Rayan Mosli,Rui Li,Bo Yuan,Yin Pan

DOI: https://doi.org/10.1007/978-3-319-67208-3_11

2017-01-01

Abstract:Malware is the fastest growing threat to information technology systems. Although a single absolute solution for defeating malware is improbable, a stacked arsenal against malicious software enhances the ability to maintain security and privacy. This research attempts to reinforce the anti-malware arsenal by studying a behavioral activity common to software -the use of handles. The characteristics of handle usage by benign and malicious software are extracted and exploited in an effort to distinguish between the two classes. An automated malware detection mechanism is presented that utilizes memory forensics, information retrieval and machine learning techniques. Experimentation with a malware dataset yields a malware detection rate of 91.4% with precision and recall of 89.8% and 91.1%, respectively.

Felipe N. Ducau,Ethan M. Rudd,Tad M. Heppner,Alex Long,Konstantin Berlin

DOI: https://doi.org/10.48550/arXiv.1905.06262

IF: 5.414

2019-05-15

Machine Learning

Abstract:With the rapid proliferation and increased sophistication of malicious software (malware), detection methods no longer rely only on manually generated signatures but have also incorporated more general approaches like machine learning detection. Although powerful for conviction of malicious artifacts, these methods do not produce any further information about the type of threat that has been detected neither allows for identifying relationships between malware samples. In this work, we address the information gap between machine learning and signature-based detection methods by learning a representation space for malware samples in which files with similar malicious behaviors appear close to each other. We do so by introducing a deep learning based tagging model trained to generate human-interpretable semantic descriptions of malicious software, which, at the same time provides potentially more useful and flexible information than malware family names. We show that the malware descriptions generated with the proposed approach correctly identify more than 95% of eleven possible tag descriptions for a given sample, at a deployable false positive rate of 1% per tag. Furthermore, we use the learned representation space to introduce a similarity index between malware files, and empirically demonstrate using dynamic traces from files' execution, that is not only more effective at identifying samples from the same families, but also 32 times smaller than those based on raw feature vectors.

Rajvardhan Patil,Wei Deng

DOI: https://doi.org/10.1109/southeastcon44009.2020.9368268

2020-01-01

Abstract:In this era, where the volume and diversity of malware is rising exponentially, new techniques need to be employed for faster and accurate identification of the malwares. Manual heuristic inspection of malware analysis are neither effective in detecting new malware, nor efficient as they fail to keep up with the high spreading rate of malware. Machine learning approaches have therefore gained momentum. They have been used to automate static and dynamic analysis investigation where malware having similar behavior are clustered together, and based on the proximity unknown malwares get classified to their respective families. Although many such research efforts have been conducted where data-mining and machine-learning techniques have been applied, in this paper we show how the accuracy can further be improved using deep learning networks. As deep learning offers superior classification by constructing neural networks with a higher number of potentially diverse layers it leads to improvement in automatic detection and classification of the malware variants.In this research, we present a framework which extracts various feature-sets such as system calls, operational codes, sections, and byte codes from the malware files. In the experimental and result section, we compare the accuracy obtained from each of these features and demonstrate that feature vector for system calls yields the highest accuracy. The paper concludes by showing how deep learning approach performs better than the traditional shallow machine learning approaches.

