Detecting malware with information complexity
Article
Alshahwan, N., Barr, E., Clark, D., Danezis, G. and Menéndez, H. 2020. Detecting malware with information complexity. Entropy. 22 (5), pp. 1-29. https://doi.org/10.3390/e22050575
| Type | Article |
|---|---|
| Title | Detecting malware with information complexity |
| Authors | Alshahwan, N., Barr, E., Clark, D., Danezis, G. and Menéndez, H. |
| Abstract | Malware concealment is the predominant strategy for malware propagation. Black hats create variants of malware based on polymorphism and metamorphism. Malware variants, by definition, share some information. Although the concealment strategy alters this information, there are still patterns on the software. Given a zoo of labelled malware and benign-ware, we ask whether a suspect program is more similar to our malware or to our benign-ware. Normalized Compression Distance (NCD) is a generic metric that measures the shared information content of two strings. This measure opens a new front in the malware arms race, one where the countermeasures promise to be more costly for malware writers, who must now obfuscate patterns as strings qua strings, without reference to execution, in their variants. Our approach classifies disk-resident malware with 97.4% accuracy and a false positive rate of 3%. We demonstrate that its accuracy can be improved by combining NCD with the compressibility rates of executables using decision forests, paving the way for future improvements. We demonstrate that malware reported within a narrow time frame of a few days is more homogeneous than malware reported over two years, but that our method still classifies the latter with 95.2% accuracy and a 5% false positive rate. Due to its use of compression, the time and computation cost of our method is nontrivial. We show that simple approximation techniques can improve its running time by up to 63%. We compare our results to the results of applying the 59 anti-malware programs used on the VirusTotal website to our malware. Our approach outperforms each one used alone and matches that of all of them used collectively. |
| Keywords | information theory, Kolmogorov complexity, normalized compression distance, malware detection |
| Publisher | MDPI AG |
| Journal | Entropy |
| ISSN | 1099-4300 |
| Electronic | 1099-4300 |
| Publication dates | |
| Online | 20 May 2020 |
| 20 May 2020 | |
| Publication process dates | |
| Deposited | 22 May 2020 |
| Accepted | 16 May 2020 |
| Output status | Published |
| Publisher's version | License File Access Level Open |
| Copyright Statement | © 2020 by the authors. Licensee MDPI, Basel, Switzerland. This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited |
| Additional information | This article belongs to the Section Multidisciplinary Applications |
| Digital Object Identifier (DOI) | https://doi.org/10.3390/e22050575 |
| Language | English |
https://repository.mdx.ac.uk/item/88z21
Download files
Publisher's version
 | entropy-22-00575.xml | |
| entropy-22-00575.pdf | ||
| License: CC BY 4.0 | ||
| File access level: Open | ||
27
total views22
total downloads0
views this month0
downloads this month