Robust and effective malware detection through quantitative data flow graph metrics

Tobias Wüchner, Martín Ochoa, Alexander Pretschner

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

50 Scopus citations

Abstract

We present a novel malware detection approach based on metrics over quantitative data flow graphs. Quantitative data flow graphs (QDFGs) model process behavior by interpreting issued system calls as aggregations of quantifiable data flows. Due to the high abstraction level we consider QDFG metric based detection more robust against typical behavior obfuscation like bogus call injection or call reordering than other common behavioral models that base on raw system calls. We support this claim with experiments on obfuscated malware logs and demonstrate the superior obfuscation robustness in comparison to detection using ngrams. Our evaluations on a large and diverse data set consisting of about 7000 malware and 500 goodware samples show an average detection rate of 98.01% and a false positive rate of 0.48%. Moreover, we show that our approach is able to detect new malware (i.e. samples from malware families not included in the training set) and that the consideration of quantities in itself significantly improves detection precision.

Original languageEnglish
Title of host publicationDetection of Intrusions and Malware, and Vulnerability Assessment - 12th International Conference, DIMVA 2015, Proceedings
EditorsFederico Maggi, Magnus Almgren, Vincenzo Gulisano
PublisherSpringer Verlag
Pages98-118
Number of pages21
ISBN (Print)9783319205496
DOIs
StatePublished - 2015
Event12th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2015 - Milan, Italy
Duration: 9 Jul 201510 Jul 2015

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume9148
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference12th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2015
Country/TerritoryItaly
CityMilan
Period9/07/1510/07/15

Fingerprint

Dive into the research topics of 'Robust and effective malware detection through quantitative data flow graph metrics'. Together they form a unique fingerprint.

Cite this