Ying Cao,Qiguang Miao,Jiachen Liu,Lin Gao

DOI: https://doi.org/10.1007/s11416-013-0186-3

2013-01-01

Journal of Computer Virology and Hacking Techniques

Abstract:Dynamic behavior-based malware analysis and detection is considered to be one of the most promising ways to combat with the obfuscated and unknown malwares. To perform such analysis, behavioral feature abstraction plays a fundamental role, because how to specify program formally to a large extend determines what kind of algorithm can be used. In existing research, graph-based methods keep a dominant position in specifying malware behaviors. However, they restrict the detection algorithm to be chosen from graph mining algorithm. In this paper, we build a complete virtual environment to capturemalware behaviors, especially that to stimulate network behaviors of a malware. Then, we study the problem of abstracting constant behavioral features from API call sequences and propose a minimal security-relevant behavior abstraction way, which absorbs the advantages of prevalent graph-based methods in behavior representation and has the following advantages: first API calls are aggregated by data dependence, therefore it is resistent to redundant data and is a kind of more constant feature. Second, API call arguments are also abstracted particularly, this further contributes to common and constant behavioral features of malware variants. Third, it is a moderate degree aggregation of a small group of API calls with a constructing criterion that centering on an independent operation on a sensitive resource. Fourth, it is very easy to embed the extracted behaviors in a high dimensional vector space, so that it can be processed by almost all of the prevalent statistical learning algorithms. We then evaluate these minimal security-relevant behaviors in three kinds of test, including similarity comparison, clustering and classification. The experimental results show that our method has a capacity in distinguishing malwares from different families and also from benign programs, and it is useful for many statistical learning algorithms.

Nicola Loi,Claudio Borile,Daniele Ucci

DOI: https://doi.org/10.48550/arXiv.2106.05625

2021-06-10

Cryptography and Security

Abstract:The constant growth in the number of malware - software or code fragment potentially harmful for computers and information networks - and the use of sophisticated evasion and obfuscation techniques have seriously hindered classic signature-based approaches. On the other hand, malware detection systems based on machine learning techniques started offering a promising alternative to standard approaches, drastically reducing analysis time and turning out to be more robust against evasion and obfuscation techniques. In this paper, we propose a malware taxonomic classification pipeline able to classify Windows Portable Executable files (PEs). Given an input PE sample, it is first classified as either malicious or benign. If malicious, the pipeline further analyzes it in order to establish its threat type, family, and behavior(s). We tested the proposed pipeline on the open source dataset EMBER, containing approximately 1 million PE samples, analyzed through static analysis. Obtained malware detection results are comparable to other academic works in the current state of art and, in addition, we provide an in-depth classification of malicious samples. Models used in the pipeline provides interpretable results which can help security analysts in better understanding decisions taken by the automated pipeline.

Chan Woo Kim

DOI: https://doi.org/10.48550/arXiv.1802.05412

2018-05-20

Abstract:As computing systems become increasingly advanced and as users increasingly engage themselves in technology, security has never been a greater concern. In malware detection, static analysis, the method of analyzing potentially malicious files, has been the prominent approach. This approach, however, quickly falls short as malicious programs become more advanced and adopt the capabilities of obfuscating its binaries to execute the same malicious functions, making static analysis extremely difficult for newer variants. The approach assessed in this paper is a novel dynamic malware analysis method, which may generalize better than static analysis to newer variants. Inspired by recent successes in Natural Language Processing (NLP), widely used document classification techniques were assessed in detecting malware by doing such analysis on system calls, which contain useful information about the operation of a program as requests that the program makes of the kernel. Features considered are extracted from system call traces of benign and malicious programs, and the task to classify these traces is treated as a binary document classification task of system call traces. The system call traces were processed to remove the parameters to only leave the system call function names. The features were grouped into various n-grams and weighted with Term Frequency-Inverse Document Frequency. This paper shows that Linear Support Vector Machines (SVM) optimized by Stochastic Gradient Descent and the traditional Coordinate Descent on the Wolfe Dual form of the SVM are effective in this approach, achieving a highest of 96% accuracy with 95% recall score. Additional contributions include the identification of significant system call sequences that could be avenues for further research.

Cryptography and Security,Computation and Language

Hongying Tang,Bo Zhu,Kui Ren

DOI: https://doi.org/10.1007/978-3-642-02617-1_24

2010-01-01

Abstract:Malware has become one of the most serious threats to computer users. Early techniques based on syntactic signatures can be easily bypassed using program obfuscation. A promising direction is to combine Control Flow Graph (CFG) with instruction-level information. However, since previous work includes only coarse information, i.e., the classes of instructions of basic blocks, it results in false positives during the detection. To address this issue, we propose a new approach that generates formalized expressions upon assignment statements within basic blocks. Through combining CFG with the functionalities of basic blocks, which are represented in terms of upper variables with their corresponding formalized expressions and system calls (if any), our approach can achieve more accurate malware detection compared to previous CFG-based solutions.

