Detecting Scareware by Mining Variable Length Instruction Sequences
| Document type: | Conference Papers |
|---|---|
| Peer reviewed: | Yes |
| Full text: | |
| Author(s): | Raja Khurram Shahzad, Niklas Lavesson |
| Title: | Detecting Scareware by Mining Variable Length Instruction Sequences |
| Conference name: | Information Security for South Africa |
| Year: | 2011 |
| ISBN: | 978-1-4577-1482-5 |
| Publisher: | IEEE Press |
| City: | Johannesburg |
| Organization: | Blekinge Institute of Technology |
| Department: | School of Computing (Sektionen för datavetenskap och kommunikation) School of Computing S-371 79 Karlskrona +46 455 38 50 00 http://www.bth.se/com |
| Authors e-mail: | rks@bth.se, Niklas.Lavesson@bth.se |
| Language: | English |
| Abstract: | Scareware is a recent type of malicious software that may pose financial and privacy-related threats to novice users. Traditional countermeasures, such as anti-virus software, require regular updates and often lack the capability of detecting novel (unseen) instances. This paper presents a scareware detection method that is based on the application of machine learning algorithms to learn patterns in extracted variable length opcode sequences derived from instruction sequences of binary files. The patterns are then used to classify software as legitimate or scareware but they may also reveal interpretable behavior that is unique to either type of software. We have obtained a large number of real world scareware applications and designed a data set with 550 scareware instances and 250 benign instances. The experimental results show that several common data mining algorithms are able to generate accurate models from the data set. The Random Forest algorithm is shown to outperform the other algorithms in the experiment. Essentially, our study shows that, even though the differences between scareware and legitimate software are subtler than between, say, viruses and legitimate software, the same type of machine learning approach can be used in both of these dissimilar cases. |
| Subject: | Computer Science\Artificial Intelligence Computer Science\Electronic security Computer Science\General |
| Keywords: | Scareware, Instruction Sequences, Classification |
