Octavian Grigorescu,Andreea Nica,Mihai Dascalu,Razvan Rughinis

DOI: https://doi.org/10.3390/a15090314

2022-09-01

Algorithms

Abstract:Since cyber-attacks are ever-increasing in number, intensity, and variety, a strong need for a global, standardized cyber-security knowledge database has emerged as a means to prevent and fight cybercrime. Attempts already exist in this regard. The Common Vulnerabilities and Exposures (CVE) list documents numerous reported software and hardware vulnerabilities, thus building a community-based dictionary of existing threats. The MITRE ATT&CK Framework describes adversary behavior and offers mitigation strategies for each reported attack pattern. While extremely powerful on their own, the tremendous extra benefit gained when linking these tools cannot be overlooked. This paper introduces a dataset of 1813 CVEs annotated with all corresponding MITRE ATT&CK techniques and proposes models to automatically link a CVE to one or more techniques based on the text description from the CVE metadata. We establish a strong baseline that considers classical machine learning models and state-of-the-art pre-trained BERT-based language models while counteracting the highly imbalanced training set with data augmentation strategies based on the TextAttack framework. We obtain promising results, as the best model achieved an F1-score of 47.84%. In addition, we perform a qualitative analysis that uses Lime explanations to point out limitations and potential inconsistencies in CVE descriptions. Our model plays a critical role in finding kill chain scenarios inside complex infrastructures and enables the prioritization of CVE patching by the threat level. We publicly release our code together with the dataset of annotated CVEs.

English Else

Lingzi Li,Cheng Huang,Junren Chen

DOI: https://doi.org/10.1016/j.cose.2024.103815

IF: 5.105

2024-03-27

Computers & Security

Abstract:As cyber attacks are growing, Cyber Threat Intelligence (CTI) enhances the ability of security systems to resist novel cyber threats. However, since most CTI is unstructured data written in natural language, it needs to be understood and summarized by security experts to be effectively utilized. To address the problem, we adopt the ATT&CK matrix as the taxonomy to propose a method for automated mapping of unstructured threat intelligence to tactics and techniques. The proposed method contains a pre-processor for text denoising, a label extractor for classifying which tactics and techniques category the text belongs to, and a post-processor for correcting the classification results. The label extractor consists of two multi-label classifiers based on DistilBERT for tactics and techniques classification respectively. The post-processor corrects the classification results based on the relations between tactics, techniques, and sub-techniques in the matrix, eliminating errors caused by the independence between categories. In the evaluation, we collect the text data from the ATT&CK knowledge base and real cyber threat reports to build an experiment dataset, which contains 26,602 sentence samples. We apply the proposed method to the dataset to verify its effectiveness. The results show that the proposed method can accurately retrieve tactics and techniques with F0.5 score of 85.50% and 75.17% respectively, which outperforms the baseline method by about 10%.

