A behavior based malware detection scheme for avoiding false positive

Yoshiro Fukushima, Akihiro Sakai, Yoshiaki Hori, Kouichi Sakurai

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

19 Citations (Scopus)

Abstract

The number of malware samples is increasing rapidly, and much malware uses stealth techniques such as encryption to evade the pattern-matching detection performed by anti-virus software. To address this problem, behavior-based detection methods, which focus on the malicious behaviors of malware, have been researched. Although they can detect unknown and encrypted malware, they suffer from a serious problem: false positives against benign programs. For example, creating files and then executing them is a common behavior of malware, but benign programs are also likely to do the same, which causes false positives. In this paper, we propose a malware detection method based on evaluating suspicious process behaviors on Windows OS. To avoid false positives, our proposal focuses not only on malware-specific behaviors but also on normal behaviors that malware would usually not perform. Moreover, we implement a prototype of our proposal to analyze the behaviors of programs effectively. Our evaluation experiments on our malware and benign-program datasets show that our malware detection rate is about 60% and that it causes no false positives. Furthermore, we compare our proposal with completely behavior-based anti-virus software. Our results show that our proposal places little burden on users and reduces false positives.

Original language: English
Title of host publication: 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010
Pages: 79-84
Number of pages: 6
DOIs: 10.1109/NPSEC.2010.5634444
Publication status: Published - Dec 1 2010
Event: 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010 - Kyoto, Japan
Duration: Oct 5 2010 - Oct 5 2010

Publication series

Name: 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010

Other

Other: 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010
Country: Japan
City: Kyoto
Period: 10/5/10 - 10/5/10

Fingerprint

Viruses
Malware
Pattern matching
Cryptography
Experiments

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications

Cite this

Fukushima, Y., Sakai, A., Hori, Y., & Sakurai, K. (2010). A behavior based malware detection scheme for avoiding false positive. In 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010 (pp. 79-84). [5634444] (2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010). https://doi.org/10.1109/NPSEC.2010.5634444

@inproceedings{ba3d0828dcac4d0bad0ad48ea3415b7d,
title = "A behavior based malware detection scheme for avoiding false positive",
abstract = "The number of malware is increasing rapidly and a lot of malware use stealth techniques such as encryption to evade pattern matching detection by anti-virus software. To resolve the problem, behavior based detection method which focuses on malicious behaviors of malware have been researched. Although they can detect unknown and encrypted malware, they suffer a serious problem of false positives against benign programs. For example, creating files and executing them are common behaviors performed by malware, however, they are also likely performed by benign programs thus it causes false positives. In this paper, we propose a malware detection method based on evaluation of suspicious process behaviors on Windows OS. To avoid false positives, our proposal focuses on not only malware specific behaviors but also normal behavior that malware would usually not do. Moreover, we implement a prototype of our proposal to effectively analyze behaviors of programs. Our evaluation experiments using our malware and benign program datasets show that our malware detection rate is about 60{\%} and it does not cause any false positives. Furthermore, we compare our proposal with completely behavior-based anti-virus software. Our results show that our proposal puts few burdens on users and reduces false positives.",
author = "Yoshiro Fukushima and Akihiro Sakai and Yoshiaki Hori and Kouichi Sakurai",
year = "2010",
month = "12",
day = "1",
doi = "10.1109/NPSEC.2010.5634444",
language = "English",
isbn = "9781424489152",
series = "2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010",
pages = "79--84",
booktitle = "2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010",

}

TY  - GEN
T1  - A behavior based malware detection scheme for avoiding false positive
AU  - Fukushima, Yoshiro
AU  - Sakai, Akihiro
AU  - Hori, Yoshiaki
AU  - Sakurai, Kouichi
PY  - 2010/12/1
Y1  - 2010/12/1
N2  - The number of malware is increasing rapidly and a lot of malware use stealth techniques such as encryption to evade pattern matching detection by anti-virus software. To resolve the problem, behavior based detection method which focuses on malicious behaviors of malware have been researched. Although they can detect unknown and encrypted malware, they suffer a serious problem of false positives against benign programs. For example, creating files and executing them are common behaviors performed by malware, however, they are also likely performed by benign programs thus it causes false positives. In this paper, we propose a malware detection method based on evaluation of suspicious process behaviors on Windows OS. To avoid false positives, our proposal focuses on not only malware specific behaviors but also normal behavior that malware would usually not do. Moreover, we implement a prototype of our proposal to effectively analyze behaviors of programs. Our evaluation experiments using our malware and benign program datasets show that our malware detection rate is about 60% and it does not cause any false positives. Furthermore, we compare our proposal with completely behavior-based anti-virus software. Our results show that our proposal puts few burdens on users and reduces false positives.
AB  - The number of malware is increasing rapidly and a lot of malware use stealth techniques such as encryption to evade pattern matching detection by anti-virus software. To resolve the problem, behavior based detection method which focuses on malicious behaviors of malware have been researched. Although they can detect unknown and encrypted malware, they suffer a serious problem of false positives against benign programs. For example, creating files and executing them are common behaviors performed by malware, however, they are also likely performed by benign programs thus it causes false positives. In this paper, we propose a malware detection method based on evaluation of suspicious process behaviors on Windows OS. To avoid false positives, our proposal focuses on not only malware specific behaviors but also normal behavior that malware would usually not do. Moreover, we implement a prototype of our proposal to effectively analyze behaviors of programs. Our evaluation experiments using our malware and benign program datasets show that our malware detection rate is about 60% and it does not cause any false positives. Furthermore, we compare our proposal with completely behavior-based anti-virus software. Our results show that our proposal puts few burdens on users and reduces false positives.
UR  - http://www.scopus.com/inward/record.url?scp=79952044700&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=79952044700&partnerID=8YFLogxK
U2  - 10.1109/NPSEC.2010.5634444
DO  - 10.1109/NPSEC.2010.5634444
M3  - Conference contribution
AN  - SCOPUS:79952044700
SN  - 9781424489152
T3  - 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010
SP  - 79
EP  - 84
BT  - 2010 6th IEEE Workshop on Secure Network Protocols, NPSec 2010
ER  -