JOURNAL OF COMPUTING, VOLUME 2, ISSUE 12, DECEMBER 2010, ISSN 2151-9617

HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 15

Malware detection using OWA measure

M. Eskandari, B. Hosseini, S. Hashemi and A. Salajegheh

Abstract—Threats from malwares are growing everyday hence new methods with higher performance and lower overloads for
processing time and memory complexity making it possible to discover malicious activities in a faster and reliable manner based
on static feature analysis instead of execution of frustrating dynamic analysis.the problem here is making a decision wether
any operations are malicious or not hence, here we introduce a new method using OWA operator to make the process of
decision making much realistic with maximum dispersion that is impressed by all factors of decision with least false positive and
better detection rate in compare with previous mere analysis. OWA while showing maximum entropy over all possibility of
occurance on the other hand scales down the dimension of decision and has efficient fusion of multiple features into one that
reduces partial relations and magnifies the hidden but significant relations also causes pretty reduction in false detections while
maintaing acceptable in true detections. The succeeding empirical results prove this claim.

Index Terms—Classification, Data mining, Detection, Malicious, Malware, Ordered weighting aggregation, OWA.

——————————  ——————————

1 INTRODUCTION

T he term computer virus was first used in a science

fiction novel by David Gerrold in 1972 [1]. Computer
virus detection has evolved into malicious program
detection since Cohen first formalized the term computer
virus in 1983 [2]. Malicious programs can be classified
into viruses, worms, trojans, spywares, adwares and a
variety of other classes and subclasses that sometimes
overlap and blur the boundaries among these classes [3].
Both traditional signature based detection and genera-
lized approaches can be used to identify these malicious
programs. To avoid detection by the traditional signature-
based algorithms, a number of stealth techniques have
been developed by the malicious code writers. The inabil-
ity of traditional signature based detection approaches to
catch these new breed of malicious programs has shifted
the focus of virus research to find more generalized and
scalable features that can identify malicious behavior as a
process instead of a single signature action.
In detection approaches based on data mining me-
thods different variations of features are utilized. These
fetures are gained through static and dynamic anlaysis.
Dynamic analysis executes the program and monitors its
behaviour, then extracts the program behaviour attributes
as data mining feature. While in static analysis, features
are extracted without actually executing the program, in
the other words static analysis works on program source
code or binary code directly. Dynamic analysis needs
more computation power, putting the host system under
risk of any suspective code executions for detection also
imposes overloads of cocuurent execution with any pro-
gram as dynamic monitoring but makes more flexible
deciosion through execution on the other hand static me-
thods don’t need such resources however they are fixed
————————————————
 M. Eskandari, Islamic Azad university south Tehran branch, and also APA
Malware Research and Education Center at Shiraz University
 B. Hosseini, APA Malware Research and Education Center at Shiraz
University
 S. Hashemi, Department of Computer and IT of Shiraz University and also gram under investigation in the form of control flow
APA Malware Research and Education Center at Shiraz University
 A. Salajegheh, Islamic Azad university south Tehran branch
decision makers needing to be as precise as possible.
In this paper, we focus on static analysis method, as-
sembly instructions and API calls are used as fetures like
previous works, but with innovation on the importance
weight factor in feature selection phase. We modify a new
feature selection measure that detects malwares more accu-
rate and has faster detection process, comparing with re-
vealed methods.
The instruction of this paper is as follow, in Section 2
describes related works in malware detection based on
data mining approaches. Section 3 discusses the proposed
method, an overview of our malware detection approach,
feature extraction, feature selection use OWA measure and
classification algorithms used in experiments. The system
evaluation is presented in Section 4 whose results are in-
terpreted and commented in same section. Section 5 con-
cludes our achievements, future works and summarizes
the results.
2 RELATED WORK
Bergeron et al. used a static misuse detection scheme
where they used program slicing to extract program re-
gions that are critcal from a security point of view. Prior
to this, the programs were disassembled and converted to
an intermediate representation. Once the program slices
are obtained, their behavior was checked against a pre-
defined security policy to detect the presence of mali-
ciousness [4].
Bergeron et al. in other work extracted an API call
graph instead of the program slices to test against the
security policy. The programs were disassembled first
and then a control graph is created from the disassembly.
Next step was to extract the API call graph from the con-
trol graph [5].
Lo et al. proposed the idea of tell-tale signs which were
heuristic signatures of malicious program behaviors.
