P. Vinod
SCMS School of Engineering and Technology
Publication
Featured research published by P. Vinod.
international conference on computer and communication technology | 2014
Jikku Kuriakose; P. Vinod
In this article, a non-signature based statistical scanner for metamorphic malware detection, employing feature ranking methods like Term Frequency-Inverse Document Frequency-Class Frequency (TF-IDF-CF), Galavotti-Sebastiani-Simi Coefficient (GSS), Term Significance (TS) and Odds Ratio (OR) is proposed. Malware and benign models for classification are created by considering top ranked features obtained through each feature selection method. The proposed statistical detector was tested on synthetic and live specimens. Accuracy of 100% is attained with the synthetic malware dataset, whereas, accuracy above 92% is obtained for the live metamorphic samples involving complex obfuscation techniques. Further, relevance of feature ranking methods at varying feature length is evaluated using McNemar test. Thus, the non-signature based scanner designed by us could be used for the detection of sophisticated metamorphic malware.
international conference on contemporary computing | 2015
Varsha M; P. Vinod; Dhanya K. A
In this paper, a broad static analysis system to classify Android malware applications is proposed. Features such as hardware components, permissions, application components, filtered intents, opcodes and number of smali files per application are used to generate the vector space model. Significant features are selected using the Entropy based Category Coverage Difference criterion. The performance of the system was evaluated using classifiers like SVM, Rotation Forest and Random Forest. An accuracy of 98.14% with F-measure 0.976 was obtained for the Meta feature space model containing malware features using the Random Forest classifier. An overall analysis concluded that the malware model outperforms the benign model.
security of information and networks | 2014
Jikku Kuriakose; P. Vinod
Our research developed a non-signature based approach, employing feature selection methods such as Categorical Proportional Distance (CPD), Weight of Evidence of Text (WET), Term Frequency-Inverse Document Frequency (TF-IDF), Term Frequency-Inverse Document Frequency-Class Frequency (TF-IDF-CF), Galavotti-Sebastiani-Simi Coefficient (GSS) and Term Significance (TS). The classification model is developed by considering bi-gram features ranked with these feature selection techniques. The proposed feature selection approaches detect unseen malware samples with accuracy in the range of 99% to 100%. Relevance of the feature ranking methods on variable feature length is ascertained using the McNemar test.
international conference on contemporary computing | 2014
Jikku Kuriakose; P. Vinod
To unfold a solution for the detection of metamorphic viruses (obfuscated malware), we propose a non-signature based approach using feature selection techniques such as Categorical Proportional Difference (CPD), Weight of Evidence of Text (WET), Term Frequency-Inverse Document Frequency (TF-IDF) and Term Frequency-Inverse Document Frequency-Class Frequency (TF-IDF-CF). Feature selection methods are employed to rank and prune bi-gram features obtained from malware and benign files. Synthesized features are further evaluated for their prominence in either of the classes. Using our proposed methodology, 100% accuracy is obtained with test samples. Hence, we argue that the statistical scanner proposed by us can identify future metamorphic variants and can assist antiviruses with high accuracy.
security of information and networks | 2015
Jithu Raphel; P. Vinod
Malware authors make use of anti-reverse engineering and obfuscation techniques like packing and encoding in order to conceal their malicious payload. These techniques succeeded in evading the traditional signature based AV scanners. Packed or encoded malware samples are difficult for AV scanners to analyse directly, so such samples must first be unpacked or decoded for efficient analysis of the malicious code. This paper illustrates a static information theoretic method for the classification of packed and encoded files. The proposed method extracts fragments of fixed size from the files and calculates the entropy scores of the fragments. These entropy scores are then used for computing the Similarity Distance Matrix for fragments in a file-pair. The proposed system classifies all the encoded and packed samples properly, thereby obtaining improved detection. The proposed system is also capable of differentiating the type of packers used for the packing or encoding process.
Archive | 2018
Princy George; P. Vinod
An approach is proposed in this work to search for composite email features by applying a language-specific technique known as NLP (Natural Language Processing) in the email spam domain. Different style markers are employed on the Enron-spam dataset to capture the nature of emails written by spam and ham email authors. Mainly, features from five categories, consisting of character-based features, word-based features, tag-based features, structural features, and Bag-of-Words, are extracted. Dimensionality reduction is applied subsequently using the TF–IDF–CF (Term Frequency–Inverse Document Frequency–Class Frequency) feature selection method in order to choose the prominent features from the huge feature space. The experiments are carried out on individual as well as composite feature models. A promising performance is produced by the composite model with an F-measure of 0.9935 and minimum FPR of 0.0004.
security of information and networks | 2015
Princy George; P. Vinod
Building an efficient email spam filtering system by selecting relevant features to reduce the dimensions has become a pivotal aspect in the field of machine learning based spam filtering. To deal with noisy features, TF-IDF-CF is chosen as the feature selection method in this study. The selected relevant feature sets are submitted to LibSVM and MNB classifiers to construct ham and spam models. An accuracy of 98.2612 with F-measure 0.9841 is obtained, which depicts the effectiveness of the proposed scheme.
international conference on contemporary computing | 2015
Jithu Raphel; P. Vinod
The proposed non-signature based system creates a meta feature space for the detection of metamorphic malware samples where three sets of features are extracted from the files: (a) branch opcodes (b) unigrams (c) bigrams. The feature space is initially pruned using the Naïve Bayes method. After the rare feature elimination process, the relevant opcodes that are highly contributing towards the target class are selected, thereby forming a relevant feature set. The next phase is to remove the redundant features that are present in the relevant feature set using the Markov Blanket approach. Prominent features extracted are used for generating the training models, and unseen instances are tested using the optimal models. The proposed system is capable of detecting the NGVCK viruses and MWORM with an accuracy of 100% using the meta opcode space of 25 features. A promising F1-score of 1.0 was gained and the results demonstrate the efficiency of the proposed metamorphic malware detector.
ieee international advance computing conference | 2014
Jikku Kuriakose; P. Vinod
Arabian Journal for Science and Engineering | 2017
Jithu Raphel; P. Vinod