Malware detection: program run length against detection rate

Philip O'Kane, Sakir Sezer, Kieran McLaughlin, Eul Gyu Im

Research output: Contribution to journalArticlepeer-review

14 Citations (Scopus)

Abstract

N-gram analysis is an approach that investigates the structure of a program using bytes, characters or text strings. This research uses dynamic analysis to investigate malware detection using a classification approach based on N-gram analysis. A key issue with dynamic analysis is the length of time a program has to be run to ensure a correct classification. The motivation for this research is to find the optimum subset of operational codes (opcodes) that make the best indicators of malware and to determine how long a program has to be monitored to ensure an accurate support vector machine (SVM) classification of benign and malicious software. The experiments within this study represent programs as opcode density histograms gained through dynamic analysis for different program run periods. A SVM is used as the program classifier to determine the ability of different program run lengths to correctly determine the presence of malicious software. The findings show that malware can be detected with different program run lengths using a small number of opcodes
Original languageEnglish
Pages (from-to)42-51
Number of pages10
JournalIET Software
Volume8
Issue number1
DOIs
Publication statusPublished - Feb 2014

Fingerprint

Dive into the research topics of 'Malware detection: program run length against detection rate'. Together they form a unique fingerprint.

Cite this