Blake Anderson,Subharthi Paul,David McGrew

DOI: https://doi.org/10.48550/arXiv.1607.01639

2016-07-06

Abstract:The use of TLS by malware poses new challenges to network threat detection because traditional pattern-matching techniques can no longer be applied to its messages. However, TLS also introduces a complex set of observable data features that allow many inferences to be made about both the client and the server. We show that these features can be used to detect and understand malware communication, while at the same time preserving the privacy of benign uses of encryption. These data features also allow for accurate malware family attribution of network communication, even when restricted to a single, encrypted flow. To demonstrate this, we performed a detailed study of how TLS is used by malware and enterprise applications. We provide a general analysis on millions of TLS encrypted flows, and a targeted study on 18 malware families composed of thousands of unique malware samples and ten-of-thousands of malicious TLS flows. Importantly, we identify and accommodate the bias introduced by the use of a malware sandbox. The performance of a malware classifier is correlated with a malware family's use of TLS, i.e., malware families that actively evolve their use of cryptography are more difficult to classify. We conclude that malware's usage of TLS is distinct from benign usage in an enterprise setting, and that these differences can be effectively used in rules and machine learning classifiers.

Cryptography and Security

Gibran Gomez,Platon Kotzias,Matteo Dell'Amico,Leyla Bilge,Juan Caballero

DOI: https://doi.org/10.1155/2023/3676692

IF: 1.968

2023-01-14

Security and Communication Networks

Abstract:Malware abuses TLS to encrypt its malicious traffic, preventing examination by content signatures and deep packet inspection. Network detection of malicious TLS flows is important, but it is a challenging problem. Prior works have proposed supervised machine learning detectors using TLS features. However, by trying to represent all malicious traffic, supervised binary detectors produce models that are too loose, thus introducing errors. Furthermore, they do not distinguish flows generated by different malware. On the other hand, supervised multiclass detectors produce tighter models and can classify flows by the malware family but require family labels, which are not available for many samples. To address these limitations, this work proposes a novel unsupervised approach to detect and cluster malicious TLS flows. Our approach takes input network traces from sandboxes. It clusters similar TLS flows using 90 features that capture properties of the TLS client, TLS server, certificate, and encrypted payload and uses the clusters to build an unsupervised detector that can assign a malicious flow to the cluster it belongs to, or determine if it is benign. We evaluate our approach using 972K traces from a commercial sandbox and 35M TLS flows from a research network. Our clustering shows very high precision and recall with an F1 score of 0.993. We compare our unsupervised detector with two state-of-the-art approaches, showing that it outperforms both. The false detection rate of our detector is 0.032% measured over four months of traffic.

computer science, information systems,telecommunications

Rui Dai,Chuan Gao,Bo Lang,Lixia Yang,Hongyu Liu,Shaojie Chen

DOI: https://doi.org/10.1145/3371676.3371697

2019-01-01

Abstract:In recent years, as more and more softwares use SSL encryption protocol to improve the security and integrity of communications, the encrypted traffic is growing, which brings new challenges to cyber attack detection. Since most of the SSL traffic is unreadable ciphertext, traditional pattern recognition and deep packet inspection are not applicable. In addition, the current machine learning methods are not fully applicable to encrypted traffic detection. The detection of encrypted malicious traffic is still an open problem. In this paper, we propose an SSL malicious traffic detection method based on multi-view features. Our method comprehensively extracts features from multiple views, including flow statistics, SSL handshake field, and certificate to retain key original information. We test four machine learning models, i.e., SVM, Decision Tree, Random Forest, and XGBoost on the CTU Malware dataset. The results show that XGBoost performs best reaching an accuracy of 97.71%, which is better than other studies on the CTU dataset.

