Embedded malware is a recently discovered security threat that allows malcode to be hidden inside a benign file. It has been shown that embedded malware is not detected by commercial antivirus software even when the malware signature is present in the antivirus database. In this paper, we present a novel anomaly detection scheme to detect embedded malware. We first analyze byte sequences in benign files to show that benign files' data generally exhibit a 1st-order dependence structure. Consequently, conditional n-grams provide a more meaningful representation of a file's statistical properties than traditional n-grams. To capture and leverage this correlation structure for embedded malware detection, we model the conditional distributions as Markov n-grams. For embedded malware detection, we use an information-theoretic measure, called entropy rate, to quantify changes in Markov n-gram distributions observed in a file. We show that the entropy rate of Markov n-grams gets significantly perturbed at malcode embedding locations, and therefore can act as a robust feature for embedded malware detection. We evaluate the proposed Markov n-gram detector on a comprehensive malware dataset consisting of more than 37,000 malware samples and 1,800 benign samples of six well-known filetypes.
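As an added illustration (not code from the paper), the following Python estimates the 1st-order Markov n-gram conditional distributions P(cur | prev) in each sliding window of a file, computes the entropy rate of the estimated chain, and shows how that rate jumps in the window covering an embedded high-entropy region. The host data, the embedded blob, the 1024-byte window and 256-byte step are constructed assumptions, and the empirical frequency of the conditioning byte is used in place of the chain's exact stationary distribution.

```python
import math
import random
from collections import Counter, defaultdict
BLOB_OFFSET, BLOB_LEN = 2048, 1024  # constructed embedding location and size

def markov_entropy_rate(data: bytes) -> float:
    """Entropy rate (bits/byte) of the 1st-order Markov chain estimated from data;
    the empirical frequency of prev approximates the stationary distribution."""
    if len(data) < 2:
        return 0.0
    rows = defaultdict(Counter)
    for prev, cur in zip(data, data[1:]):
        rows[prev][cur] += 1          # conditional n-gram counts: prev -> cur
    total = len(data) - 1
    rate = 0.0
    for nexts in rows.values():
        row_total = sum(nexts.values())
        pi = row_total / total        # weight of this conditioning byte
        for count in nexts.values():
            p = count / row_total     # P(cur | prev)
            rate -= pi * p * math.log2(p)
    return rate

def windowed_entropy_rates(data: bytes, window: int, step: int) -> list:
    """(offset, entropy rate) for each sliding window over the file."""
    return [(off, markov_entropy_rate(data[off:off + window]))
            for off in range(0, len(data) - window + 1, step)]

def make_structured_bytes(n: int, rng: random.Random) -> bytes:
    """Constructed stand-in for benign data: 16-value source, next byte usually prev+1."""
    out = [0]
    for _ in range(n - 1):
        out.append((out[-1] + 1) % 16 if rng.random() < 0.9 else rng.randrange(16))
    return bytes(out)

def build_sample(seed: int = 7) -> bytes:
    """Constructed host: 8192 structured bytes with uniform random bytes at BLOB_OFFSET."""
    rng = random.Random(seed)
    host = bytearray(make_structured_bytes(8192, rng))
    host[BLOB_OFFSET:BLOB_OFFSET + BLOB_LEN] = bytes(rng.randrange(256) for _ in range(BLOB_LEN))
    return bytes(host)

def locate_anomaly(data: bytes, window: int = 1024, step: int = 256):
    """Offset and rate of the most perturbed window, plus the median rate as a baseline."""
    rates = windowed_entropy_rates(data, window, step)
    peak_off, peak_rate = max(rates, key=lambda r: r[1])
    baseline = sorted(r for _, r in rates)[len(rates) // 2]
    return peak_off, peak_rate, baseline
```

Because the 256x256 conditional table is estimated from only about a thousand transitions per window, the absolute rate of the random region is a sparse-sample estimate; the detection signal is the contrast against the structured baseline, not the value itself.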