Mathew Ashik,A. Jyothish,S. Anandaram,P. Vinod,Francesco Mercaldo,Fabio Martinelli,Antonella Santone

DOI: https://doi.org/10.3390/electronics10141694

IF: 2.9

2021-07-15

Electronics

Abstract:Malware is one of the most significant threats in today’s computing world since the number of websites distributing malware is increasing at a rapid rate. Malware analysis and prevention methods are increasingly becoming necessary for computer systems connected to the Internet. This software exploits the system’s vulnerabilities to steal valuable information without the user’s knowledge, and stealthily send it to remote servers controlled by attackers. Traditionally, anti-malware products use signatures for detecting known malware. However, the signature-based method does not scale in detecting obfuscated and packed malware. Considering that the cause of a problem is often best understood by studying the structural aspects of a program like the mnemonics, instruction opcode, API Call, etc. In this paper, we investigate the relevance of the features of unpacked malicious and benign executables like mnemonics, instruction opcodes, and API to identify a feature that classifies the executable. Prominent features are extracted using Minimum Redundancy and Maximum Relevance (mRMR) and Analysis of Variance (ANOVA). Experiments were conducted on four datasets using machine learning and deep learning approaches such as Support Vector Machine (SVM), Naïve Bayes, J48, Random Forest (RF), and XGBoost. In addition, we also evaluate the performance of the collection of deep neural networks like Deep Dense network, One-Dimensional Convolutional Neural Network (1D-CNN), and CNN-LSTM in classifying unknown samples, and we observed promising results using APIs and system calls. On combining APIs/system calls with static features, a marginal performance improvement was attained comparing models trained only on dynamic features. Moreover, to improve accuracy, we implemented our solution using distinct deep learning methods and demonstrated a fine-tuned deep neural network that resulted in an F1-score of 99.1% and 98.48% on Dataset-2 and Dataset-3, respectively.

engineering, electrical & electronic,computer science, information systems,physics, applied

Xia Xiao-Ling,Ding Yu-Xin,Jiang Jing-Zhi,Zeng Rong

DOI: https://doi.org/10.1109/ICMLC.2017.8107737

2017-01-01

Abstract:Malware in form of Internet worms, computer viruses, and Trojan horses poses a major threat to the security of networked systems. So how to describe the behavior knowledge of malware is an interesting and meaningful work. In recent years, different ontology technologies have been proposed to represent domain knowledge. In the study, we apply ontology techniques into the field of malware detection, and propose the malware detection method based on ontology. This method is based on the behavior of malicious code, and makes a knowledge representation of the malware behaviors from a variety of perspectives. We use the common behaviors of individuals to represent the behaviors of a malware family, and use the ontology reasoning mechanism to detect unknown malware samples. Experiments show that the method has high malicious code detection rate and low false alarm rate.

Yiheng Duan,Xiao Fu,Bin Luo,Ziqi Wang,Jin Shi,Xiaojiang (James) Du

DOI: https://doi.org/10.1109/icc.2015.7249229

2015-01-01

Abstract:Current memory forensic methods mainly focus on evidence collection and data recovery. A little work is about how to automatically identify malwares from many unknown processes and analyze their behaviors in high semantic level so as to collect related evidences. In fact, in real cases, investigators are often faced with large number of processes that they have no knowledge of. Although current malware detection tools could provide some help, they usually can't illustrate the purposes, abilities and behavior details of malwares and are thus often not fit for the forensic requirements. In this paper, we present a framework named Detective to cope with these issues. Given a set of unknown processes, Detective can classify benign and malware processes automatically. This is implemented by HNB classifying algorithm and a Dynamic-Link Libraries-based model. Detective could then explain malware behaviors in high semantic level through clustering and frequent item sets mining techniques. Besides, Detective sheds light on evidence collection by the information obtained from previous steps. Detective is applicable for both online and offline forensic scenarios. Experiments on real-world malware set have proved that the accuracy of Detective is above 90% and the time cost is only several seconds.

