dc.contributor.author | Banin, Sergii | |
dc.contributor.author | Dyrkolbotn, Geir Olav | |
dc.date.accessioned | 2019-09-17T06:32:18Z | |
dc.date.available | 2019-09-17T06:32:18Z | |
dc.date.created | 2019-09-16T10:41:44Z | |
dc.date.issued | 2019 | |
dc.identifier.citation | Lecture Notes in Computer Science. 2019, 11689 149-167. | nb_NO |
dc.identifier.issn | 0302-9743 | |
dc.identifier.uri | http://hdl.handle.net/11250/2617082 | |
dc.description.abstract | Malware brings constant threats to the services and facilities used by modern society. In order to perform and improve anti-malware defense, there is a need for methods that are capable of malware categorization. As malware is grouped into categories according to its functionality, dynamic malware analysis is a reliable source of features that are useful for malware classification. Different types of dynamic features are described in the literature [5, 6, 13]. These features can be divided into two main groups: high-level features (API calls, file activity, network activity, etc.) and low-level features (memory access patterns, high-performance counters, etc.). Low-level features bring special interest for malware analysts: regardless of the anti-detection mechanisms used by malware, it is impossible to avoid execution on hardware. As hardware-based security solutions are constantly developed by hardware manufacturers and prototyped by researchers, research on low-level features used for malware analysis is a promising topic. The biggest problem with low-level features is that they don’t bring much information to a human analyst. In this paper, we analyze potential correlation between the low- and high-level features used for malware classification. In particular, we analyze n-grams of memory access operations found in [6] and try to find their relationship with n-grams of API calls. We also compare performance of API calls and memory access n-grams on the same dataset as used in [6]. In the end, we analyze their combined performance for malware classification and explain findings in the correlation between high- and low-level features. | nb_NO |
dc.language.iso | eng | nb_NO |
dc.publisher | Springer Nature | nb_NO |
dc.title | Correlating High- and Low-Level Features: Increased Understanding of Malware Classification | nb_NO |
dc.type | Journal article | nb_NO |
dc.type | Peer reviewed | nb_NO |
dc.description.version | acceptedVersion | nb_NO |
dc.source.pagenumber | 149-167 | nb_NO |
dc.source.volume | 11689 | nb_NO |
dc.source.journal | Lecture Notes in Computer Science | nb_NO |
dc.identifier.doi | https://doi.org/10.1007/978-3-030-26834-3_9 | |
dc.identifier.cristin | 1724986 | |
dc.description.localcode | This is a post-peer-review, pre-copyedit version of an article published in Lecture notes in computer science. Locked until 24 July 2020 due to copyright restrictions. The final authenticated version is available online at: https://doi.org/10.1007/978-3-030-26834-3_9. | nb_NO |
cristin.unitcode | 194,63,30,0 | |
cristin.unitname | Institutt for informasjonssikkerhet og kommunikasjonsteknologi | |
cristin.ispublished | true | |
cristin.fulltext | original | |
cristin.qualitycode | 1 | |