Mal-Netminer: Malware Classification Approach Based on Social Network Analysis of System Call Graph

Jae Wook Jang, Jiyoung Woo, Aziz Mohaisen, Jaesung Yun, Huy Kang Kim

Research output: Contribution to journal › Article

6 Citations (Scopus)

Abstract

As the security landscape evolves over time, where thousands of species of malicious codes are seen every day, antivirus vendors strive to detect and classify malware families for efficient and effective responses against malware campaigns. To enrich this effort and by capitalizing on ideas from the social network analysis domain, we build a tool that can help classify malware families using features driven from the graph structure of their system calls. To achieve that, we first construct a system call graph that consists of system calls found in the execution of the individual malware families. To explore distinguishing features of various malware species, we study social network properties as applied to the call graph, including the degree distribution, degree centrality, average distance, clustering coefficient, network density, and component ratio. We utilize features driven from those properties to build a classifier for malware families. Our experimental results show that "influence-based" graph metrics such as the degree centrality are effective for classifying malware, whereas the general structural metrics of malware are less effective for classifying malware. Our experiments demonstrate that the proposed system performs well in detecting and classifying malware families within each malware class with accuracy greater than 96%.
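As an added example that is not part of the paper or its Mal-Netminer tool, the following Python builds a directed system call graph from a constructed sandbox-style trace and computes several of the metrics the abstract names (degree centrality, network density, average distance, clustering coefficient). The edge rule (an edge between consecutive calls) and the metric normalizations are assumptions, since the abstract does not specify the paper's exact definitions.

```python
from collections import Counter, deque
# Constructed trace (not from the paper): one sample's system calls as a sandbox might log them.
TRACE = ["NtOpenFile", "NtReadFile", "NtClose", "NtOpenFile",
         "NtWriteFile", "NtClose", "NtCreateProcess"]

def build_call_graph(trace):
    """Directed graph with an edge a->b whenever call b directly follows call a.
    Assumption: the abstract does not state the paper's exact edge rule."""
    g = {v: set() for v in trace}
    for a, b in zip(trace, trace[1:]):
        if a != b:  # ignore self-loops from repeated identical calls
            g[a].add(b)
    return g

def degree_centrality(g):
    """Total degree (in + out) normalized by n-1, the usual SNA definition."""
    indeg = Counter(b for outs in g.values() for b in outs)
    return {v: (len(g[v]) + indeg[v]) / (len(g) - 1) for v in g}

def density(g):
    """Fraction of the n(n-1) possible directed edges that are present."""
    n = len(g)
    return sum(map(len, g.values())) / (n * (n - 1))

def average_distance(g):
    """Mean directed shortest-path length over all reachable ordered pairs (BFS)."""
    total = pairs = 0
    for src in g:
        dist, q = {src: 0}, deque([src])
        while q:
            u = q.popleft()
            for v in g[u]:
                if v not in dist:
                    dist[v] = dist[u] + 1
                    q.append(v)
        total += sum(dist.values())
        pairs += len(dist) - 1
    return total / pairs if pairs else 0.0

def clustering_coefficient(g):
    """Average local clustering coefficient on the undirected version of the graph."""
    und = {v: set() for v in g}
    for a, outs in g.items():
        for b in outs:
            und[a].add(b); und[b].add(a)
    coeffs = []
    for nb in und.values():
        nb, k = list(nb), len(nb)
        links = sum(1 for i in range(k) for j in range(i + 1, k) if nb[j] in und[nb[i]])
        coeffs.append(2 * links / (k * (k - 1)) if k > 1 else 0.0)
    return sum(coeffs) / len(coeffs)
```

On this trace `NtClose` has the highest degree centrality (1.0), which is the kind of per-node "influence" value the abstract reports as the most discriminative feature; the structural metrics come out as density 0.3, average distance 1.8125 and clustering 0.6.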

Original language: English
Article number: 769624
Journal: Mathematical Problems in Engineering
Volume: 2015
DOI: 10.1155/2015/769624
Publication status: Published - 2015

Fingerprint

Social Network Analysis
Malware
Electric network analysis
Graph in graph theory
Centrality
Classify
Metric Graphs
Clustering Coefficient
Average Distance
Degree Distribution
Social Networks
Computer systems
Classifiers
Classifier
Family

ASJC Scopus subject areas

  • Mathematics(all)
  • Engineering(all)

Cite this

Mal-Netminer: Malware Classification Approach Based on Social Network Analysis of System Call Graph. / Jang, Jae Wook; Woo, Jiyoung; Mohaisen, Aziz; Yun, Jaesung; Kim, Huy Kang.

In: Mathematical Problems in Engineering, Vol. 2015, 769624, 2015.


@article{7b555e8ca10d41528c256e5493fc83cb,
title = "Mal-Netminer: Malware Classification Approach Based on Social Network Analysis of System Call Graph",
abstract = "As the security landscape evolves over time, where thousands of species of malicious codes are seen every day, antivirus vendors strive to detect and classify malware families for efficient and effective responses against malware campaigns. To enrich this effort and by capitalizing on ideas from the social network analysis domain, we build a tool that can help classify malware families using features driven from the graph structure of their system calls. To achieve that, we first construct a system call graph that consists of system calls found in the execution of the individual malware families. To explore distinguishing features of various malware species, we study social network properties as applied to the call graph, including the degree distribution, degree centrality, average distance, clustering coefficient, network density, and component ratio. We utilize features driven from those properties to build a classifier for malware families. Our experimental results show that {"}influence-based{"} graph metrics such as the degree centrality are effective for classifying malware, whereas the general structural metrics of malware are less effective for classifying malware. Our experiments demonstrate that the proposed system performs well in detecting and classifying malware families within each malware class with accuracy greater than 96{\%}.",
author = "Jang, {Jae Wook} and Jiyoung Woo and Aziz Mohaisen and Jaesung Yun and Kim, {Huy Kang}",
year = "2015",
doi = "10.1155/2015/769624",
language = "English",
volume = "2015",
journal = "Mathematical Problems in Engineering",
issn = "1024-123X",
publisher = "Hindawi Publishing Corporation",

}

TY - JOUR

T1 - Mal-Netminer

T2 - Malware Classification Approach Based on Social Network Analysis of System Call Graph

AU - Jang, Jae Wook

AU - Woo, Jiyoung

AU - Mohaisen, Aziz

AU - Yun, Jaesung

AU - Kim, Huy Kang

PY - 2015

Y1 - 2015

N2 - As the security landscape evolves over time, where thousands of species of malicious codes are seen every day, antivirus vendors strive to detect and classify malware families for efficient and effective responses against malware campaigns. To enrich this effort and by capitalizing on ideas from the social network analysis domain, we build a tool that can help classify malware families using features driven from the graph structure of their system calls. To achieve that, we first construct a system call graph that consists of system calls found in the execution of the individual malware families. To explore distinguishing features of various malware species, we study social network properties as applied to the call graph, including the degree distribution, degree centrality, average distance, clustering coefficient, network density, and component ratio. We utilize features driven from those properties to build a classifier for malware families. Our experimental results show that "influence-based" graph metrics such as the degree centrality are effective for classifying malware, whereas the general structural metrics of malware are less effective for classifying malware. Our experiments demonstrate that the proposed system performs well in detecting and classifying malware families within each malware class with accuracy greater than 96%.

AB - As the security landscape evolves over time, where thousands of species of malicious codes are seen every day, antivirus vendors strive to detect and classify malware families for efficient and effective responses against malware campaigns. To enrich this effort and by capitalizing on ideas from the social network analysis domain, we build a tool that can help classify malware families using features driven from the graph structure of their system calls. To achieve that, we first construct a system call graph that consists of system calls found in the execution of the individual malware families. To explore distinguishing features of various malware species, we study social network properties as applied to the call graph, including the degree distribution, degree centrality, average distance, clustering coefficient, network density, and component ratio. We utilize features driven from those properties to build a classifier for malware families. Our experimental results show that "influence-based" graph metrics such as the degree centrality are effective for classifying malware, whereas the general structural metrics of malware are less effective for classifying malware. Our experiments demonstrate that the proposed system performs well in detecting and classifying malware families within each malware class with accuracy greater than 96%.

UR - http://www.scopus.com/inward/record.url?scp=84944185088&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84944185088&partnerID=8YFLogxK

U2 - 10.1155/2015/769624

DO - 10.1155/2015/769624

M3 - Article

AN - SCOPUS:84944185088

VL - 2015

JO - Mathematical Problems in Engineering

JF - Mathematical Problems in Engineering

SN - 1024-123X

M1 - 769624

ER -