Wu Liu,Ping Ren,Ke Liu,Hai-xin Duan

DOI: https://doi.org/10.1109/IWCDM.2011.17

2011-01-01

Abstract:Malware, such as Trojan Horse, Worms and Spy ware severely threatens Internet. We observed that although malware and its variants may vary a lot from content signatures, they share some behavior features at a higher level which are more precise in revealing the real intent of malware. This paper investigates the technique of malware behavior extraction, presents the formal Malware Behavior Feature (MBF) extraction method, and proposes the malicious behavior feature based malware detection algorithm. Finally we designed and implemented the MBF based malware detection system, and the experimental results show that it can detect newly appeared unknown malwares.

Jeet Patil

DOI: https://doi.org/10.22214/ijraset.2023.57836

2024-01-31

International Journal for Research in Applied Science and Engineering Technology

Abstract:Abstract: Among the more well-known types of automatic detection technology, malware detection includes detection and protection methods against viruses caused by viruses, worms, Trojan horses, spyware, and various types of malicious code. Failure to find a malware program at its inception leaves a space where it will send a significant threat and value to online security not only for individuals, organizations but also the community and the nation. And it seems that antivirus software may fail to detect viruses if it is not updated on a website with an anti-virus engine. The great struggle is to find a new virus because when it encounters new malware behavior, it takes a series of steps based on established law. If the rule of law determines thatthe new behavior is safe the virus remains undetected.

English Else

Pascal Maniriho,Abdun Naser Mahmood,Mohammad Jabed Morshed Chowdhury

2024-07-18

Abstract:In this work, we propose EarlyMalDetect, a novel approach for early Windows malware detection based on sequences of API calls. Our approach leverages generative transformer models and attention-guided deep recurrent neural networks to accurately identify and detect patterns of malicious behaviors in the early stage of malware execution. By analyzing the sequences of API calls invoked during execution, the proposed approach can classify executable files (programs) as malware or benign by predicting their behaviors based on a few shots (initial API calls) invoked during execution. EarlyMalDetect can predict and reveal what a malware program is going to perform on the target system before it occurs, which can help to stop it before executing its malicious payload and infecting the system. Specifically, EarlyMalDetect relies on a fine-tuned transformer model based on API calls which has the potential to predict the next API call functions to be used by a malware or benign executable program. Our extensive experimental evaluations show that the proposed approach is highly effective in predicting malware behaviors and can be used as a preventive measure against zero-day threats in Windows systems.

Cryptography and Security

Ömer Aslan

DOI: https://doi.org/10.3390/electronics12081861

IF: 2.9

2023-04-15

Electronics

Abstract:The increased usage of the Internet raises cyber security attacks in digital environments. One of the largest threats that initiate cyber attacks is malicious software known as malware. Automatic creation of malware as well as obfuscation and packing techniques make the malicious detection processes a very challenging task. The obfuscation techniques allow malware variants to bypass most of the leading literature malware detection methods. In this paper, a more effective malware detection system is proposed. The goal of the study is to detect traditional as well as new and complex malware variants. The proposed approach consists of three modules. Initially, the malware samples are collected and analyzed by using dynamic malware analysis tools, and execution traces are collected. Then, the collected system calls are used to create malware behaviors as well as features. Finally, a proposed deep learning methodology is used to effectively separate malware from benign samples. The deep learning methodology consists of one input layer, three hidden layers, and an output layer. In hidden layers, 500, 64, and 32 fully connected neurons are used in the first, second, and third hidden layers, respectively. To keep the model simple as well as obtain optimal solutions, we have selected three hidden layers in which neurons are decreasing in the following subsequent layers. To increase the model performance and use more important features, various activation functions are used. The test results show that the proposed system can effectively detect the malware with more than 99% DR, f-measure, and 99.80 accuracy, which is substantially high when compared with other methods. The proposed system can recognize new malware variants that could not be detected with signature, heuristic, and some behavior-based detection techniques. Further, the proposed system has performed better than the well-known methods that are mentioned in the literature based on the DR, precision, recall, f-measure, and accuracy metrics.

