TY - JOUR
T1 - A Hybrid Wrapper-Filter Approach for Malware Detection
AU - Alazab, Mamoun
AU - Huda, Shamsul
AU - Abawajy, Jemal
AU - Islam, Rafiqul
AU - Yearwood, John
AU - Venkatraman, S
AU - Broadhurst, Roderic
PY - 2014
Y1 - 2014
N2 - This paper presents an efficient and novel approach for malware detection. The proposed approach uses a hybrid wrapper-filter model for malware feature selection, which combines Maximum Relevance (MR) filter heuristics and Artificial Neural Net Input Gain Measurement Approximation (ANNIGMA) wrapper heuristic for sub-set selection by capitalizing on each classifier’s strengths. The novelty of the proposed approach is that it injects the intrinsic characteristics of data obtained by the filter into the wrapper stage and combines this with wrapper’s heuristic score. This in turn can reduce the search space and guide the search for the most significant malware features that assist in detection. Extensive cross-validated experimental investigations on actual malware datasets were conducted to evaluate the performance of the proposed model. The model was compared with several existing models including independent wrapper and filter approaches. The results of the model’s performance on both obfuscated malware as well as benign datasets showed that the proposed hybrid MRANNIGMA model out-performed the independent filter and wrapper approaches by achieving the highest accuracy of 97%. Furthermore, this hybrid model improved execution time by using a more compact set of operation code features, and also reduced the rate of false positives. Index Terms—Malware, opcodes, feature selection, wrapper-filter, neural network, multi-layer perceptron networks
AB - This paper presents an efficient and novel approach for malware detection. The proposed approach uses a hybrid wrapper-filter model for malware feature selection, which combines Maximum Relevance (MR) filter heuristics and Artificial Neural Net Input Gain Measurement Approximation (ANNIGMA) wrapper heuristic for sub-set selection by capitalizing on each classifier’s strengths. The novelty of the proposed approach is that it injects the intrinsic characteristics of data obtained by the filter into the wrapper stage and combines this with wrapper’s heuristic score. This in turn can reduce the search space and guide the search for the most significant malware features that assist in detection. Extensive cross-validated experimental investigations on actual malware datasets were conducted to evaluate the performance of the proposed model. The model was compared with several existing models including independent wrapper and filter approaches. The results of the model’s performance on both obfuscated malware as well as benign datasets showed that the proposed hybrid MRANNIGMA model out-performed the independent filter and wrapper approaches by achieving the highest accuracy of 97%. Furthermore, this hybrid model improved execution time by using a more compact set of operation code features, and also reduced the rate of false positives. Index Terms—Malware, opcodes, feature selection, wrapper-filter, neural network, multi-layer perceptron networks
U2 - 10.4304/jnw.9.11.2878-2891
DO - 10.4304/jnw.9.11.2878-2891
M3 - Article
VL - 9
SP - 2878
EP - 2891
JO - Journal of Networks
JF - Journal of Networks
IS - 11
ER -