Wei Deng,Qiao Liu,Hongrong Cheng,Zhiguang Qin

2011-01-01

Journal of Computational Information Systems

Abstract:Malware has been posing a major threat for computer systems. The huge amount and diversity of its variants, such as computer viruses, Internet worms and Trojan horses, render classic security defenses ineffective. For the existence of active adversaries which constantly attempt to evade anti-malware, traditional signature-based approaches fail to detect malware which is new or obfuscated. This paper presents a general malware detection framework based on Kolmogorov complexity. As an example, we use a statistical data compression model which is Dynamic Markov Compression (DMC) to classify a code instance either as a "malware" or "benign" code instance. Our preliminary results are very promising. Our experimental results also demonstrate the framework can effectively detect unknown and obfuscated malware with high quality. © 2005 by Binary Information Press.

白莉莉,庞建民,张一弛,岳峰

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.09.048

2010-01-01

Abstract:Aiming at the problem that malware detection method based on signature can be easily subverted by obfuscation techniques,this paper proposes a detection method based on Critical Application Programming Interface Graph(CAG).By statically extracting nodes with critical API calling from Control Flow Graph(CFG) for each malware,each malicious behavior can be presented by one CAG.A matching algorithm based on CAG is used to determine whether a suspicious executable programming has the same malicious behavior as a malware does.Experimental results show that the method can detect malware variants efficiently with low false negative rate.

Chenzhong Yin,Hantang Zhang,Mingxi Cheng,Xiongye Xiao,Xinghe Chen,Xin Ren,Paul Bogdan

2023-12-20

Abstract:Malware represents a significant security concern in today's digital landscape, as it can destroy or disable operating systems, steal sensitive user information, and occupy valuable disk space. However, current malware detection methods, such as static-based and dynamic-based approaches, struggle to identify newly developed (``zero-day") malware and are limited by customized virtual machine (VM) environments. To overcome these limitations, we propose a novel malware detection approach that leverages deep learning, mathematical techniques, and network science. Our approach focuses on static and dynamic analysis and utilizes the Low-Level Virtual Machine (LLVM) to profile applications within a complex network. The generated network topologies are input into the GraphSAGE architecture to efficiently distinguish between benign and malicious software applications, with the operation names denoted as node features. Importantly, the GraphSAGE models analyze the network's topological geometry to make predictions, enabling them to detect state-of-the-art malware and prevent potential damage during execution in a VM. To evaluate our approach, we conduct a study on a dataset comprising source code from 24,376 applications, specifically written in C/C++, sourced directly from widely-recognized malware and various types of benign software. The results show a high detection performance with an Area Under the Receiver Operating Characteristic Curve (AUROC) of 99.85%. Our approach marks a substantial improvement in malware detection, providing a notably more accurate and efficient solution when compared to current state-of-the-art malware detection methods.

Cryptography and Security,Artificial Intelligence,Machine Learning

Shaswata Mitra,Stephen A. Torri,Sudip Mittal

DOI: https://doi.org/10.48550/arXiv.2305.08993

2023-06-21

Abstract:Malware is a significant threat to the security of computer systems and networks which requires sophisticated techniques to analyze the behavior and functionality for detection. Traditional signature-based malware detection methods have become ineffective in detecting new and unknown malware due to their rapid evolution. One of the most promising techniques that can overcome the limitations of signature-based detection is to use control flow graphs (CFGs). CFGs leverage the structural information of a program to represent the possible paths of execution as a graph, where nodes represent instructions and edges represent control flow dependencies. Machine learning (ML) algorithms are being used to extract these features from CFGs and classify them as malicious or benign. In this survey, we aim to review some state-of-the-art methods for malware detection through CFGs using ML, focusing on the different ways of extracting, representing, and classifying. Specifically, we present a comprehensive overview of different types of CFG features that have been used as well as different ML algorithms that have been applied to CFG-based malware detection. We provide an in-depth analysis of the challenges and limitations of these approaches, as well as suggest potential solutions to address some open problems and promising future directions for research in this field.

