Dissertation
Behavioral malware detection and classification using Windows Prefetch files
Doctor of Philosophy (Ph.D.), Drexel University
Mar 2019
DOI: https://doi.org/10.17918/xxb4-yt36
Abstract
The advent of modern polymorphic and metamorphic malware, which encrypts or changes its code when it replicates, rendered static signature detectors and classifiers less effective and gave rise to techniques that analyze the behavior of programs to detect and classify malware. Behavioral malware detectors and classifiers use run-time features to capture the execution characteristics of running applications and are designed to overcome the shortcomings of static signature techniques. However, behavioral techniques introduce new challenges: for example, they need to be a) effective at attaining low false positive rates in a realistic setting, b) adaptive, so that they maintain their effectiveness as hosts change over time, and c) resilient against evasive malware that imitates the behavior of benign programs to avoid detection. This dissertation describes an adaptive and resilient malware detector and classifier based on behavioral data extracted from Microsoft Windows Prefetch files. The system detects and classifies malware with high accuracy, few false positives, and low overhead; it also adapts to changes in the monitored hosts and is resilient against evasive malware. The malware detector uses an online algorithm to adapt to changes in the host Windows platforms over time. Moreover, the detector includes a defense mechanism against evasive mimicry malware. The malware classifier aims to improve on the state of the art by classifying both common and rare families with high classification accuracy and by adapting to newly discovered malware samples and families. Extensive experiments are conducted to evaluate the effectiveness and performance of the detector and classifier, the efficiency of the online adaptation algorithm at learning new behavioral signatures, and the resilience of the techniques against mimicry malware.
The novelty of the work lies in a) building a behavioral malware detector and classifier using dynamic features extracted from Microsoft Windows Prefetch files, b) creating a malware detector that is robust to mimicry attacks, and c) building an extensive experimental framework to evaluate the malware detector and classifier on a large collection of data.
Details
- Title: Behavioral malware detection and classification using Windows Prefetch files
- Creators: Bander Alsulami - DU
- Contributors: Spiros Mancoridis (Advisor) - Drexel University (1970-)
- Awarding Institution: Drexel University
- Degree Awarded: Doctor of Philosophy (Ph.D.)
- Publisher: Drexel University; Philadelphia, Pennsylvania
- Number of pages: xii, 94 pages
- Resource Type: Dissertation
- Language: English
- Academic Unit: Computer Science (Computing) (2013-2026); College of Computing and Informatics (2013-2026); Drexel University
- Other Identifier: 9351; 991014632177704721