They created an intermediate representation of the pro-
graph. The CFG was verified against the tell-tale signs to
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 12, DECEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG
detect any malicious activity. The approach was imple-
mented in their system called Malicious Code Filter
(MCF) [6].
Sung et al. implemented signatures in the form of API
calls in a technique called Static Analysis for Vicious Ex-
ecutables (SAVE). The API calls from any program under
investigation were compared against the signature calls
using Euclidean distance [7].
3 THE PROPOSED APPROACH
In the first step we extract the features and normalize
them. After that, we apply the OWA operator on feature
vector weights to select the best feature distribution
which has the maximum entropy over all constratints.
And in the final phase, we use a classification algorithm
to make decision whether an input file is malicious or not.
3.1 Extracting features
Fetures used in this study are divided into two main
classes, first the assembly instructions and the second
class is API calls. In order to extract both of these types, at
the first step we disassembled input file, with one of
COTS disassemblers. In the next phase called normaliza-
tion phase, unnecessary instructions are removed, all
conditional jumps are replaced with one jump instruction,
procedure call and “return” instructions are converted to
equivalent jumps, and stack elimination is performed in
order to remove push, pop, pushf, popf, etc. Afterward
the normalized file is scaned, instructions and their repe-
tition rate are saved to an instruction repository. This re-
petition rate is range by the devision of number of each
specific instruction over amount of all instruction.
To extract the called APIs, first find the API call in-
struction and get its parameters, then add the called API
name into an API repository.
To create a feature vector dataset, the API repository
and instruction repository are combined.
3.2 OWA Defintion
The Oredered Weighted Averaging is an aggregation op-
erator originally founded by Yager [8] to provide a means
for aggregating scores associated with the satisfacion of
multiple criteria in decision making, which unifies in one
operator the conjunctive and disjunctive behavior. A pret-
ty survey over the weights determination was written by
Xu [10]. Various applications have been improved by
OWA operator modifications. Some recent ones include
ching [11] using OWA reordering for classifications also
Emrouznejad [9] made some advantages of OWA in doc-
ument similarity detection and Sadiq [20] used this func-
tion for optimum source distribution with criteria.
The OWA operator of dimension n is a mapping such as:
F: Rn →R and is given by:
n
OWA( x1 , x2 ,..., xn )   w j x ( j ) (1)
j 1
where σ is a permutation that orders the elements in the
following order, x σ(1) ≤ x σ(2) ≤ x σ(3) ≤ x σ(4) ≤ … ≤ x σ(n).
The weights are all non-negative (wi > 0) and their sum equals
to one (∑ni=1 wi =1).
16
This operator has been proved to be very useful, because
of its versatility, the OWA operators provide a paramete-
rized family of aggregation operators, which include any
of the well-known operators such as the maxium, mini-
mum, the k-order statistics, the median and the arithmetic
mean. In order to obtain these particular operators we
should simply choose particular weights. The Ordered
Weighted Averaging operators are commutative, mono-
tone, idempotent, they are stable for positive linear trans-
formations, and they have a compensatory behavior. This
last property translates the fact that the aggregation done
by an OWA operator always is between the maximum
and the minimum. It can be seen as a parameterized way
to go from the min to the max. In this context, a degree of
maxness (initially called orness) was introduced in [8],
defined by
1 n
maxness( w1 , w2 ,..., wn )   (n  i)wi
n  1 i 1
(2)
where the minimum, maxness (1, 0, . . . , 0) = 0 and for the
maximum maxness (0, . . . , 0, 1) = 1. A simple class of
OWA operators as exponential class of OWA operators
was introduced to generate the OWA weights satisfying a
given degree of maxness. The optimistic and pessimistic
exponential OWA operators were correspondingly
intrduced to proportionally figure out what the result of
aggregation would be with most and less importance
over the ordered entering units. This is a means for
weight vector reordering to maximize relational decisions
constraint with highest dispersion.
3.2 Features weight reordering using owa
Assume there is a collection of m samples observations
each comprised of a n-tuple of arguments (ak1, ak2, ..., akn),
and an associated aggregated value, dk. We denote the
reordered objects of the kth sample by (bk1, bk2, ..., bkn)
where bkj is the jth largest element of the argument collec-
tion (ak1, ak2, ..., akn). Using these ordered arguments, we
need to find a vector of the OWA weights w = (w1, w2, ...,
wn)T to satisfy the following condition as faithfully as
possible:
bk1w1  bk2w2  bk3w3    bknwn  dk , k 1,,m (3)
We relax the above condition by looking for a vector of
OWA weights that approximates the aggregation opera-
tor by minimizing the instantaneous errors:
1
 bk1w1  bk2w2   bknwn  dk  , k 1,...,m
2
ek  (4)
2
with respect to the weights wi ,i=(1, 2, ..., n) regarding to
wi such that wi є [0,1] and (∑ni=1 wi = 1). Now Let λi, i=(1,
2, ..., n) be n parameters, and set the initial values λi(0)=0,