engineering, electrical & electronic,computer science, information systems,physics, applied

Et al. Rajesh Yadav

DOI: https://doi.org/10.17762/ijritcc.v11i11s.9817

2023-11-30

International Journal on Recent and Innovation Trends in Computing and Communication

Abstract:The huge amounts of data and information that need to be analyzed for possible malicious intent are one ofthe big and significant challenges that the Web faces today. Malicious software, also referred to as malware developed by attackers, is polymorphic and metamorphic in nature which can modify the code as it spreads.In addition, the diversity and volume of their variants severely undermine the effectiveness of traditional defenses that typically use signature-based techniques and are unable to detect malicious executables previously unknown. Malware family variants share typical patterns of behavior that indicate their origin and purpose. The behavioral trends observed either statically or dynamically can be manipulated by usingmachine learning techniques to identify and classify unknown malware into their established families. Thissurvey paper gives an overview of the malware detection and analysis techniques and tools.

Amir Djenna,Ahmed Bouridane,Saddaf Rubab,Ibrahim Moussa Marou

DOI: https://doi.org/10.3390/sym15030677

2023-03-09

Symmetry

Abstract:Malware, a lethal weapon of cyber attackers, is becoming increasingly sophisticated, with rapid deployment and self-propagation. In addition, modern malware is one of the most devastating forms of cybercrime, as it can avoid detection, make digital forensics investigation in near real-time impossible, and the impact of advanced evasion strategies can be severe and far-reaching. This makes it necessary to detect it in a timely and autonomous manner for effective analysis. This work proposes a new systematic approach to identifying modern malware using dynamic deep learning-based methods combined with heuristic approaches to classify and detect five modern malware families: adware, Radware, rootkit, SMS malware, and ransomware. Our symmetry investigation in artificial intelligence and cybersecurity analytics will enhance malware detection, analysis, and mitigation abilities to provide resilient cyber systems against cyber threats. We validated our approach using a dataset that specifically contains recent malicious software to demonstrate that the model achieves its goals and responds to real-world requirements in terms of effectiveness and efficiency. The experimental results indicate that the combination of behavior-based deep learning and heuristic-based approaches for malware detection and classification outperforms the use of static deep learning methods.

multidisciplinary sciences

Renjie Lu

DOI: https://doi.org/10.48550/arXiv.1906.04593

2019-06-10

Abstract:Nowadays, with the booming development of Internet and software industry, more and more malware variants are designed to perform various malicious activities. Traditional signature-based detection methods can not detect variants of malware. In addition, most behavior-based methods require a secure and isolated environment to perform malware detection, which is vulnerable to be contaminated. In this paper, similar to natural language processing, we propose a novel and efficient approach to perform static malware analysis, which can automatically learn the opcode sequence patterns of malware. We propose modeling malware as a language and assess the feasibility of this approach. First, We use the disassembly tool IDA Pro to obtain opcode sequence of malware. Then the word embedding technique is used to learn the feature vector representation of opcode. Finally, we propose a two-stage LSTM model for malware detection, which use two LSTM layers and one mean-pooling layer to obtain the feature representations of opcode sequences of malwares. We perform experiments on the dataset that includes 969 malware and 123 benign files. In terms of malware detection and malware classification, the evaluation results show our proposed method can achieve average AUC of 0.99 and average AUC of 0.987 in best case, respectively.