Cryptography and Security,Machine Learning

Rajvardhan Patil,Wei Deng

DOI: https://doi.org/10.1109/southeastcon44009.2020.9368268

2020-01-01

Abstract:In this era, where the volume and diversity of malware is rising exponentially, new techniques need to be employed for faster and accurate identification of the malwares. Manual heuristic inspection of malware analysis are neither effective in detecting new malware, nor efficient as they fail to keep up with the high spreading rate of malware. Machine learning approaches have therefore gained momentum. They have been used to automate static and dynamic analysis investigation where malware having similar behavior are clustered together, and based on the proximity unknown malwares get classified to their respective families. Although many such research efforts have been conducted where data-mining and machine-learning techniques have been applied, in this paper we show how the accuracy can further be improved using deep learning networks. As deep learning offers superior classification by constructing neural networks with a higher number of potentially diverse layers it leads to improvement in automatic detection and classification of the malware variants.In this research, we present a framework which extracts various feature-sets such as system calls, operational codes, sections, and byte codes from the malware files. In the experimental and result section, we compare the accuracy obtained from each of these features and demonstrate that feature vector for system calls yields the highest accuracy. The paper concludes by showing how deep learning approach performs better than the traditional shallow machine learning approaches.

Lixia Zhang,Tianxu Liu,Kaihui Shen,Cheng Chen

2024-10-12

Abstract:With the rapid advancement of Internet technology, the threat of malware to computer systems and network security has intensified. Malware affects individual privacy and security and poses risks to critical infrastructures of enterprises and nations. The increasing quantity and complexity of malware, along with its concealment and diversity, challenge traditional detection techniques. Static detection methods struggle against variants and packed malware, while dynamic methods face high costs and risks that limit their application. Consequently, there is an urgent need for novel and efficient malware detection techniques to improve accuracy and robustness. This study first employs the minhash algorithm to convert binary files of malware into grayscale images, followed by the extraction of global and local texture features using GIST and LBP algorithms. Additionally, the study utilizes IDA Pro to decompile and extract opcode sequences, applying N-gram and tf-idf algorithms for feature vectorization. The fusion of these features enables the model to comprehensively capture the behavioral characteristics of malware. In terms of model construction, a CNN-BiLSTM fusion model is designed to simultaneously process image features and opcode sequences, enhancing classification performance. Experimental validation on multiple public datasets demonstrates that the proposed method significantly outperforms traditional detection techniques in terms of accuracy, recall, and F1 score, particularly in detecting variants and obfuscated malware with greater stability. The research presented in this paper offers new insights into the development of malware detection technologies, validating the effectiveness of feature and model fusion, and holds promising application prospects.

Cryptography and Security,Artificial Intelligence

Haoran Guo,Jianmin Pang,Yichi Zhang,Feng Yue

DOI: https://doi.org/10.1109/icicisys.2010.5658586

2010-01-01

Abstract:Malware has become one of the most serious threats to computer information system. In this paper, we describe HERO (Hybrid security extension of binary translation), a novel framework that exploits static and dynamic binary translation features to detect broad spectrum malware and prevent its execution. By operating directly on binary code without any assumption on the availability of source code, HERO is appropriate for translating low-level binary code to high-level proper representation, obtaining CFG (Control Flow Graph) and other high-level Control Structure by static binary translation-based analyzer. Then Critical API Graph based on CFG is generated to do sub-graph matching with the defined Malware Behavior Template. If static analysis cannot finish generating CFG because of code obfuscation used in malware, the dynamic binary translation based analyzer in HERO is called to undertake the process to take on the remaining code analysis. Compared with other detection approaches, HERO is found to be very efficient in terms of detection capability and false alarm rate.

JiaJing Li,Tao Wei,Wei Zou,Jian Mao

DOI: https://doi.org/10.1109/isecs.2009.148

2009-01-01

Abstract:Existing techniques based on behavior semantics for information theft malware detection have the main shortcomings of low path coverage and disability of finding hidden malicious behaviors. In this paper we propose a static method for the detection of information theft malware to overcome these shortcomings. It is particularly efficient for inter-procedure taint analysis, and it is suitable for complicated malware detection, such as Trojan and Bot. Its static style makes it able to find hidden malicious behaviors. We also present an implementation of our method that works on x86 executables and a set of experimental studies validate its good efficiency and effectiveness.