Wang Tao,Yu Shunzheng,Xie Bailin

DOI: https://doi.org/10.1109/ifita.2010.173

2010-01-01

Abstract:Malicious web pages are a widely-recognized threat to the security of the web. Malicious web pages launch so-called drive-by download attacks that are able to gain complete control of a user’s computer for illegitimate purpose. Even a single visit to a malicious web page enables an automatically download and installation of malicious malware executables. In this paper, we propose a novel approach for classifying web pages automatically as either malicious or benign based on a supervised machine learning. Our approach learns to detect malicious web pages exclusively based on HTTP session information (e.g., HTTP session headers, domains of requests and responses). With the corpus of 50,000 benign web pages and 500 malicious web pages, we are capable of successfully detecting 92.2% of the malicious web pages with a low false positive rate 0.1%.

Rongfeng Zheng,Jiayong Liu,Kai Li,Shan Liao,Liang Liu

DOI: https://doi.org/10.1109/ICICN51133.2020.9205087

2020-01-01

Abstract:For highly camouflaged Command and Control (C&C) communications, especially those using the Transport Security Layer (TLS) protocol, traditional classifiers which only based on statistical features or TLS handshake features gradually fail to detect such behavior. In this context, exploring features of other dimensions to build a more targeted recognition model is one of the ways to alleviate this problem. This paper proposed a new method of detecting malicious TLS traffic by using the communication channel as the detection unit, and a new set of modeling features for the communication channel was designed, including distribution features, the consistency features and statistical features of TLS communication channel. Experiments show that compared with other two types of features, the consistency features contribute most, and combining these three types of features together can train a better classifier which the precision reaches 92.57%. Comparative experiments show that the proposed method is more advantageous when faced with highly camouflaged TLS flows because the proposed method also achieved highest F1 score, and the accuracy is about 2% higher than the classifier based on the TLS handshake features, and 12% higher than the clustering model based on the statistical features of flow.

Mathew Ashik,A. Jyothish,S. Anandaram,P. Vinod,Francesco Mercaldo,Fabio Martinelli,Antonella Santone

DOI: https://doi.org/10.3390/electronics10141694

IF: 2.9

2021-07-15

Electronics

Abstract:Malware is one of the most significant threats in today’s computing world since the number of websites distributing malware is increasing at a rapid rate. Malware analysis and prevention methods are increasingly becoming necessary for computer systems connected to the Internet. This software exploits the system’s vulnerabilities to steal valuable information without the user’s knowledge, and stealthily send it to remote servers controlled by attackers. Traditionally, anti-malware products use signatures for detecting known malware. However, the signature-based method does not scale in detecting obfuscated and packed malware. Considering that the cause of a problem is often best understood by studying the structural aspects of a program like the mnemonics, instruction opcode, API Call, etc. In this paper, we investigate the relevance of the features of unpacked malicious and benign executables like mnemonics, instruction opcodes, and API to identify a feature that classifies the executable. Prominent features are extracted using Minimum Redundancy and Maximum Relevance (mRMR) and Analysis of Variance (ANOVA). Experiments were conducted on four datasets using machine learning and deep learning approaches such as Support Vector Machine (SVM), Naïve Bayes, J48, Random Forest (RF), and XGBoost. In addition, we also evaluate the performance of the collection of deep neural networks like Deep Dense network, One-Dimensional Convolutional Neural Network (1D-CNN), and CNN-LSTM in classifying unknown samples, and we observed promising results using APIs and system calls. On combining APIs/system calls with static features, a marginal performance improvement was attained comparing models trained only on dynamic features. Moreover, to improve accuracy, we implemented our solution using distinct deep learning methods and demonstrated a fine-tuned deep neural network that resulted in an F1-score of 99.1% and 98.48% on Dataset-2 and Dataset-3, respectively.

engineering, electrical & electronic,computer science, information systems,physics, applied