computer science, information systems

Zhaoxuan Li,Ziming Zhao,Rui Zhang,Haoyang Lu,Wenhao Li,Fan Zhang,Siqi Lu,Rui Xue

DOI: https://doi.org/10.1016/j.comnet.2024.110563

IF: 5.493

2024-01-01

Computer Networks

Abstract:The continuous emergence of malware has threatened to the Android platform and user privacy. With the evolution of the Android system and malware, it is challenging to design a method that can accurately identify the categories of sophisticated malware, including known and unknown families, as well as their obfuscated variants, given that they may be newly emerging and lack available detection knowledge. Although some methods try to use anomaly detection and zero-shot technology to identify unseen applications, they are limited to binary classification or lack the robustness, stability, universality, and interpretability in multi-class identification. To this end, we first propose a generic meta-features mining algorithm, which can discover the potential relationships between samples belonging to the same category. Then we present metaNet, a novel method leveraging meta-features to identify sophisticated Android malware. Specifically, metaNet is mainly powered by four components: (i) mExtractor is a feature collector to obtain the static and dynamic features. (ii) mProcessor is taking unique meta-features of each category from extracted features. (iii) mLearner is a machine learning suite that leverages features and meta-features to design and train a classifier called HSU-Net. (iv) mEnforcer is a flexible deployer that identifies categories of malware families in the real world. We implement a prototype of metaNet with 15K lines of Python code and compare it with state-of-the-art (SOTA) methods. The results show that it can not only achieve superior performance in terms of known families (99.52% of accuracy) and unknown families (99.31% of accuracy trained with 80% known families) for binary classification, but also perform well in multi-class identification, i.e., 99.05% and 93.45% of accuracy for known and unknown families, respectively. Furthermore, we deploy and evaluate metaNet in the real world. It can identify applications over an acceptable time and memory overheads, i.e., average of 11.8s and 56MB per sample with a size of 8MB. Also, the few-shot detection and feature perturbation experiments reflect its robustness and stability benefiting from meta-features. Finally, we collect the traffic of 112 decentralized applications (DApps) belonging to 16 categories, such as finance and health, and evaluated metaNet in DApp identification. The results illustrate its applicability across various tasks. That is, it can accurately classify 94.6% and 81.36% of DApp flows in all-known and 80%-known DApp scenarios, respectively, outperforming the SOTA methods.

Yi-Ting Huang,Chi Yu Lin,Ying-Ren Guo,Kai-Chieh Lo,Yeali S. Sun,Meng Chang Chen,Ying-REN Guo

DOI: https://doi.org/10.1109/tdsc.2021.3119008

2021-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Cyber threats are one of the most pressing issues in the digital age. There has been a consensus on deploying a proactive defense to effectively detect and respond to adversary threats. The key to success is understanding the characteristics of malware, including their activities and manipulated resources on the target machines. The MITRE ATT&CK framework (ATT&CK), a popular source of open source intelligence (OSINT), provides rich information and knowledge about adversary lifecycles and attack behaviors. The main challenges of this study involve knowledge collection from ATT&CK, malicious behavior identification using deep learning, and the identification of associated API calls. A MITRE ATT&CK based Malicious Behavior Analysis system (MAMBA) for Windows malware is proposed, which incorporates ATT&CK knowledge and considers attentions on manipulated resources and malicious activities in the neural network model. To synchronize ATT&CK updates in a timely manner, knowledge collection can be an automatic and incremental process. Given these features, MAMBA achieves the best performance of malicious behavior discovery among all the compared learning-based methods and rule-based approaches on all datasets; it also yields a highly interpretable mapping from the discovered malicious behaviors to relevant ATT&CK techniques, as well as to the related API calls.

computer science, information systems, software engineering, hardware & architecture

Rajvardhan Patil,Wei Deng

DOI: https://doi.org/10.1109/southeastcon44009.2020.9368268

2020-01-01

Abstract:In this era, where the volume and diversity of malware is rising exponentially, new techniques need to be employed for faster and accurate identification of the malwares. Manual heuristic inspection of malware analysis are neither effective in detecting new malware, nor efficient as they fail to keep up with the high spreading rate of malware. Machine learning approaches have therefore gained momentum. They have been used to automate static and dynamic analysis investigation where malware having similar behavior are clustered together, and based on the proximity unknown malwares get classified to their respective families. Although many such research efforts have been conducted where data-mining and machine-learning techniques have been applied, in this paper we show how the accuracy can further be improved using deep learning networks. As deep learning offers superior classification by constructing neural networks with a higher number of potentially diverse layers it leads to improvement in automatic detection and classification of the malware variants.In this research, we present a framework which extracts various feature-sets such as system calls, operational codes, sections, and byte codes from the malware files. In the experimental and result section, we compare the accuracy obtained from each of these features and demonstrate that feature vector for system calls yields the highest accuracy. The paper concludes by showing how deep learning approach performs better than the traditional shallow machine learning approaches.

