Signal Processing - March 2016 - 110

Authors
Lakshmanan Nataraj (lakshmanan_nataraj@ece.ucsb.edu) received his Ph.D.
degree in electrical and computer engineering from the University of California,
Santa Barbara. His research interests
include malware analysis, image forensics,
and data hiding. He is currently a member
of research staff at Mayachitra, Inc.
B.S. Manjunath (manj@ece.ucsb.
edu) is a professor in the Department of
Electrical and Computer Engineering,
University of California, Santa Barbara.
His research interests include bioimaging,
informatics, media forensics and security,
steganography, large-scale image and video sensor networks, and multimedia databases. He is a Fellow of the IEEE.

100
RP + NN
GIST + NN
GIST + SRC
RP + SRC

Accuracy

95
90

RP+NN
GIST+NN
GIST+SRC
RP+SRC

85
80

0

50

100

150

200

250 300 350
Dimensions
(a)

400

450

500

550

100

Accuracy

95
90

RP + NN
GIST + NN
GIST + SRC
RP + SRC

85
80

0

50

100

150

200

250 300 350
Dimensions
(b)

400

450

References

500

[1] (2015, Dec.). Sony hack: Obama vows response as
FBI blames North Korea. [Online]. Available: http://
www.bbc.com/news/world-us-canada-30555997

550

figuRE 7. Experimental results on (a) Malimg data set and (b) Malheur data set with features using
RPs and GIST, and classification algorithms using SRC and NN.

The accuracies for GIST for both classifiers are almost the same. In [15], we
extend this approach using a simple
thresholding scheme to reject potential
outliers in a data set.

Future directions
While we explored signal- and imagebased analysis of malware data, a natural complement is to treat the malware
as audio-like 1-D signals and leverage
automated audio descriptors. Another
possible approach is computing image
similarity descriptors and/or random
projections on all the sections and represent a malware as a bag of descriptors, which can then be used for better
characterization of malware. Using the
error model in the sparse representation-based malware classification
framework, we can determine the exact
positions in which the malware variant
differs from another variant. This
approach can also be used to find the
exact source from which a malware variant evolves. Patched malware that
attaches to benign software can be identified using this method.
110

Conclusions
In this article, we explored orthogonal
methods to analyze malware motivated
by signal and image processing. Malware
samples are represented as images or signals. Image- and signal-based features are
extracted to characterize malware. Our
extensive experiments demonstrate the
efficacy of our methods on malware classification and retrieval. We believe that
our techniques will open the scope of signal- and image-based methods to broader
fields in computer security.

Acknowledgments
We would like to thank Prof. Giovanni
Vigna and Prof. Christopher Kruegel of
UCSB Seclab for providing the malware data and for their valuable suggestions. We are thankful to our
colleagues who worked in this project:
Dr. Gregoire Jacob, Dr. Dhilung Kirat
and Dr. S. Karthikeyan. We would also
like to thank Dr. Sukarno Mertoguno of
the Office of Naval Research (ONR) for
fruitful discussions. This work is supported by grants ONR N00014-11-10111 and
ONR N00014-14-1-0027.
IEEE Signal Processing Magazine

