Windows Malware Detection Method Based on the Path IRP

2014, Vol 687-691, pp. 2626-2629
Author(s): Fu Yong Zhang

The IRP (I/O Request Packet) sequences of a program are not identical across different environments on the same operating system, which has a certain influence on detection results. Through many experiments, we found that the IRP request sequences of programs on the same operation path are consistent. Therefore, a new malware detection method based on path IRP sequences is proposed. Every single IRP request sequence on the same operation path is extracted, and the Negative Selection Algorithm (NSA) and Positive Selection Algorithm (PSA) are used for detection. Experimental results reveal that our method outperforms the method based on IRP sequences in detection rate.

2014, Vol 519-520, pp. 309-312
Author(s): Jin Rong Bai, Zhen Zhou An, Guo Zhong Zou, Shi Guang Mu

Dynamic detection based on software behavior is an efficient and effective approach for anti-virus technology. Malware and benign executables differ mainly in the implementation of some special behaviors for propagation and destruction. A program's execution flow is essentially equivalent to its stream of API calls. Analyzing the API call frequencies of six kinds of behaviors at the same time differentiates very well between malicious and benign executables. This paper proposes a dynamic malware detection approach that mines the frequency of sensitive native API calls and describes experiments conducted against recent Win32 malware. Experimental results indicate that the detection rate of the proposed method is 98% and the AUC value is 0.981. Furthermore, the proposed method can identify both known and unknown malware.


2021, Vol 40 (5), pp. 8793-8806
Author(s): Dong Li, Xin Sun, Furong Gao, Shulin Liu

Compared with traditional negative selection algorithms, which produce detectors randomly in the whole state space, the boundary-fixed negative selection algorithm (FB-NSA) non-randomly produces a layer of detectors closely surrounding the self space. However, the false alarm rate of FB-NSA is higher than that of many anomaly detection methods, and its detection rate is very low when normal data lie close to the boundary of the state space. This paper proposes an improved FB-NSA (IFB-NSA) to solve these problems. IFB-NSA enlarges the state space and adds auxiliary detectors in appropriate places to improve the detection rate, and uses variable-sized training samples to reduce the false alarm rate. We present experiments on synthetic datasets and the UCI Iris dataset to demonstrate the effectiveness of this approach. The results show that IFB-NSA outperforms FB-NSA and the other anomaly detection methods in most cases.
