Aboaoja Faitouri A, Zainal Anazida, Ghaleb Fuad A, Alghamdi Norah Saleh, Saeed Faisal, Alhuwayji Husayn
Faculty of Computing, Universiti Teknologi Malaysia, Johor Baru, Johor, Malaysia.
Faculty of Education-Elgobbah, University of Derna, Libya, Elgobbah, Barka, Libya.
PeerJ Comput Sci. 2023 Sep 22;9:e1492. doi: 10.7717/peerj-cs.1492. eCollection 2023.
Malware, malicious software, is the major security concern of the digital realm. Conventional cyber-security solutions are challenged by sophisticated malicious behaviors. Currently, an overlap between malicious and legitimate behaviors causes more difficulties in characterizing those behaviors as malicious or legitimate activities. For instance, evasive malware often mimics legitimate behaviors, and evasion techniques are utilized by legitimate and malicious software.
Most of the existing solutions use the traditional term of frequency-inverse document frequency (TF-IDF) technique or its concept to represent malware behaviors. However, the traditional TF-IDF and the developed techniques represent the features, especially the shared ones, inaccurately because those techniques calculate a weight for each feature without considering its distribution in each class; instead, the generated weight is generated based on the distribution of the feature among all the documents. Such presumption can reduce the meaning of those features, and when those features are used to classify malware, they lead to a high false alarms.
This study proposes a Kullback-Liebler Divergence-based Term Frequency-Probability Class Distribution (KLD-based TF-PCD) algorithm to represent the extracted features based on the differences between the probability distributions of the terms in malware and benign classes. Unlike the existing solution, the proposed algorithm increases the weights of the important features by using the Kullback-Liebler Divergence tool to measure the differences between their probability distributions in malware and benign classes.
The experimental results show that the proposed KLD-based TF-PCD algorithm achieved an accuracy of 0.972, the false positive rate of 0.037, and the F-measure of 0.978. Such results were significant compared to the related work studies. Thus, the proposed KLD-based TF-PCD algorithm contributes to improving the security of cyberspace.
New meaningful characteristics have been added by the proposed algorithm to promote the learned knowledge of the classifiers, and thus increase their ability to classify malicious behaviors accurately.
恶意软件是数字领域主要的安全隐患。传统的网络安全解决方案受到复杂恶意行为的挑战。当前,恶意行为与合法行为之间的重叠使得将这些行为界定为恶意或合法活动变得更加困难。例如,逃避检测的恶意软件常常模仿合法行为,并且合法软件和恶意软件都会使用逃避技术。
现有的大多数解决方案使用传统的词频逆文档频率(TF-IDF)技术或其概念来表示恶意软件行为。然而,传统的TF-IDF及其改进技术无法准确表示特征,尤其是共享特征,因为这些技术在计算每个特征的权重时没有考虑其在每个类别中的分布;相反,生成的权重是基于该特征在所有文档中的分布生成的。这种假设会降低这些特征的意义,并且当这些特征用于对恶意软件进行分类时,会导致高误报率。
本研究提出了一种基于库尔贝克-莱布勒散度的词频-概率类分布(基于KLD的TF-PCD)算法,用于根据恶意软件和良性类别中词项概率分布的差异来表示提取的特征。与现有解决方案不同,该算法通过使用库尔贝克-莱布勒散度工具来测量恶意软件和良性类别中其概率分布的差异,从而增加重要特征的权重。
实验结果表明,所提出的基于KLD的TF-PCD算法的准确率为0.972,误报率为0.037,F值为0.978。与相关工作研究相比,这些结果非常显著。因此,所提出的基于KLD的TF-PCD算法有助于提高网络空间的安全性。
所提出的算法添加了新的有意义的特征,以促进分类器所学知识的提升,从而提高其准确分类恶意行为的能力。
