Leveraging compression-based graph mining for behavior-based malware detection

Tobias Wuchner, Aleksander Cislak, Martin Ochoa, Alexander Pretschner

Research output: Contribution to journal › Article › peer-review

55 Scopus citations

Abstract

Behavior-based detection approaches commonly address the threat of statically obfuscated malware. Such approaches often use graphs to represent process or system behavior and typically employ frequency-based graph mining techniques to extract characteristic patterns from collections of malware graphs. Recent studies in the molecule mining domain suggest that frequency-based graph mining algorithms often perform sub-optimally in finding highly discriminating patterns. We propose a novel malware detection approach that uses so-called compression-based mining on quantitative data flow graphs to derive highly accurate detection models. Our evaluation on a large and diverse malware set shows that our approach outperforms frequency-based detection models in terms of detection effectiveness by more than 600 percent.

Original language: English
Article number: 7867799
Pages (from-to): 99-112
Number of pages: 14
Journal: IEEE Transactions on Dependable and Secure Computing
Volume: 16
Issue number: 1
DOIs
State: Published - 1 Jan 2019

Keywords

  • Data mining
  • Graph mining
  • Machine learning
  • Malware detection
  • Quantitative data flow analysis
