DocumentCode
175421
Title
Application of a Linear Time Method for Change Point Detection to the Classification of Software
Author
Bolton, Alexander ; Heard, Nick
Author_Institution
Dept. of Math., Imperial Coll. London, London, UK
fYear
2014
fDate
24-26 Sept. 2014
Firstpage
292
Lastpage
295
Abstract
A computer program's dynamic instruction trace is the sequence of instructions it generates during run-time. This article presents a method for analysing dynamic instruction traces, with an application in malware detection. Instruction traces can be modelled as piecewise homogeneous Markov chains and an exact linear time method is used for detecting change points in the transition probability matrix. The change points divide the instruction trace into segments performing different functions. If segments performing malicious functions can be detected then the software can be classified as malicious. The change point detection method is applied to both a simulated dynamic instruction trace and the dynamic instruction trace generated by a piece of malware.
Keywords
Markov processes; invasive software; matrix algebra; probability; change point detection method; computer program dynamic instruction trace analysis; exact linear time method; instruction sequence; instruction trace modelling; malicious functions; malware detection; piecewise homogeneous Markov chains; simulated dynamic instruction trace; software classification; transition probability matrix; Computational modeling; Computers; Educational institutions; Heuristic algorithms; Malware; Markov processes; Software; PELT algorithm; change point analysis; malware; piecewise homogeneous Markov chain;
fLanguage
English
Publisher
ieee
Conference_Titel
Intelligence and Security Informatics Conference (JISIC), 2014 IEEE Joint
Conference_Location
The Hague
Print_ISBN
978-1-4799-6363-8
Type
conf
DOI
10.1109/JISIC.2014.58
Filename
6975595