Ietezaz Ul Hassan,Raja Hashim Ali,Zain Ul Abideen,Talha Ali Khan,Rand Kouatly

DOI: https://doi.org/10.3390/digital2040027

2022-10-31

Digital

Abstract:It is hard to trust any data entry on online websites as some websites may be malicious, and gather data for illegal or unintended use. For example, bank login and credit card information can be misused for financial theft. To make users aware of the digital safety of websites, we have tried to identify and learn the pattern on a dataset consisting of features of malicious and benign websites. We treated the problem of differentiation between malicious and benign websites as a classification problem and applied several machine learning techniques, for example, random forest, decision tree, logistic regression, and support vector machines to this data. Several evaluation metrics such as accuracy, precision, recall, F1 score, and false positive rate, were used to evaluate the performance of each classification technique. Since the dataset was imbalanced, the machine learning models developed a bias during training toward a specific class of websites. Multiple data balancing techniques, for example, undersampling, oversampling, and SMOTE, were applied for balancing the dataset and removing the bias. Our experiments showed that after balancing the data, the random forest algorithm using the oversampling technique showed the best results in all evaluation metrics for the benign and malicious website feature dataset.

Rajvardhan Patil,Wei Deng

DOI: https://doi.org/10.1109/southeastcon44009.2020.9368268

2020-01-01

Abstract:In this era, where the volume and diversity of malware is rising exponentially, new techniques need to be employed for faster and accurate identification of the malwares. Manual heuristic inspection of malware analysis are neither effective in detecting new malware, nor efficient as they fail to keep up with the high spreading rate of malware. Machine learning approaches have therefore gained momentum. They have been used to automate static and dynamic analysis investigation where malware having similar behavior are clustered together, and based on the proximity unknown malwares get classified to their respective families. Although many such research efforts have been conducted where data-mining and machine-learning techniques have been applied, in this paper we show how the accuracy can further be improved using deep learning networks. As deep learning offers superior classification by constructing neural networks with a higher number of potentially diverse layers it leads to improvement in automatic detection and classification of the malware variants.In this research, we present a framework which extracts various feature-sets such as system calls, operational codes, sections, and byte codes from the malware files. In the experimental and result section, we compare the accuracy obtained from each of these features and demonstrate that feature vector for system calls yields the highest accuracy. The paper concludes by showing how deep learning approach performs better than the traditional shallow machine learning approaches.

Doyen Sahoo,Chenghao Liu,Steven C.H. Hoi

DOI: https://doi.org/10.48550/arXiv.1701.07179

2019-08-21

Abstract:Malicious URL, a.k.a. malicious website, is a common and serious threat to cybersecurity. Malicious URLs host unsolicited content (spam, phishing, drive-by exploits, etc.) and lure unsuspecting users to become victims of scams (monetary loss, theft of private information, and malware installation), and cause losses of billions of dollars every year. It is imperative to detect and act on such threats in a timely manner. Traditionally, this detection is done mostly through the usage of blacklists. However, blacklists cannot be exhaustive, and lack the ability to detect newly generated malicious URLs. To improve the generality of malicious URL detectors, machine learning techniques have been explored with increasing attention in recent years. This article aims to provide a comprehensive survey and a structural understanding of Malicious URL Detection techniques using machine learning. We present the formal formulation of Malicious URL Detection as a machine learning task, and categorize and review the contributions of literature studies that addresses different dimensions of this problem (feature representation, algorithm design, etc.). Further, this article provides a timely and comprehensive survey for a range of different audiences, not only for machine learning researchers and engineers in academia, but also for professionals and practitioners in cybersecurity industry, to help them understand the state of the art and facilitate their own research and practical applications. We also discuss practical issues in system design, open research challenges, and point out some important directions for future research.

Machine Learning,Cryptography and Security

Rongfeng Zheng,Jiayong Liu,Liang Liu,Shan Liao,Kai Li,Jihong Wei,Li Li,Zhiyi Tian