|

March 2016

|

[2] G. Jacob, P. M. Comparetti, M. Neugschwandtner,
C. Kruegel, and G. Vigna, "A static, packer-agnostic
filter to detect similar malware samples," in Proc. 9th
Int. Conf. Detection of Intrusions and Malware, and
Vulnerability Assessment, July 2012, pp. 102-122.
[3] A. Oliva and A. Torralba, "Modeling the shape of
the scene: A holistic representation of the spatial envelope," Int. J. Comput. Vision, vol. 42, no. 3,
pp. 145-175, May 2001.
[4] A. Torralba, K. P. Murphy, W. T. Freeman, and
M. Rubin, "Context-based vision system for place
and object recognition," in Proc. 9th IEEE Int. Conf.
Computer Vision, Oct. 2003, vol. 1, pp. 273-280.
[5] M. Douze, H. Jgou, H. Sandhawalia, L. Amsaleg,
and M. Schmid, "Evaluation of GIST descriptors for
Web-scale Image Search," in Proc. ACM Int. Conf.
Image and Video Retrieval, July 2009, no. 19, pp. 1-8.
[6] L. Nataraj, S. Karthikeyan, G. Jacob, and B. S.
Manjunath, "Malware images: Visualization and automatic classification," in Proc. 8th Int. Symp. Visualization for
Cyber Security, July 2011, no. 4, pp. 1-7.
[7] Y. Zhou and X. Jiang, "Dissecting Android malware:
Characterization and evolution," in Proc. IEEE Symp.
Security and Privacy, May 2012, no. 15, pp. 95-109.
[8] (2015, Dec.). Malimg Dataset. [Online].
Available: http://old.vision.ece.ucsb.edu/spam/
malimg.shtml
[9] K. Rieck, P. Trinius, C. Willems, and T. Holz,
"Automatic analysis of malware behavior using
machine learning," J. Comput. Security, vol. 19, no.
4, pp. 639-668, Dec. 2011.
[10] (2015, Dec.). VirusShare. [Online]. Available:
http://www.virusshare.com
[11] L. Nataraj, V. Yegneswaran, P. Porras, and J.
Zhang, "A comparative assessment of malware classification using binary texture analysis and dynamic
analysis," in Proc. 4th ACM Workshop on Security
and Artificial Intelligence, Oct. 2011, pp. 21-30.
[12] D. Kirat, L. Nataraj, G. Vigna, and B. S.
Manjunath, "SigMal: A static signal processing based
malware triage," in Proc. 29th Annu. Computer
Security Applications Conf., Dec. 2013, pp. 89-98.

(continued on page 117)



http://http:// http://www.bbc.com/news/world-us-canada-30555997 http://old.vision.ece.ucsb.edu/spam/ http://www.virusshare.com

