Title: A Zero-Day Structural Knowledge-based Intelligent Malware Detection Framework

-------------------------------------------------------------------------------------------
(1) the complete title of one (or more) paper(s) published in the open literature describing the work that the author claims describes a human-competitive result,

1. ELF-Miner: using structural knowledge and data mining methods to detect new (Linux) malicious executables

-------------------------------------------------------------------------------------------
(2) the name, complete physical mailing address, e-mail address, and phone number of EACH author of EACH paper,

Name: Farrukh Shahzad
Physical address: Next Generation Intelligent Networks Research Center, National University of Computer & Emerging Sciences, A.K. Brohi Road, Sector H-11/4, Islamabad, Pakistan
Email: muhammad.shahzad@nexginrc.org
Tel: +92 51 111 128 128 (Ext. 190)

Name: Muddassar Farooq
Physical address: Next Generation Intelligent Networks Research Center, National University of Computer & Emerging Sciences, A.K. Brohi Road, Sector H-11/4, Islamabad, Pakistan
Email: muddassar.farooq@nexginrc.org
Tel: +92 51 111 128 128 (Ext. 206)

-------------------------------------------------------------------------------------------
(3) the name of the corresponding author (i.e., the author to whom notices will be sent concerning the competition),

Farrukh Shahzad (farrukh.shahzad@nexginrc.org)

-------------------------------------------------------------------------------------------
(4) the abstract of the paper(s),

Title: ELF-Miner: using structural knowledge and data mining methods to detect new (Linux) malicious executables

Linux malware can pose a significant threat -- its penetration of Linux is increasing exponentially -- because little is known or understood about Linux OS vulnerabilities.
We believe that now is the right time to devise non-signature-based zero-day (previously unknown) malware detection strategies before Linux intruders take us by surprise. Therefore, in this paper, we first do a forensic analysis of Linux Executable and Linkable Format (ELF) files. Our forensic analysis provides insight into the features that have the potential to discriminate malicious executables from benign ones. As a result, we select a feature set of 383 features extracted from ELF headers. We quantify the classification potential of the features using information gain and then remove redundant features by employing preprocessing filters. Finally, we evaluate a number of evolutionary learning classifiers -- cAnt-Miner, UCS, XCS, and GAssist -- to select the best classifier for our system. (In the study, we also use machine learning classifiers.) We have evaluated our approach on an available collection of 709 Linux malware samples from VX Heavens and Offensive Computing. Our experiments show that ELF-Miner provides more than 99% detection accuracy with less than 0.1% false alarm rate.

-------------------------------------------------------------------------------------------
(5) a list containing one or more of the eight letters (A, B, C, D, E, F, G, or H) that correspond to the criteria (see above) that the author claims that the work satisfies,

B, F, G

-------------------------------------------------------------------------------------------
(6) a statement stating why the result satisfies the criteria that the contestant claims (see the examples below as a guide to aid in constructing this part of the submission),

Security researchers and malware industry experts are trying to develop non-signature-based intelligent detection systems with the ability to detect previously unseen malware (zero-day malware).
The motivation comes from the fact that the number of new threats is increasing exponentially, and hence existing signature-based techniques -- which demand forensic analysis by malware experts after the threats are launched -- are unable to scale. Since the beginning of the 1990s, research has focused on detecting zero-day malware; however, well-known systems have three shortcomings that hinder their integration into anti-virus products: (1) a high false alarm rate, (2) large scanning time (in the order of minutes), and (3) low reliability due to easy evasion (see the references in the ELF-Miner paper). The novel contribution of our ELF-Miner solution is that it uses the information in the header of an executable (instead of its payload) to train classifiers (evolutionary and machine learning) to detect zero-day malware. In related work on PE-Miner [1], which mines information in the header of Windows executables, we have successfully demonstrated that the approach is generic and can be customized to any executable format. The results on more than 1 million Windows and 700 Linux malicious executables, respectively, show that the proposed system achieves more than 99% detection accuracy with less than 0.1% false alarm rate. Moreover, its scanning time per file is less than 250 milliseconds (compared with 130 milliseconds for antivirus solutions). Moreover, the scheme is robust to any evasion attempts by crafty malware experts -- attempting to forge the header information -- once the technique is published. We have developed functional prototypes of the PE-Miner and ELF-Miner systems and are planning their beta release. These contributions substantiate our claim that the work satisfies criteria B, F, and G.
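The two mechanisms the abstract and statement (6) rely on are header-only feature extraction and information-gain ranking of those features. The following Python is an added illustration written for this page; it is not ELF-Miner's code, does not reproduce its 383-feature set, and the labelled "benign" and "malicious" headers are constructed in-line (with deliberately stripped or inconsistent section tables standing in for structural oddities) rather than drawn from any corpus. The ELF64 header layout and constants (magic, EI_CLASS, e_machine 62 for x86-64, 56-byte program-header entries) are from the ELF specification; the feature names and the sample set are assumptions.

```python
"""Added example: header-only structural feature extraction for ELF64 files and an
information-gain ranking of the extracted features.  Illustrative code written for
this page, not the ELF-Miner implementation; the sample headers are constructed."""
import math
import struct
from collections import Counter

# ELF64 header layout (ELF specification): e_ident[16] followed by e_type,
# e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize,
# e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx.
ELF64_HDR = "<16sHHIQQQIHHHHHH"
ELF64_HDR_SIZE = struct.calcsize(ELF64_HDR)  # 64 bytes


def extract_features(blob: bytes) -> dict:
    """Return structural features read only from the ELF header, never the payload.

    Malformed or non-ELF64 input raises ValueError instead of producing features.
    """
    if len(blob) < ELF64_HDR_SIZE:
        raise ValueError("input shorter than an ELF64 header")
    fields = struct.unpack(ELF64_HDR, blob[:ELF64_HDR_SIZE])
    ident = fields[0]
    if ident[:4] != b"\x7fELF":
        raise ValueError("missing ELF magic")
    if ident[4] != 2:  # EI_CLASS: 2 == ELFCLASS64
        raise ValueError("only ELFCLASS64 is handled in this example")
    (e_type, e_machine, _e_version, e_entry, _e_phoff, e_shoff, _e_flags,
     e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = fields[1:]
    return {
        "ei_data": ident[5],        # 1 little-endian, 2 big-endian
        "ei_osabi": ident[7],
        "e_type": e_type,           # 2 ET_EXEC, 3 ET_DYN, ...
        "e_machine": e_machine,     # 62 == EM_X86_64
        "e_entry": e_entry,
        "e_phnum": e_phnum,
        "e_shnum": e_shnum,
        "e_shstrndx": e_shstrndx,
        # Derived consistency features (assumed names): a well-formed file carries
        # the standard entry sizes and a string-table index inside the section range.
        "ehsize_ok": int(e_ehsize == ELF64_HDR_SIZE),
        "phentsize_ok": int(e_phentsize == 56),
        "shentsize_ok": int(e_shentsize == 64),
        "has_sections": int(e_shnum > 0 and e_shoff >= ELF64_HDR_SIZE),
        "shstrndx_in_range": int(e_shstrndx < e_shnum),
        "entry_nonzero": int(e_entry != 0),
    }


def build_header(e_type=2, e_machine=62, e_entry=0x401000, e_phnum=2, e_shnum=8,
                 e_shentsize=64, e_shoff=0x2000, e_shstrndx=7) -> bytes:
    """Construct a minimal little-endian ELF64 header (sample input, constructed)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    return struct.pack(ELF64_HDR, ident, e_type, e_machine, 1, e_entry,
                       ELF64_HDR_SIZE, e_shoff, 0, ELF64_HDR_SIZE, 56, e_phnum,
                       e_shentsize, e_shnum, e_shstrndx)


def entropy(labels) -> float:
    """Shannon entropy (bits) of a label list."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def information_gain(samples, feature) -> float:
    """IG(label; feature) = H(label) - sum_v P(feature == v) * H(label | feature == v)."""
    labels = [lab for _, lab in samples]
    by_value = {}
    for feats, lab in samples:
        by_value.setdefault(feats[feature], []).append(lab)
    cond = sum(len(v) / len(samples) * entropy(v) for v in by_value.values())
    return entropy(labels) - cond


def rank_features(samples):
    """Features sorted by descending information gain (ties broken by name)."""
    names = samples[0][0].keys()
    return sorted(((f, round(information_gain(samples, f), 4)) for f in names),
                  key=lambda p: (-p[1], p[0]))


# Constructed, labelled sample set: label 1 = malicious, 0 = benign.  The "malicious"
# headers have no section table or an inconsistent one; real corpora are required
# for any real ranking.
SAMPLES = [
    (extract_features(build_header()), 0),
    (extract_features(build_header(e_type=3, e_entry=0x1040, e_shnum=26, e_shstrndx=25)), 0),
    (extract_features(build_header(e_phnum=9, e_shnum=30, e_shstrndx=29)), 0),
    (extract_features(build_header(e_shnum=0, e_shoff=0, e_shstrndx=0)), 1),
    (extract_features(build_header(e_shnum=0, e_shoff=0, e_shstrndx=0, e_shentsize=0)), 1),
    (extract_features(build_header(e_shnum=3, e_shentsize=40, e_shstrndx=5)), 1),
]

if __name__ == "__main__":
    for name, gain in rank_features(SAMPLES):
        print(f"{name:20s} {gain}")
```

Two things the toy ranking makes visible: raw-valued fields such as e_shnum score a full bit of information gain simply because every benign file carries a distinct value, which is the well-known high-cardinality bias of information gain and is why such features are normally discretized or filtered before ranking; and constant fields (e_machine, ei_data) score zero and can be dropped, which is the role the abstract assigns to preprocessing filters.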
-------------------------------------------------------------------------------------------
(7) a full citation of the paper (that is, author names; publication date; name of journal, conference, technical report, thesis, book, or book chapter; name of editors, if applicable, of the journal or edited book; publisher name; publisher city; page numbers, if applicable);

Farrukh Shahzad, Muddassar Farooq. ELF-Miner: Using structural knowledge and data mining methods to detect new (Linux) malicious executables. Springer's Journal of Knowledge and Information Systems, DOI: 10.1007/s10115-011-0393-5 (available online at http://www.springerlink.com/content/g5935153567g0mj3/).

-------------------------------------------------------------------------------------------
(8) a statement either that "any prize money, if any, is to be divided equally among the co-authors" OR a specific percentage breakdown as to how the prize money, if any, is to be divided among the co-authors.

Any prize money, if any, will be divided equally among the co-authors.

-------------------------------------------------------------------------------------------
(9) a statement stating why the judges should consider the entry as "best" in comparison to other entries that may also be "human-competitive."

Real-time zero-day malware detection is a decades-old unsolved research problem because the proposed techniques suffer from three shortcomings (as mentioned before): high false alarm rate, large scanning time, and low robustness and reliability against evasion attempts. The proposed solutions -- PE-Miner and ELF-Miner -- are real-time deployable systems with high detection accuracy and low false alarm rate. Moreover, their features are robust against evasion attempts by crafty attackers.
As a result, our developed systems can be utilized by the malware industry in three ways: (1) as a front-end gatekeeper service to filter unseen malware that classical anti-virus solutions are unable to detect, (2) due to their very small processing overhead, the solutions are ideally suited for resource-constrained mobile devices (Nokia N890), and (3) the solutions can be easily embedded in the kernel of an operating system to detect a malicious executable before its execution starts. The project has attracted the attention of the National ICT R&D Fund of the Ministry of IT, Government of Pakistan, which provided generous funding of US$250,000 for the project (http://www.ictrdf.org.pk/fp-isk.htm, http://isk.nexginrc.org). Moreover, a research paper based on this work has been accepted by Springer's Journal of Knowledge and Information Systems (Impact Factor = 2.2). This shows that the approach is considered novel by researchers working on the application of data mining to security.

References
----------
[1] M. Zubair Shafiq, S. Momina Tabish, Fauzan Mirza and Muddassar Farooq. PE-Miner: Mining Structural Information to Detect Malicious Executables in Realtime. In Lecture Notes in Computer Science, 2009, Volume 5758/2009, 121-141, DOI: 10.1007/978-3-642-04342-0_7