Wanyu Li,Hailiang Tang,Hailin Zhu,Wenxiao Zhang,Chen Liu

DOI: https://doi.org/10.1016/j.cose.2024.103752

IF: 5.105

2024-02-14

Computers & Security

Abstract:The cyber ecosystem is facing severe threats from malware attacks, making it imperative to detect malware to safeguard a purified Internet environment. However, current studies primarily concentrate on examining the time-based correlation between APIs for malware detection while neglecting the contextual associations derived from API categories, resulting in inadequate detection performance. In this paper, we present TS-Mal, a novel Mal ware detection model incorporated T emporal and S tructural features learning. Particularly, TS-Mal first designs a temporal vector learning method to automatically capture the evolving representation from the non-repetitive API sequences, which can efficiently pursue the attack preferences of malware. Then TS-Mal introduces heterogeneous graphs to model the interactive relationships between APIs and presents a dense-interactive structural embedding approach to generate the fine-grained API structural representation, which is capable of utilizing API category interaction information to boost detection effectiveness. Finally, TS-Mal simultaneously integrates temporal and structural attack features to accurately identify the unknown malware, effectively defending against new malware attacks. Experimental results on real-world datasets demonstrate that our proposed TS-Mal model outperforms existing state-of-the-art methods.

computer science, information systems

Yi-Wei Ma,Jiann-Liang Chen,Wen-Han Kuo,Yu-Chen Chen

DOI: https://doi.org/10.1016/j.jisa.2021.103092

IF: 4.96

2022-03-01

Journal of Information Security and Applications

Abstract:Distinguishing among types of malware is important to understanding how they infect computing systems, the level of threat that they pose, and means of protecting against them. This study develops an intelligent framework, AI@nti-Malware, that combines artificial intelligence learning, data imbalance, and feature evaluation mechanisms to establish a malware classification model that is effective for defending against malware attacks. The SMOTEENN algorithm is used to generate training data for a minority of categories to solve the problem of model offset and to improve the effectiveness of the model. The results of an analysis using the CTU-13 open dataset show that the intelligent framework with the machine learning algorithm XGBoost can reach an accuracy of 99.98%, while that with the deep learning backpropagation algorithm has an accuracy of 98.88%.

computer science, information systems

Rawan Al-Shaer,Jonathan M. Spring,Eliana Christou

DOI: https://doi.org/10.1109/cns48642.2020.9162207

2020-06-01

Abstract:The MITRE ATT&CK Framework provides a rich and actionable repository of adversarial tactics, techniques, and procedures (TTP). However, this information would be highly useful for attack diagnosis (i.e., forensics) and mitigation (i.e., intrusion response) if we can reliably construct technique associations that will enable predicting unobserved attack techniques based on observed ones. In this paper, we present our statistical machine learning analysis on APT and Software attack data reported by MITRE ATT&CK to infer the technique clustering that represents the significant correlation that can be used for technique prediction. Due to the complex multidimensional relationships between techniques, many of the traditional clustering methods could not obtain usable associations. Our approach, using hierarchical clustering for inferring attack technique associations with 95% confidence, provides statistically significant and explainable technique correlations. Our analysis discovers 98 different technique associations (i.e., clusters) for both APT and Software attacks. Our evaluation results show that 78% of the techniques associated by our algorithm exhibit significant mutual information that indicates reasonably high predictability.

Liping Qian,Lin Cong

DOI: https://doi.org/10.3390/s24020580

IF: 3.9

2024-01-18

Sensors

Abstract:Malicious software (malware), in various forms and variants, continues to pose significant threats to user information security. Researchers have identified the effectiveness of utilizing API call sequences to identify malware. However, the evasion techniques employed by malware, such as obfuscation and complex API call sequences, challenge existing detection methods. This research addresses this issue by introducing CAFTrans, a novel transformer-based model for malware detection. We enhance the traditional transformer encoder with a one-dimensional channel attention module (1D-CAM) to improve the correlation between API call vector features, thereby enhancing feature embedding. A word frequency reinforcement module is also implemented to refine API features by preserving low-frequency API features. To capture subtle relationships between APIs and achieve more accurate identification of features for different types of malware, we leverage convolutional neural networks (CNNs) and long short-term memory (LSTM) networks. Experimental results demonstrate the effectiveness of CAFTrans, achieving state-of-the-art performance on the mal-api-2019 dataset with an F1 score of 0.65252 and an AUC of 0.8913. The findings suggest that CAFTrans improves accuracy in distinguishing between various types of malware and exhibits enhanced recognition capabilities for unknown samples and adversarial attacks.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Wang, Runzheng

