Pattern RecognitionNo Access

An Ensemble Cost-Sensitive One-Class Learning Framework for Malware Detection

Jia-Chen Liu

School of Computer Science and Technology, Xidian University, 2nd Taibai Road, Xi'an, Shaanxi, 710071, P. R. China

Search for more papers by this author

Jian-Feng Song

School of Computer Science and Technology, Xidian University, 2nd Taibai Road, Xi'an, Shaanxi, 710071, P. R. China

Search for more papers by this author

Qi-Guang Miao

School of Computer Science and Technology, Xidian University, 2nd Taibai Road, Xi'an, Shaanxi, 710071, P. R. China

Corresponding author.

Search for more papers by this author

Ying Cao

School of Computer Science and Technology, Xidian University, 2nd Taibai Road, Xi'an, Shaanxi, 710071, P. R. China

Search for more papers by this author

, and

Yi-Ning Quan

School of Computer Science and Technology, Xidian University, 2nd Taibai Road, Xi'an, Shaanxi, 710071, P. R. China

Search for more papers by this author

https://doi.org/10.1142/S0218001415500184Cited by:3 (Source: Crossref)

Abstract

Machine learning is among the most popular methods in designing unknown and variant malware detection algorithms. However, most of the existing methods take a single type of features to build binary classifiers. In practice, these methods have limited ability in depicting malware characteristics and the binary classification suffers from inadequate sampling of benign samples and extremely imbalanced training samples when detecting malware. In this paper, we present a malware detection Framework based on ENsemble One-Class Learning, namely FENOC. It uses hybrid features at different semantic layers to ensure a comprehensive insight of the program to be analyzed. We construct the malware detector by a novel learning algorithm called Cost-sensitive Twin One-class Classifier (CosTOC), which uses a pair of one-class classifiers to describe malware and benign programs respectively. CosTOC is more flexible and robust in comparison to conventional binary classifiers when training samples are extremely imbalanced or the benign programs are inadequately sampled. Finally, random subspace method and clustering-based ensemble method are developed to enhance the generalization ability of CosTOC. Experimental results show that FENOC gives a comparative detection rate and a lower false positive rate than many other binary classification algorithms, especially when the detector are trained with imbalanced data, or evaluated in terms of false positive rate.

Keywords:

References

B. Andersonet al., J. Comput. Virol. 7(4), 247 (2011). Crossref, Google Scholar
U. Bayer, E. Kirda and C. Kruegel, Improving the efficiency of dynamic malware analysis, Proc. 25th ACM Symp. Applied Computing (SAC '10) (ACM, NY, 2010) pp. 1871–1878. Google Scholar
U. Bayeret al., J. Comput. Virol. 2(1), 67 (2006). Crossref, Google Scholar
Y. Caoet al., J. Comput. Virology Hacking Tech. 9(4), 193 (2013). Crossref, Google Scholar
Y. Cao et al. , Math. Prob. Eng. 2013 , 1 ( 2013 ) . Google Scholar
M. Eskandari and S. Hashemi, Int. J. Comput. Sci. Netw. Secur. 11(12), 1 (2011). Web of Science, Google Scholar
M. Hallet al., ACM SIGKDD Explor. Newslett. 11(1), 10 (2009). Crossref, Google Scholar
H. He and E. A. Garcia, IEEE Trans. Knowl. Data Eng. 21(9), 1263 (2009). Crossref, Web of Science, Google Scholar
R. Khemchandani and S. Chandra, IEEE Trans. Pattern Anal. Mach. Intell. 29(5), 905 (2007). Crossref, Web of Science, Google Scholar
J. Z. Kolter and M. A. Maloof , J. Mach. Learn. Res. 7 , 2721 ( 2006 ) . Web of Science, Google Scholar
A. Lakhotiaet al., J. Comput. Virol. Hacking Tech. 9(3), 109 (2013). Crossref, Google Scholar
M. Masud , L. Khan and B. M. Thuraisingham , Data Mining Tools for Malware Detection ( CRC Press , 2012 ) . Google Scholar
N. Nissimet al., Pattern Anal. Appl. 15(4), 459 (2012). Crossref, Web of Science, Google Scholar
R. Perdisci, A. Lanzi and W. Lee, Pattern Recogn. Lett. 29(14), 1941 (2008). Crossref, Web of Science, Google Scholar
C. Ravi and R. Manoharan, Int. J. Comput. Appl. 43(17), 12 (2012). Google Scholar
K. Riecket al., J. Comput. Secur. 19(4), 639 (2011). Crossref, Google Scholar
I. Santoset al., Inf. Sci. 231(10), 64 (2011). Crossref, Web of Science, Google Scholar
B. Schölkopfet al., Neural Comput. 13(7), 1443 (2001). Crossref, Web of Science, Google Scholar
A. Shabtaiet al., Secur. Inf. 1(1), 1 (2012). Crossref, Google Scholar
G. Tahan, L. Rokach and Y. Shahar, J. Mach. Learn. Res. 13(1), 949 (2012). Web of Science, Google Scholar
D. M. J. Tax and R. P. W. Duin, Mach. Learn. 54(1), 45 (2004). Crossref, Web of Science, Google Scholar
C. Vatamanu, C. T. D. C. S. Gavrilu and R. U. A. Z. Benchea, J. Comput. Virology Hacking Tech. 9(4), 205 (2013). Crossref, Google Scholar
D. Wang, D. S. Yeung and E. C. C. Tsang, IEEE Trans. Syst. Man Cybern. B Cybern. 36(6), 1283 (2006). Crossref, Web of Science, Google Scholar
P. Wood et al. , Symantec Internet Security Threat Report 17 ( Symantec Corporation , 2012 ) . Google Scholar
S. Yuet al., J. Netw. 6(4), 638 (2011). Google Scholar
D. Yuxinet al., Comput. Secur. 30(6), 514 (2011). Crossref, Web of Science, Google Scholar
Z. Zhou , Ensemble Methods: Foundations and Algorithms ( Chapman & Hall , 2012 ) . Crossref, Google Scholar