article

ELF-Miner: using structural knowledge and data mining methods to detect new (Linux) malicious executables

Authors:

Farrukh Shahzad,

Muddassar FarooqAuthors Info & Claims

Knowledge and Information Systems, Volume 30, Issue 3

Pages 589 - 612

Published: 01 March 2012 Publication History

Abstract

Linux malware can pose a significant threat—its (Linux) penetration is exponentially increasing—because little is known or understood about Linux OS vulnerabilities. We believe that now is the right time to devise non-signature based zero-day (previously unknown) malware detection strategies before Linux intruders take us by surprise. Therefore, in this paper, we first do a forensic analysis of Linux executable and linkable format (ELF) files. Our forensic analysis provides insight into different features that have the potential to discriminate malicious executables from benign ones. As a result, we can select a features’ set of 383 features that are extracted from an ELF headers. We quantify the classification potential of features using information gain and then remove redundant features by employing preprocessing filters. Finally, we do an extensive evaluation among classical rule-based machine learning classifiers—RIPPER, PART, C4.5 Rules, and decision tree J48—and bio-inspired classifiers—cAnt Miner, UCS, XCS, and GAssist—to select the best classifier for our system. We have evaluated our approach on an available collection of 709 Linux malware samples from vx heavens and offensive computing. Our experiments show that ELF-Miner provides more than 99% detection accuracy with less than 0.1% false alarm rate.

Cited By

View all

Alrabaee SDebbabi MWang L(2022)A Survey of Binary Code Fingerprinting Approaches: Taxonomy, Methodologies, and FeaturesACM Computing Surveys10.1145/348686055:1(1-41)Online publication date: 17-Jan-2022
https://dl.acm.org/doi/10.1145/3486860
Narouei MAhmadi MGiacinto GTakabi HSami A(2015)DLLMinerSecurity and Communication Networks10.1002/sec.12558:18(3311-3322)Online publication date: 1-Dec-2015
https://dl.acm.org/doi/10.1002/sec.1255
Komashinskiy DKotenko I(2012)Using low-level dynamic attributes for malware detection based on data mining methodsProceedings of the 6th international conference on Mathematical Methods, Models and Architectures for Computer Network Security: computer network security10.1007/978-3-642-33704-8_22(254-269)Online publication date: 17-Oct-2012
https://dl.acm.org/doi/10.1007/978-3-642-33704-8_22

Index Terms

ELF-Miner: using structural knowledge and data mining methods to detect new (Linux) malicious executables
1. Computing methodologies
  1. Machine learning
    1. Learning paradigms
      1. Supervised learning
        Supervised learning by classification

Index terms have been assigned to the content through auto-classification.

Recommendations

ELF-Miner: using structural knowledge and data mining methods to detect new (Linux) malicious executables

Linux malware can pose a significant threat--its (Linux) penetration is exponentially increasing--because little is known or understood about Linux OS vulnerabilities. We believe that now is the right time to devise non-signature based zero-day (...
Opcode sequences as representation of executables for data-mining-based unknown malware detection

Malware can be defined as any type of malicious code that has the potential to harm a computer or network. The volume of malware is growing faster every year and poses a serious global security threat. Consequently, malware detection has become a ...
Data Mining Methods for Detection of New Malicious Executables
SP '01: Proceedings of the 2001 IEEE Symposium on Security and Privacy

Abstract: A serious security threat today is malicious executables, especially new, unseen malicious executables often arriving as email attachments. These new malicious executables are created at the rate of thousands every year and pose a serious ...

Comments

Information & Contributors

Information

Published In

Knowledge and Information Systems Volume 30, Issue 3

March 2012

50 pages

ISSN:0219-1377

Issue’s Table of Contents

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 01 March 2012

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 23 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Alrabaee SDebbabi MWang L(2022)A Survey of Binary Code Fingerprinting Approaches: Taxonomy, Methodologies, and FeaturesACM Computing Surveys10.1145/348686055:1(1-41)Online publication date: 17-Jan-2022
https://dl.acm.org/doi/10.1145/3486860
Narouei MAhmadi MGiacinto GTakabi HSami A(2015)DLLMinerSecurity and Communication Networks10.1002/sec.12558:18(3311-3322)Online publication date: 1-Dec-2015
https://dl.acm.org/doi/10.1002/sec.1255
Komashinskiy DKotenko I(2012)Using low-level dynamic attributes for malware detection based on data mining methodsProceedings of the 6th international conference on Mathematical Methods, Models and Architectures for Computer Network Security: computer network security10.1007/978-3-642-33704-8_22(254-269)Online publication date: 17-Oct-2012
https://dl.acm.org/doi/10.1007/978-3-642-33704-8_22

View Options

View options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Abstract

Cited By

Index Terms

Recommendations