i=(1, 2, ..., n), then the procedure used at each iteration is
suggested as follows:
1. Calculate the current estimates of the λi(l) ,i=(1, 2,
..., n) and a new observation consisting of the or-
dered arguments bk1, bk2, ..., bkn.
2. Use the λi(l), i=(1, 2, ..., n) to provide a current es-
timate of the weights by Equation (5).
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 12, DECEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG
3. Utilize the estimated weights along with the or-
dered arguments to get a calculated aggregated
value using Equation (6).
4. Update the estimates of the λi according to Equa-
tion (7).
e i ( l )
wi (l )  n
, i  1, 2,..., m
e
 j (l )
j 1
dˆk bk1w1  l  bk2w2  l   bknwn  l , k 1,2,..n
i (l  1)  i (l )   w i (l )(bki  dˆk )(dˆk  d k )
Clearly, the parameters λi, determining the OWA
weights are updated by propagation of the error
( dˆ k  d k ) between the current estimated aggregated val-
ue and the actual aggregated value with factors wi and
( b k i  dˆ k ).
So we have a normalized solution here to find the
weights according to the importance of the API calls and
the instructions orders applied during the code synthesis
to maximize the enthropy or dispersion factor over all
weights at the first iteration to begin a homogenous
weight for all features and the initial order of the input
vector is not affected by the order of the input location of
entrance.
From this step the reordering process will be followed
to change the structure entrance orderings. Instructions
and API calls due to their optimistic OWA weights are
organized. The solution is found by solving the following
linear objective programming model:
n used for binomial regression. Like many forms of regres-
min J   (ek  ek ), k  1, 2,..., m
k 1
n
s.t. bkj w j  d k  ek  ek  0, k  1, 2,..., m
j 1
w H
n Many researchers, in this field, used an imbalanced data-
wi  0, i  1, 2,..., n , w
i 1
i 1
ek  0, ek  0, k  1, 2,..., m
where, e k and e k are the upper and lower deviation va-
riables of dk, respectively. By solving the above linear ob-
jective programming model, we can obtain the vector of
the OWA weights. Regarding to each data set applicative
weights are gained. Now by the aid of new orders mod-
ified by the relationship between instructions we have a
better detection of related classes of equal functions. Here
the Orness amount is equal to ½ in order to have a normal
and symmetric vector space. Then we begin by modifing
the λi(0)=0 ,due to Xu [10] amount of β= 0.37 will give the
best practical results . As practical experiment proceeds
0.251 is the amount found suitable in final step with least
error rate for e k = e k = 0.001 now these optimum weights
will meet our needs for aggregation of selected features
17
regarding their repetation rate.
3.3 Classification Models
A naive Bayes classifier assumes that the presence (or
absence) of a particular feature of a class is unrelated to
the presence (or absence) of any other feature.
(5) Bayesian networks belong to the family of probabilistic
graphical models. These graphical structures are used to
represent knowledge about an uncertain domain. In par-
ticular, each node in the graph represents a random vari-
(6) able, while the edges between the nodes represent proba-
bilistic dependencies among the corresponding random
variables. These conditional dependencies in the graph
(7) are often estimated by using known statistical and com-
putational methods. Hence, bayesian networks combine
principles from graph theory, probability theory, com-
puter science, and statistics [12].
A random tree is a tree or arborescence that is formed
by a stochastic process. Different types of random trees
include: uniform spanning tree, random minimal span-
ning tree, random binary tree, random recursive tree,
treap or randomized binary search tree, rapidly exploring
random tree, Brownian tree, random forest and branching
process [13].
Sequential minimal optimization (SMO) is an algo-
rithm for solving large quadratic programming (QP) op-
timization problems, widely used for the training of sup-
port vector machines. SMO breaks up large QP problems
into a series of smallest possible QP problems, which are
then solved analytically [14].
Logistic regression is used for prediction of the proba-
bility of occurrence of an event by fitting data to a logit
function logistic curve. It is a generalized linear model
(8) sion analysis, it makes use of several predictor variables
that may be either numerical or categorical.
(9) 4 EXPERIMENTAL RESULTS
4.1 Data Collection
set in their experiments in which number of malwares is
much more than the number of benign files [15, 16, 17].
We thought, however, that the above assumption does
stand in real world domain, in which number of mali-
cious binaries is at most as much that of benign files.
Clearly, it can be conclude that those methods, in which
we have considerable amount of malicious binaries com-
pared to the benign ones, provide better accuracy. Ac-
cording to this thought we collect 537 benign Windows
PE-files and select 563 malwares from malware repository
of APA malware research center at Shiraz University.
4.2 Evaluation measures
We define “Detection Rate” as the percentage of all input
files labeled “malicious” that can receive correct label by
the system, as illustrate in Equation (10).
TP
DetectionRate ( Dt.Rate)  (10)
TP  FN
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 12, DECEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 18