DOI: https://doi.org/10.1371/journal.pone.0232696

IF: 3.7

2020-01-01

PLoS ONE

Abstract:The transport layer security (TLS) protocol is widely adopted by apps as well as malware. With the geometric growth of TLS traffic, accurate and efficient detection of malicious TLS flows is becoming an imperative. However, current studies focus on either detection accuracy or detection efficiency, and few studies take into account both indicators. In this paper, we propose a two-layer detection framework composed of a filtering model (FM) and a malware family classification model (MFCM). In the first layer, a new set of TLS handshake features is presented to train the FM, which is devised to filter out a majority of benign TLS flows. For identifying malware families, both TLS handshake features and statistical features are applied to construct the MFCM in the second layer. Comprehensive experiments are conducted to substantiate the high accuracy and efficiency of the proposed two-layer framework. A total of 96.32% of benign TLS flows can be filtered out by the FM with few malicious TLS flows being discarded provided the threshold of the FM is set to 0.01. Moreover, a multi-classifier is selected to construct the MFCM to provide better performance than a set of binary classifiers under the same feature set. In addition, when the ratio of benign and malicious TLS flows is set to 10:1, the detection efficiency of the two-layer framework is 188% faster than that of the single-layer framework, while the average detection accuracy reaches 99.45%.

Zhongyi Hu,Raymond Chiong,Ilug Pranata,Willy Susilo,Yukun Bao

DOI: https://doi.org/10.1109/cec.2016.7748347

2016-01-01

Abstract:Malicious web domains represent a big threat to web users' privacy and security. With so much freely available data on the Internet about web domains' popularity and performance, this study investigated the performance of well-known machine learning techniques used in conjunction with this type of online data to identify malicious web domains. Two datasets consisting of malware and phishing domains were collected to build and evaluate the machine learning classifiers. Five single classifiers and four ensemble classifiers were applied to distinguish malicious domains from benign ones. In addition, a binary particle swarm optimisation (BPSO) based feature selection method was used to improve the performance of single classifiers. Experimental results show that, based on the web domains' popularity and performance data features, the examined machine learning techniques can accurately identify malicious domains in different ways. Furthermore, the BPSO-based feature selection procedure is shown to be an effective way to improve the performance of classifiers.

Muhammad Shoaib Akhtar,Tao Feng

DOI: https://doi.org/10.3390/sym14112304

2022-11-04

Symmetry

Abstract:One of the most significant issues facing internet users nowadays is malware. Polymorphic malware is a new type of malicious software that is more adaptable than previous generations of viruses. Polymorphic malware constantly modifies its signature traits to avoid being identified by traditional signature-based malware detection models. To identify malicious threats or malware, we used a number of machine learning techniques. A high detection ratio indicated that the algorithm with the best accuracy was selected for usage in the system. As an advantage, the confusion matrix measured the number of false positives and false negatives, which provided additional information regarding how well the system worked. In particular, it was demonstrated that detecting harmful traffic on computer systems, and thereby improving the security of computer networks, was possible using the findings of malware analysis and detection with machine learning algorithms to compute the difference in correlation symmetry (Naive Byes, SVM, J48, RF, and with the proposed approach) integrals. The results showed that when compared with other classifiers, DT (99%), CNN (98.76%), and SVM (96.41%) performed well in terms of detection accuracy. DT, CNN, and SVM algorithms' performances detecting malware on a small FPR (DT = 2.01%, CNN = 3.97%, and SVM = 4.63%,) in a given dataset were compared. These results are significant, as malicious software is becoming increasingly common and complex.

Adebayo Oshingbesan,Courage Ekoh,Chukwuemeka Okobi,Aime Munezero,Kagame Richard

DOI: https://doi.org/10.48550/arXiv.2209.09630

2022-09-13

Abstract:In detecting malicious websites, a common approach is the use of blacklists which are not exhaustive in themselves and are unable to generalize to new malicious sites. Detecting newly encountered malicious websites automatically will help reduce the vulnerability to this form of attack. In this study, we explored the use of ten machine learning models to classify malicious websites based on lexical features and understand how they generalize across datasets. Specifically, we trained, validated, and tested these models on different sets of datasets and then carried out a cross-datasets analysis. From our analysis, we found that K-Nearest Neighbor is the only model that performs consistently high across datasets. Other models such as Random Forest, Decision Trees, Logistic Regression, and Support Vector Machines also consistently outperform a baseline model of predicting every link as malicious across all metrics and datasets. Also, we found no evidence that any subset of lexical features generalizes across models or datasets. This research should be relevant to cybersecurity professionals and academic researchers as it could form the basis for real-life detection systems or further research work.