Cryptography and Security,Software Engineering

Hugo Daniel Macedo,Tayssir Touili

DOI: https://doi.org/10.48550/arXiv.1312.4814

2013-12-17

Abstract:The number of malicious software (malware) is growing out of control. Syntactic signature based detection cannot cope with such growth and manual construction of malware signature databases needs to be replaced by computer learning based approaches. Currently, a single modern signature capturing the semantics of a malicious behavior can be used to replace an arbitrarily large number of old-fashioned syntactical signatures. However teaching computers to learn such behaviors is a challenge. Existing work relies on dynamic analysis to extract malicious behaviors, but such technique does not guarantee the coverage of all behaviors. To sidestep this limitation we show how to learn malware signatures using static reachability analysis. The idea is to model binary programs using pushdown systems (that can be used to model the stack operations occurring during the binary code execution), use reachability analysis to extract behaviors in the form of trees, and use subtrees that are common among the trees extracted from a training set of malware files as signatures. To detect malware we propose to use a tree automaton to compactly store malicious behavior trees and check if any of the subtrees extracted from the file under analysis is malicious. Experimental data shows that our approach can be used to learn signatures from a training set of malware files and use them to detect a test set of malware that is 5 times the size of the training set.

Cryptography and Security,Artificial Intelligence,Logic in Computer Science

Joseph Sexton,Curtis Storlie,Blake Anderson

DOI: https://doi.org/10.1007/s11416-015-0258-7

2015-12-21

Journal of Computer Virology and Hacking Techniques

Abstract:Statistical detection of mass malware has been shown to be highly successful. However, this type of malware is less interesting to cyber security officers of larger organizations, who are more concerned with detecting malware indicative of a targeted attack. Here we investigate the potential of statistically based approaches to detect such malware using a malware family associated with a large number of targeted network intrusions. Our approach is complementary to the bulk of statistical based malware classifiers, which are typically based on measures of overall similarity between executable files. One problem with this approach is that a malicious executable that shares some, but limited, functionality with known malware is likely to be misclassified as benign. Here a new approach to malware classification is introduced that classifies programs based on their similarity with known malware subroutines. It is illustrated that malware and benign programs can share a substantial amount of code, implying that classification should be based on malicious subroutines that occur infrequently, or not at all in benign programs. Various approaches to accomplishing this task are investigated, and a particularly simple approach appears the most effective. This approach simply computes the fraction of subroutines of a program that are similar to malware subroutines whose likes have not been found in a larger benign set. If this fraction exceeds around 1.5 %, the corresponding program can be classified as malicious at a 1 in 1000 false alarm rate. It is further shown that combining a local and overall similarity based approach can lead to considerably better prediction due to the relatively low correlation of their predictions.

Dima Rabadi,Sin G. Teo

DOI: https://doi.org/10.1145/3427228.3427242

2020-12-07

Abstract:Application Programming Interfaces (APIs) are still considered the standard accessible data source and core wok of the most widely adopted malware detection and classification techniques. API-based malware detectors highly rely on measuring API’s statistical features, such as calculating the frequency counter of calling specific API calls or finding their malicious sequence pattern (i.e., signature-based detectors). Using simple hooking tools, malware authors would help in failing such detectors by interrupting the sequence and shuffling the API calls or deleting/inserting irrelevant calls (i.e., changing the frequency counter). Moreover, relying on API calls (e.g., function names) alone without taking into account their function parameters is insufficient to understand the purpose of the program. For example, the same API call (e.g., writing on a file) would act in two ways if two different arguments are passed (e.g., writing on a system versus user file). However, because of the heterogeneous nature of API arguments, most of the available API-based malicious behavior detectors would consider only the API calls without taking into account their argument information (e.g., function parameters). Alternatively, other detectors try considering the API arguments in their techniques, but they acquire having proficient knowledge about the API arguments or powerful processors to extract them. Such requirements demand a prohibitive cost and complex operations to deal with the arguments. To overcome the above limitations, with the help of machine learning and without any expert knowledge of the arguments, we propose a light-weight API-based dynamic feature extraction technique, and we use it to implement a malware detection and type classification approach. To evaluate our approach, we use reasonable datasets of 7774 benign and 7105 malicious samples belonging to ten distinct malware types. Experimental results show that our type classification module could achieve an accuracy of , where our malware detection module could reach an accuracy of over , and outperforms many state-of-the-art API-based malware detectors.