TABLE 1
The “False Alarm Rate” is the percentage labeled “nor- EXPERIMENTAL RESULTS ON MENTIONED DATASET WITH DIFFER-
ENT CLASSIFIERS AND COMPARISION WITH OWA BASED CLAS-
mal” that likewise receive the wrong label by the system,
SIFIERS
as illustrate in Equation (11).
FP
FalseAlarmRate ( FA.Rate)  (11) Model Dt. Rate FA. Rate Accuracy AUC
TN  FP
The “Accuracy” is the overall accuracy of the system to
detect malwares and benign files, as illustrate in Equation Baye net 81.3 59.7 60.8 85.3
(12).
TP  TN Baye net 91.7 57.7 67.5 87.5
Accuracy  (12)
TP  TN  FP  FN With OWA
The “cross validation”, is a technique for assessing how
the results of a statistical analysis will generalize to an Random 85.1 22.5 81.3 86.4
independent data set. It is mainly used in settings where
Tree
the goal is prediction, and one wants to estimate how ac-
curately a predictive model will perform in practice. One
round of cross validation involves partitioning a sample Random 92.2 12.5 89.9 90.6
of data into complementary subsets, performing the anal- Tree With
ysis on one subset that called the training set, and validat- OWA
ing the analysis on the other subset that called the testing
set. To reduce variability, multiple rounds of cross valida-
tion are performed using different partitions, and the va- Bayesian 88.6 19.8 84.4 87.5
lidation results are averaged over the rounds, we called Logistic
each round as a fold [18]. Regression
The “ROC curve”, is a graphical plot of true positive
rate, versus false positive rate, for a binary classifier sys-
tem as its discrimination threshold is varied. The area Bayesian 97.9 6.1 95.9 95.9
under the “ROC curve”, called “AUC”. The “AUC” is Logistic
equal to the probability that a classifier will rank a ran- Regression
domly chosen positive instance higher than a randomly With OWA
chosen negative one [19].