Table of Contents for the Digital Edition of Signal Processing - March 2016

Signal Processing - March 2016 - Cover1
Signal Processing - March 2016 - Cover2
Signal Processing - March 2016 - 1
Signal Processing - March 2016 - 2
Signal Processing - March 2016 - 3
Signal Processing - March 2016 - 4
Signal Processing - March 2016 - 5
Signal Processing - March 2016 - 6
Signal Processing - March 2016 - 7
Signal Processing - March 2016 - 8
Signal Processing - March 2016 - 9
Signal Processing - March 2016 - 10
Signal Processing - March 2016 - 11
Signal Processing - March 2016 - 12
Signal Processing - March 2016 - 13
Signal Processing - March 2016 - 14
Signal Processing - March 2016 - 15
Signal Processing - March 2016 - 16
Signal Processing - March 2016 - 17
Signal Processing - March 2016 - 18
Signal Processing - March 2016 - 19
Signal Processing - March 2016 - 20
Signal Processing - March 2016 - 21
Signal Processing - March 2016 - 22
Signal Processing - March 2016 - 23
Signal Processing - March 2016 - 24
Signal Processing - March 2016 - 25
Signal Processing - March 2016 - 26
Signal Processing - March 2016 - 27
Signal Processing - March 2016 - 28
Signal Processing - March 2016 - 29
Signal Processing - March 2016 - 30
Signal Processing - March 2016 - 31
Signal Processing - March 2016 - 32
Signal Processing - March 2016 - 33
Signal Processing - March 2016 - 34
Signal Processing - March 2016 - 35
Signal Processing - March 2016 - 36
Signal Processing - March 2016 - 37
Signal Processing - March 2016 - 38
Signal Processing - March 2016 - 39
Signal Processing - March 2016 - 40
Signal Processing - March 2016 - 41
Signal Processing - March 2016 - 42
Signal Processing - March 2016 - 43
Signal Processing - March 2016 - 44
Signal Processing - March 2016 - 45
Signal Processing - March 2016 - 46
Signal Processing - March 2016 - 47
Signal Processing - March 2016 - 48
Signal Processing - March 2016 - 49
Signal Processing - March 2016 - 50
Signal Processing - March 2016 - 51
Signal Processing - March 2016 - 52
Signal Processing - March 2016 - 53
Signal Processing - March 2016 - 54
Signal Processing - March 2016 - 55
Signal Processing - March 2016 - 56
Signal Processing - March 2016 - 57
Signal Processing - March 2016 - 58
Signal Processing - March 2016 - 59
Signal Processing - March 2016 - 60
Signal Processing - March 2016 - 61
Signal Processing - March 2016 - 62
Signal Processing - March 2016 - 63
Signal Processing - March 2016 - 64
Signal Processing - March 2016 - 65
Signal Processing - March 2016 - 66
Signal Processing - March 2016 - 67
Signal Processing - March 2016 - 68
Signal Processing - March 2016 - 69
Signal Processing - March 2016 - 70
Signal Processing - March 2016 - 71
Signal Processing - March 2016 - 72
Signal Processing - March 2016 - 73
Signal Processing - March 2016 - 74
Signal Processing - March 2016 - 75
Signal Processing - March 2016 - 76
Signal Processing - March 2016 - 77
Signal Processing - March 2016 - 78
Signal Processing - March 2016 - 79
Signal Processing - March 2016 - 80
Signal Processing - March 2016 - 81
Signal Processing - March 2016 - 82
Signal Processing - March 2016 - 83
Signal Processing - March 2016 - 84
Signal Processing - March 2016 - 85
Signal Processing - March 2016 - 86
Signal Processing - March 2016 - 87
Signal Processing - March 2016 - 88
Signal Processing - March 2016 - 89
Signal Processing - March 2016 - 90
Signal Processing - March 2016 - 91
Signal Processing - March 2016 - 92
Signal Processing - March 2016 - 93
Signal Processing - March 2016 - 94
Signal Processing - March 2016 - 95
Signal Processing - March 2016 - 96
Signal Processing - March 2016 - 97
Signal Processing - March 2016 - 98
Signal Processing - March 2016 - 99
Signal Processing - March 2016 - 100
Signal Processing - March 2016 - 101
Signal Processing - March 2016 - 102
Signal Processing - March 2016 - 103
Signal Processing - March 2016 - 104
Signal Processing - March 2016 - 105
Signal Processing - March 2016 - 106
Signal Processing - March 2016 - 107
Signal Processing - March 2016 - 108
Signal Processing - March 2016 - 109
Signal Processing - March 2016 - 110
Signal Processing - March 2016 - 111
Signal Processing - March 2016 - 112
Signal Processing - March 2016 - 113
Signal Processing - March 2016 - 114
Signal Processing - March 2016 - 115
Signal Processing - March 2016 - 116
Signal Processing - March 2016 - 117
Signal Processing - March 2016 - 118
Signal Processing - March 2016 - 119
Signal Processing - March 2016 - 120
Signal Processing - March 2016 - 121
Signal Processing - March 2016 - 122
Signal Processing - March 2016 - 123
Signal Processing - March 2016 - 124
Signal Processing - March 2016 - 125
Signal Processing - March 2016 - 126
Signal Processing - March 2016 - 127
Signal Processing - March 2016 - 128
Signal Processing - March 2016 - Cover3
Signal Processing - March 2016 - Cover4
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_201809
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_201807
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_201805
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_201803
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_201801
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_1117
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0917
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0717
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0517
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0317
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0117
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_1116
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0916
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0716
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0516
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0316
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0116
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_1115
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0915
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0715
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0515
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0315
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0115
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_1114
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0914
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0714
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0514
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0314
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0114
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_1113
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0913
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0713
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0513
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0313
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0113
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_1112
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0912
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0712
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0512
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0312
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0112
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_1111
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0911
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0711
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0511
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0311
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0111
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_1110
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0910
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0710
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0510
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0310
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0110
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_1109
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0909
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0709
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0509
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0309
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0109
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_1108
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0908
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0708
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0508
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0308
https://www.nxtbook.com/nxtbooks/ieee/signalprocessing_0108
https://www.nxtbookmedia.com