DOI: https://doi.org/10.1007/s10207-023-00699-7

2023-05-15

International Journal of Information Security

Abstract:At present, the trend of familiarization of malicious code is becoming more and more obvious, and the research on the homology of malware (the classification of malicious code family) is of great significance for maintaining network security. In order to better express the overall characteristics of malicious code and improve the effect of detection and homology analysis, this paper proposes a method for detection and homology analysis of malware based on heterogeneous graphs of assembly instructions (AIHGAT). We take the assembly instructions of malicious families as the research object and analyze the importance and correlation of assembly instructions of different malicious families. The malware detection and homology analysis are carried out in three aspects: feature extraction, feature preprocessing, and model construction. In the feature extraction of malicious code, in order to alleviate the problem that it is difficult to extract static features of malicious samples that contain countermeasures such as packing and obfuscation, we obtain binary files from dynamic memory through sandbox and then, analyze its assembly instruction set. In feature preprocessing, we divide the assembly instructions into N-tuples and construct a heterogeneous graph based on assembly instructions according to the internal correlation of the gene sequence composed of the assembly N-grams features. Finally, in terms of model construction, we analyze the homology determination effect of the traditional graph neural network and construct the Graph Attention Network based on residual connection named ResGAT to analyze the homology of malicious code. The experimental results show that the ResGAT can gather the core characteristics of malicious families and enhance the ability to recognize malicious family variants. Our model has an accuracy rate of 98.83%, which is better than traditional machine learning detection methods, and can effectively determine the homology of malicious code families.

computer science, information systems, theory & methods, software engineering

Hong Huang,Rui Du,Zhaolian Wang,Xin Li,Guotao Yuan

DOI: https://doi.org/10.3390/s23167084

IF: 3.9

2023-08-11

Sensors

Abstract:To address the challenges of weak model generalization and limited model capacity adaptation in traditional malware detection methods, this article presents a novel malware detection approach based on stacked depthwise separable convolutions and self-attention, termed CoAtNet. This method combines the strengths of the self-attention module's robust model adaptation and the convolutional networks' powerful generalization abilities. The initial step involves transforming the malicious code into grayscale images. These images are subsequently processed using a detection model that employs stacked depthwise separable convolutions and an attention mechanism. This model effectively recognizes and classifies the images, automatically extracting essential features from malicious software images. The effectiveness of the method was validated through comparative experiments using both the Malimg dataset and the augmented Blended+ dataset. The approach's performance was evaluated against popular models, including XceptionNet, EfficientNetB0, ResNet50, VGG16, DenseNet169, and InceptionResNetV2. The experimental results highlight that the model surpasses other malware detection models in terms of accuracy and generalization ability. In conclusion, the proposed method addresses the limitations of traditional malware detection approaches by leveraging stacked depthwise separable convolutions and self-attention. Comprehensive experiments demonstrate its superior performance compared to existing models. This research contributes to advancing the field of malware detection and provides a promising solution for enhanced accuracy and robustness.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Jian Zhang,Shengquan Liu,Zhihua Liu

DOI: https://doi.org/10.1371/journal.pone.0304066

IF: 3.7

2024-06-27

PLoS ONE

Abstract:In recent years, with the development of the Internet, the attribution classification of APT malware remains an important issue in society. Existing methods have yet to consider the DLL link library and hidden file address during the execution process, and there are shortcomings in capturing the local and global correlation of event behaviors. Compared to the structural features of binary code, opcode features reflect the runtime instructions and do not consider the issue of multiple reuse of local operation behaviors within the same APT organization. Obfuscation techniques more easily influence attribution classification based on single features. To address the above issues, (1) an event behavior graph based on API instructions and related operations is constructed to capture the execution traces on the host using the GNNs model. (2) ImageCNTM captures the local spatial correlation and continuous long-term dependency of opcode images. (3) The word frequency and behavior features are concatenated and fused, proposing a multi-feature, multi-input deep learning model. We collected a publicly available dataset of APT malware to evaluate our method. The attribution classification results of the model based on a single feature reached 89.24% and 91.91%. Finally, compared to single-feature classifiers, the multi-feature fusion model achieves better classification performance.