Hugo Daniel Macedo,Tayssir Touili

DOI: https://doi.org/10.48550/arXiv.1312.4814

2013-12-17

Abstract:The number of malicious software (malware) is growing out of control. Syntactic signature based detection cannot cope with such growth and manual construction of malware signature databases needs to be replaced by computer learning based approaches. Currently, a single modern signature capturing the semantics of a malicious behavior can be used to replace an arbitrarily large number of old-fashioned syntactical signatures. However teaching computers to learn such behaviors is a challenge. Existing work relies on dynamic analysis to extract malicious behaviors, but such technique does not guarantee the coverage of all behaviors. To sidestep this limitation we show how to learn malware signatures using static reachability analysis. The idea is to model binary programs using pushdown systems (that can be used to model the stack operations occurring during the binary code execution), use reachability analysis to extract behaviors in the form of trees, and use subtrees that are common among the trees extracted from a training set of malware files as signatures. To detect malware we propose to use a tree automaton to compactly store malicious behavior trees and check if any of the subtrees extracted from the file under analysis is malicious. Experimental data shows that our approach can be used to learn signatures from a training set of malware files and use them to detect a test set of malware that is 5 times the size of the training set.

Cryptography and Security,Artificial Intelligence,Logic in Computer Science

Wei Yang,Deguang Kong,Tao Xie,Carl A. Gunter

DOI: https://doi.org/10.1145/3134600.3134642

2017-01-01

Abstract:Existing techniques on adversarial malware generation employ feature mutations based on feature vectors extracted from malware. However, most (if not all) of these techniques suffer from a common limitation: feasibility of these attacks is unknown. The synthesized mutations may break the inherent constraints posed by code structures of the malware, causing either crashes or malfunctioning of malicious payloads. To address the limitation, we present Malware Recomposition Variation (MRV), an approach that conducts semantic analysis of existing malware to systematically construct new malware variants for malware detectors to test and strengthen their detection signatures/models. In particular, we use two variation strategies (i.e., malware evolution attack and malware confusion attack) following structures of existing malware to enhance feasibility of the attacks. Upon the given malware, we conduct semantic-feature mutation analysis and phylogenetic analysis to synthesize mutation strategies. Based on these strategies, we perform program transplantation to automatically mutate malware bytecode to generate new malware variants. We evaluate our MRV approach on actual malware variants, and our empirical evaluation on 1,935 Android benign apps and 1,917 malware shows that MRV produces malware variants that can have high likelihood to evade detection while still retaining their malicious behaviors. We also propose and evaluate three defense mechanisms to counter MRV.

Weizhong Qiang,Lin Yang,Hai Jin

DOI: https://doi.org/10.1016/j.cose.2022.102871

2022-08-10

Abstract:Nowadays, the rapid growth of the number and variety of malware brings great security challenges. Machine learning has become a mainstream tool for effective malware detection, which can mainly be classified into static and dynamic analysis methods. The purpose of malware detection is to have a good and stable detection performance for different software forms. However, many static analysis methods are easily affected by packing and other code obfuscation techniques, and dynamic analysis methods are commonly believed more robust, while the impact of packing on them has received little attention. In addition, adversarial sample attacks against dynamic analysis methods have also been conducted. This indicates the need to investigate more accurate and robust malware classification methods. In this paper, we propose a new robust dynamic analysis method for malware detection by using specific fine-grained behavioral features, i.e., control flow traces. Further, a malware classifier is constructed by converting control flow traces into byte sequences and applying a combination of convolutional neural networks and long short term memory . The proposed classifier can effectively detect malware with an accuracy of up to 95.7%, as well as detect unseen malware with an accuracy of 94.6% (indicating a good performance in handling the evolution of malware). Meanwhile, it is first found experimentally that packing has specific interference with existing behavior-based malware classifiers, resulting in even worse performance than static classifiers in some cases. However, the proposed classifier performs well in terms of robustness, showing stable performance under the interference of an uneven packing distribution in the dataset, with a 26.3% higher true positive rate for unpacked samples compared to the API call-based classifier. In addition, the classifier is also more robust against adversarial samples, with a detection rate of at least 83%.

