Bailey M, Oberheide J, Andersen J, et al.. Automated classification and analysis of internet malware[C]. Proceedings of the 10th Symposium on Recent Advances in Intrusion Detection, Gold Coast, Australia, 2007: 178-197.