Yanchen Qiao,Xiaochun Yun,Yongzheng Zhang

DOI: https://doi.org/10.1109/TrustCom.2016.0158

2016-01-01

Abstract:APT (Advanced Persistent Threat) attacks are developing rapidly and become severe threats nowadays. In this paper, homologous malware mean that they are developed and programmed by the same author or organization. To identify the homology of malware adopted by different APT attacks is conducive to constructing attack scenario, tracking attackers and even defending against new APT attacks. Currently, homology identification still relies on manual analysis and security experts' experience in the anti-malware industry. It is persuasive, but inefficient and time-consuming. In order to improve the effectiveness and efficiency, an automatic malware homology identification method is proposed in this paper. Six types of API (Application Programming Interface) call behaviors are defined according to programming habits, and extracted from the binary samples by static analysis. Based on the API call behaviors, the homologous degree of different malware is calculated using Jaccard similarity coefficient. Then the homology is identified by comparing the homologous degree with a threshold. Experimental evaluations on real-world samples show that this method achieves high accuracy rate and acceptable recall rate.

Zhenglin Li,Haibei Zhu,Houze Liu,Jintong Song,Qishuo Cheng

DOI: https://doi.org/10.62051/ijcsit.v2n1.01

2024-03-26

Abstract:This study conducts a thorough examination of malware detection using machine learning techniques, focusing on the evaluation of various classification models using the Mal-API-2019 dataset. The aim is to advance cybersecurity capabilities by identifying and mitigating threats more effectively. Both ensemble and non-ensemble machine learning methods, such as Random Forest, XGBoost, K Nearest Neighbor (KNN), and Neural Networks, are explored. Special emphasis is placed on the importance of data pre-processing techniques, particularly TF-IDF representation and Principal Component Analysis, in improving model performance. Results indicate that ensemble methods, particularly Random Forest and XGBoost, exhibit superior accuracy, precision, and recall compared to others, highlighting their effectiveness in malware detection. The paper also discusses limitations and potential future directions, emphasizing the need for continuous adaptation to address the evolving nature of malware. This research contributes to ongoing discussions in cybersecurity and provides practical insights for developing more robust malware detection systems in the digital era.

Cryptography and Security,Artificial Intelligence,Machine Learning

Xiao Chen,Zhengwei Jiang,Shuwei Wang,Rongqi Jing,Chen Ling,Qiuyun Wang

DOI: https://doi.org/10.1007/978-3-031-17551-0_20

2022-01-01

Abstract:The amount of malware has proliferated in recent years because malware developers can easily exploit existing malware to develop new ones. To identify the interrelationships between old and new malware and unify the defense, researchers have continuously tried to automatically classify malware families, and deep neural networks have proven to be a reliable solution to this problem, but as the number of families increases, the robustness of the model is susceptible to data drift and deteriorates, and the validation work of deep neural networks remains insufficient. In this paper, we classify malware families based on semantic learning of disassembled code and graph neural networks, and also provide a judgment basis for family classification so that analysts can quickly verify the classification results. Experiments show that our model can effectively classify families and is robust to data drift.

Ashu Sharma,Sanjay K. Sahay

DOI: https://doi.org/10.48550/arXiv.1606.06897

2016-06-22

Cryptography and Security

Abstract:Combating malware is very important for software/systems security, but to prevent the software/systems from the advanced malware, viz. metamorphic malware is a challenging task, as it changes the structure/code after each infection. Therefore in this paper, we present a novel approach to detect the advanced malware with high accuracy by analyzing the occurrence of opcodes (features) by grouping the executables. These groups are made on the basis of our earlier studies [1] that the difference between the sizes of any two malware generated by popular advanced malware kits viz. PS-MPC, G2 and NGVCK are within 5 KB. On the basis of obtained promising features, we studied the performance of thirteen classifiers using N-fold cross-validation available in machine learning tool WEKA. Among these thirteen classifiers we studied in-depth top five classifiers (Random forest, LMT, NBT, J48 and FT) and obtain more than 96.28% accuracy for the detection of unknown malware, which is better than the maximum detection accuracy (95.9%) reported by Santos et al (2013). In these top five classifiers, our approach obtained a detection accuracy of 97.95% by the Random forest.