4.3 Analysis SMO 92.9 16.8 88.1 91.4

We illustrate the different acuracy rates over different
classification models and compare them with OWA oper-
ator at the same classification models in tabular form, as
illustrate in Table 1. These results obtained with 10 fold
cross validation test. The results indicate that the methods
based on OWA feature selection provide excellent acura-
cy than rival approaches. According to this comparison, search and Education Center at Shiraz University.
our approach has the best accuracy, among other detec-
tion methods.
REFERENCES
[1]
5 CONCLUSIONS [2]
In static approaches having least false detection is critical
whilst true detection precision should maintain in its [3]
highest efficiency. Here through using OWA operator, we
are able to have better feature selection on malwares detc- [4]
tion with no further overloads on computation time or
memory complexity in comparison with equivalent static
pure ones however the false detection is drastically
drawn off and somehow a sensible increment is seen in
true detection rate making this method best among rival [5]
approaches.
ACKNOWLEDGMENT
[6]
This work was supported in part by APA Malware Re-
SMO With 97.9 5.8 96.1 96.0
OWA
D. Gerrold, “When Harlie Was One,” Doubleday, 1972.
F. Cohen, “Computer Viruses,” PhD thesis, University of
Southern California, 1985.
P. Szor, “The Art of Computer Virus Research and Defense,”
Addison Wesley for Symantec Press, New Jersey, 2005.
J. Bergeron, M. Debbabi, M. M. Erhioui, and B. Ktari, “Static
Analysis of Binary Code to Isolate Malicious Behavior,” In Pro-
ceedings of the 8th Workshop on Enabling Technologies on In-
frastructure for Collaborative Enterprises (WETICE’99), pp.
184-189, 1999.
J. Bergeron, M. Debbabi, J. Desharnais, M. M. Erhioui, Y. La-
voie, and N. Tawbi, “Static Detection of Malicious Code in Ex-
ecutable Programs,” Symposium on Requirements Engineering
for Information Security (SREIS’01), 2001.
R.W. Lo, K.N. Levitt, and R.A. Olsson. “MCF: A Malicious
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 12, DECEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 19

Code Filter,” Computers and Security, vol 14, no 6, pp 541-566,

1995.
[7] A.H. Sung, J. Xu, P. Chavez, and S. Mukkamala. “Static Ana-
lyzer of Vicious Executables,” In 20th Annual Computer Securi-
ty Applications Conference, pp 326-334, 2004.
[8] R.R. Yager, “On ordered weighted averaging aggregation oper-
ators in multi-criteria decision making,” IEEE transactions on
Systems, Man and Cybernetics, vol 18, pp 183–190, 1988.
[9] A. Emrouznejad, G.R. Amin, “Document Similarity: A New
Measure Using OWA, “Fuzzy Systems and Knowledge Discov-
ery, 2009. FSKD '09. Sixth International Conference on , vol 7,
no 1, pp.186-190, 14-16 Aug. 2009
[10] Z.S. Xu, “An overview of methods for determining OWA
weights,“ Int. J. Intelligent .System, vol 20, pp 843–865, 2005.
[11] C.H. Cheng, J.W. Wang, M.C. Wu, “OWA-weighted based
clustering method for classification problem,” Expert Systems
with Applications, vol 36, pp 4988–499, 2009.
[12] N.L. Zhang, D. Poole, “Exploiting causal independence in
Bayesian network inference,” Journal of Artificial Intelligence
Research vol 5, pp 301-328, 1996.
[13] T.G. Dietterich, “An Experimental Comparison of Three Me-
thods for Constructing Ensembles of Decision Trees: Bagging,
Boosting, and Randomization,” Machine Learning, vol 40, no
2, pp. 139-157, 2000.
[14] J.C. Platt, “Fast training of support vector machines using se-
quential minimal optimization,” In Advances in kernel me-
thods, pp. 185-208, MIT Press, Cambridge, MA, USA, 1999.
[15] G. Bonfante, M. Kaczmarek, and J. Marion, “Control Flow to
Detect Malware,” Inter-Regional Workshop on Rigorous Sys-
tem Development and Analysis, 2007.
[16] Y. Ye, D. Wang, T. Li, D. Ye, Q. Jiang, “An intelligent PE-
malware detection system based on association mining,” Jour-
nal of Computer Virology, Feb 2008.
[17] G. Bonfante, M. Kaczmarek, and J. Marion, “Architecture of a
morphological malware detector,” Journal of Computer Virolo-
gy, Sep 2008.
[18] R. Picard, D. Cook, “Cross-Validation of Regression Models,”
Journal of the American Statistical Association, pp 575-583,
1984.
[19] L.E. Dodd, M.S. Pepe, “Partial AUC Estimation and Regres-
sion,” Biometrics, pp 614-623, 2003.
[20] R. Sadiq, M.J. Rodríguez, S. Tesfamariam, “Integrating indica-
tors for performance assessment of small water utilities using
ordered weighted averaging (OWA) operators,” Expert Sys-
tems with Applications ,vol 37, pp 4881–4891, 2010.