Cryptography and Security,Machine Learning

Linxiao Yu,Jun Tao,Yifan Xu,Weice Sun,Zuyan Wang

DOI: https://doi.org/10.1016/j.comnet.2024.110475

IF: 5.493

2024-05-08

Computer Networks

Abstract:Recently, more and more applications have adopted security protocols like Transport Layer Security (TLS) for data encryption. However, these privacy-enhancing approaches have also been abused by the attackers to deliver malicious payloads. Many existing encrypted network classification methods suffer from the imbalanced volume of normal and malicious traffic, which leads to bad model robustness. In this paper, we propose a novel TLS fingerprinting approach to capture the characteristics of encrypted network traffic. The fingerprints are attributed graphs obtained from TLS sessions, which can simultaneously take into consideration the sequential and statistical features of these sessions. As the communication patterns of different applications differ considerably, the graphs representing TLS connections could be used to characterize the network with the help of the graph kernel method, which results in a model with high accuracy in malicious TLS session detection and application discrimination. Moreover, we adopt Locality-Sensitive Hashing (LSH) and filtering techniques to reduce the time cost of our model. Model evaluation on real-world datasets shows that our model is more robust than existing methods presented in this work when the malicious traffic takes up an extremely small portion of the whole traffic.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Priyank Singhal,Nataasha Raul

DOI: https://doi.org/10.5121/ijnsa.2012.4106

2012-02-08

Abstract:Malicious software is abundant in a world of innumerable computer users, who are constantly faced with these threats from various sources like the internet, local networks and portable drives. Malware is potentially low to high risk and can cause systems to function incorrectly, steal data and even crash. Malware may be executable or system library files in the form of viruses, worms, Trojans, all aimed at breaching the security of the system and compromising user privacy. Typically, anti-virus software is based on a signature definition system which keeps updating from the internet and thus keeping track of known viruses. While this may be sufficient for home-users, a security risk from a new virus could threaten an entire enterprise network. This paper proposes a new and more sophisticated antivirus engine that can not only scan files, but also build knowledge and detect files as potential viruses. This is done by extracting system API calls made by various normal and harmful executable, and using machine learning algorithms to classify and hence, rank files on a scale of security risk. While such a system is processor heavy, it is very effective when used centrally to protect an enterprise network which maybe more prone to such threats.

Cryptography and Security,Machine Learning

Amanda Thomson,Leandros Maglaras,Naghmeh Moradpoor

2024-10-05

Abstract:Malicious domains are part of the landscape of the internet but are becoming more prevalent and more dangerous to both companies and individuals. They can be hosted on variety of technologies and serve an array of content, ranging from Malware, command and control, and complex Phishing sites that are designed to deceive and expose. Tracking, blocking and detecting such domains is complex, and very often involves complex allow or deny list management or SIEM integration with open-source TLS fingerprinting techniques. Many fingerprint techniques such as JARM and JA3 are used by threat hunters to determine domain classification, but with the increase in TLS similarity, particularly in CDNs, they are becoming less useful. The aim of this paper is to adapt and evolve open-source TLS fingerprinting techniques with increased features to enhance granularity, and to produce a similarity mapping system that enables the tracking and detection of previously unknown malicious domains. This is done by enriching TLS fingerprints with HTTP header data and producing a fine grain similarity visualisation that represented high dimensional data using MinHash and local sensitivity hashing. Influence was taken from the Chemistry domain, where the problem of high dimensional similarity in chemical fingerprints is often encountered. An enriched fingerprint was produced which was then visualised across three separate datasets. The results were analysed and evaluated, with 67 previously unknown malicious domains being detected based on their similarity to known malicious domains and nothing else. The similarity mapping technique produced demonstrates definite promise in the arena of early detection of Malware and Phishing domains.