Liting Deng,Chengli Yu,Hui Wen,Mingfeng Xin,Yue Sun,Limin Sun,Hongsong Zhu

DOI: https://doi.org/10.1007/s11036-024-02383-z

2024-08-31

Mobile Networks and Applications

Abstract:Malware has now grown into one of the most important threats on the Internet. To meet this challenge, researchers regard malware classification as an effective method in malware analysis, which can classify the malicious samples with similar features into the same family. Although machine learning based malware classification models have great performance, they rely heavily on large-scale labeled datasets. In the real world, many malware families only have a small number of samples, which makes the traditional data-driven models perform poor results. In this paper, we propose an attention-based transductive learning network to solve the problem. In order to extract features, our approach first converts malware binaries into gray-scale images, and encodes them into feature maps using an embedding function. Then, we build a Gaussian similarity graph based on attention mechanism to transfer information from labeled instances to unknown instances. Through the end-to-end training, we demonstrate the effectiveness of the proposed approach on a malware dataset containing 11,236 samples with 30 different malware families. Comparing with state-of-the-art approaches, the experimental results show that our approach achieves a better performance.

computer science, information systems,telecommunications, hardware & architecture

Bolun Wu,Yuanhang Xu,Futai Zou

DOI: https://doi.org/10.1109/trustcom53373.2021.00084

2021-01-01

Abstract:Malware has become one of the biggest threats in the cyber world due to its ever-evolving nature. Machine learning-based methods rely on expertise in selecting handcrafted features which is time-consuming. Recent control flow graphs (CFGs) based method makes the best of graph neural network (GNN) on malware classification. But it ignores the semantic information inside CFGs and also relies on manually-designed features. To overcome these drawbacks, in this work, we introduce a malware classification model called MCBG that applies BERT and Graph Isomorphism Network with JumpingKnowledge (GIN-JK) to capture both semantic and structural features of CFGs. We conduct 5-fold cross-validation on Microsoft Malware Classification Challenge dataset to evaluate our model and it achieves an accuracy of 99.53%. The experimental results demonstrate that building semantic models on basic blocks is essential. Besides, MCBG outperforms the model which only considers CFG's structural information. Also, without using any manually-selected feature, it outperforms those of the state-of-the-art methods based on handcrafted malware features.

Yan-chen QIAO,Xiao-chun YUN,Yong-zheng ZHANG,Shu-hao LI

DOI: https://doi.org/10.3969/j.issn.0372-2112.2016.10.019

2016-01-01

Abstract:Malware homology identification is useful for malware authorship attribution,attack scenario restoration, and so on.Current malware homology identification methods still rely on manual analysis,which is inefficient and time-con-suming.In order to improve the effectiveness and efficiency,an automatic malware homology identification method is pro-posed.Based on 7-class calling behaviors,this method constructs a model of calling habits using data mining algorithms. Then it calculates the degree of homology based on Frequent Pattern Outlier Factor.Finally,it chooses the threshold values using k-means clustering algorithm to identify homology.The experimental evaluations on real-world malwares show our method achieves high accuracy (over 99%)and acceptable recall rate.

Ritik Mehta,Olha Jurečková,Mark Stamp

2023-07-08

Abstract:Many different machine learning and deep learning techniques have been successfully employed for malware detection and classification. Examples of popular learning techniques in the malware domain include Hidden Markov Models (HMM), Random Forests (RF), Convolutional Neural Networks (CNN), Support Vector Machines (SVM), and Recurrent Neural Networks (RNN) such as Long Short-Term Memory (LSTM) networks. In this research, we consider a hybrid architecture, where HMMs are trained on opcode sequences, and the resulting hidden states of these trained HMMs are used as feature vectors in various classifiers. In this context, extracting the HMM hidden state sequences can be viewed as a form of feature engineering that is somewhat analogous to techniques that are commonly employed in Natural Language Processing (NLP). We find that this NLP-based approach outperforms other popular techniques on a challenging malware dataset, with an HMM-Random Forrest model yielding the best results.

Cryptography and Security,Machine Learning