Cryptography and Security

WANG Tao,YU Shun-zheng

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.01.019

2011-01-01

Computer Science

Abstract:Malicious Web pages impose increasing threats on Web security in recent years.Currently,there are mainly two client-side protection approaches including anti-virus software packages and blacklists of malicious sites.Anti-virus techniques commonly use signature-based approaches which might not be able to efficiently identify malicious HTML codes with encryption and obfuscation.Furthermore,blacklisting techniques are difficult to keep up-to-date.This paper presented a novel classification method for real-time detecting malicious Web pages which is independent with the contents of Web pages.Our approach characterizes malicious Web pages using HTTP session information.With representative statistical features and decision tree algorithm in machine learning,we built an effective classification model for online real-time detecting malicious Web pages.Experiment results demonstrate that we are able to successfully detect 89.7% of the malicious Web pages with a low false positive rate of 0.3%.

Chaitanya R. Vyawhare,Reshma Y. Totare,Prashant S. Sonawane,Purva B. Deshmukh

DOI: https://doi.org/10.22214/ijraset.2022.42050

2022-05-31

International Journal for Research in Applied Science and Engineering Technology

Abstract:Abstract: Today the most important concern in the field of cyber security is finding the serious problems that make loss in secure information. It is mainly due to malicious URLs. Malicious URLs are generated daily. This URLs are having a short life span. Various techniques are used by researchers for detecting such threats in a timely manner. Blacklist method is famous among them. Researchers uses this blacklist method for easily identifying the harmful URLs. They are very simple and easy method. Due to their simplicity they are used as a traditional method for detecting such URLs. But this method suffers from many problems. The lack of ability in detecting newly generated malicious URLs is one of the main drawbacks of Blacklist method. Heuristic approach is also used for identifying some common attacks. It is an advanced technique of Blacklist method. But this method cannot be used for all type of attacks. So this method is used very shortly. For a good experience, the researchers introduce machine learning techniques. Machine Learning techniques go through several phases and detect the malicious URLs in an accurate manner. This method also gives the details about the false positive rate. This review paper studies the different phases such as feature extraction phase and feature representation phase of machine learning techniques for detecting malicious URLs. Different machine learning algorithms used for such detection is also discuss in this paper. And also gives a better understanding about the advantage of using machine learning over other techniques for detecting malicious URLs and problems it suffers. Keywords: Blacklist, Cyber Security, Malicious URL

Manoj D. Shelar*,Dr. S. Srinivasa Rao,,

DOI: https://doi.org/10.35940/ijitee.c8918.019320

2020-01-10

International Journal of Innovative Technology and Exploring Engineering

Abstract:Malware is a general problems faced in the present day. Malware is a file that may be on the client machine. Malware can root an uncorrectable risk to the safety and protection of personal workstation clients as an expansion in the spiteful threats. In this paper explain a malware threats detection using data mining and machine learning. Malware detection algorithms with machine learning approach and data file. Also explained break executable files, create instruction set and take a look at different machine learning and data mining algorithm for feature extraction, reduction for detection of malware. In the system precisely distinguishes both new and known malware occurrences even though the double distinction among malware and real software is ordinarily little. There is a demand to present a skeleton which can come across latest, malicious executable files.

Subhash Mondal,Subinoy Mukherjee,Suharta Banerjee

DOI: https://doi.org/10.1007/978-981-16-4435-1_30

2021-08-03

Abstract:Internet of Things is the most promising technology that is trying to transform the way in which we live and is expected to seamlessly get integrated into our environment. However, securing the IoT devices from attacks is the prime concern for researchers today. Securing IoT systems from malicious attacks is the most challenging task as attacks like DoS or DDoS are distributed in nature. In this paper we have proposed an architecture based on ML that will identify the malicious nodes which in turn will provide pre-authentication and access control, thus preventing unauthorized access of IoT resources. We have mainly emphasized on the trade-off between time, memory, and accuracy of ML algorithms for achieving better performance.