computer science, information systems

Yang Zhao,Zeng Qingkai

DOI: https://doi.org/10.3969/j.issn.1000-386x.2013.04.001

2013-01-01

Abstract:This paper proposes a method to automatically detect anti-analysis malware.This approach records the traces of system calls and instructions executed by malware across four different analysis platform based on two monitoring and recording technologies.At first,the system call traces are compared.If a deviation exists,further comparison on instruction traces is needed to determine whether the root cause is anti-analysis or not.Experimental results have demonstrated that the approach can detect varies of analysis evasion technology.

Zhou Ruili,Pan Jianfeng,Tan Xiaobin,Xi Hongsheng

DOI: https://doi.org/10.1109/cis.2008.100

2008-01-01

Abstract:Malware detection is a crucial aspect of software security. Traditional signature-based detection method cannot detect zero-day attacks and some malware adopting some circumvention techniques such as polymorphic, metamorphic, obfuscation and packer. So some anomaly-based detection techniques are introduced to overcome this drawback, but these techniques have high false alarm rate and the complexity involved in determining what features should be learned in the training phase. In order to overcome these shortcomings, we propose a malware detection system based on expert systems in this paper. This system integrates signature-based analysis and anomaly-detection technique together. The signature is anomaly behavioral signatures. Accord to expertise about malware’s major suspicious behaviors, we build the knowledge base of the expert system. And we design a behavior gathering component to intercept anomaly behaviors happened in the operating system and get significant traces leaved by malware, then present these behaviors and traces as facts. The expert system uses the knowledge base and behaviors facts to infer and give the results. This system can detect not only known malware, but some zero-day attacks using known techniques and also malware adopting low-level techniques, such as polymorphic and packer.

Pascal Maniriho,Abdun Naser Mahmood,Mohammad Jabed Morshed Chowdhury

2024-07-18

Abstract:In this work, we propose EarlyMalDetect, a novel approach for early Windows malware detection based on sequences of API calls. Our approach leverages generative transformer models and attention-guided deep recurrent neural networks to accurately identify and detect patterns of malicious behaviors in the early stage of malware execution. By analyzing the sequences of API calls invoked during execution, the proposed approach can classify executable files (programs) as malware or benign by predicting their behaviors based on a few shots (initial API calls) invoked during execution. EarlyMalDetect can predict and reveal what a malware program is going to perform on the target system before it occurs, which can help to stop it before executing its malicious payload and infecting the system. Specifically, EarlyMalDetect relies on a fine-tuned transformer model based on API calls which has the potential to predict the next API call functions to be used by a malware or benign executable program. Our extensive experimental evaluations show that the proposed approach is highly effective in predicting malware behaviors and can be used as a preventive measure against zero-day threats in Windows systems.

Cryptography and Security

Yun Gao,Hirokazu Hasegawa,Yukiko Yamaguchi,Hajime Shimada

DOI: https://doi.org/10.1109/access.2022.3215267

IF: 3.9

2022-11-04

IEEE Access

Abstract:With society's increasing reliance on computer systems and network technology, the threat of malicious software grows more and more serious. In the field of information security, malware detection has been a key problem that academia and industry are committed to solving. Machine learning is an effective method for processing large-scale data, such as the Gradient Boosting Decision Tree (GBDT) and deep neural network technology. Although these types of detection methods can deal with cyber threats, most feature extraction methods are based on the statistical information features of portable executable (PE) files and thus lack the decompiled code and execution flow structure of the PE samples. Therefore, we propose a Control-Flow Graph (CFG)- and Graph Isomorphism Network (GIN)-based malware classification system. The feature vectors of CFG basic blocks are generated using the large-scale pre-trained language model MiniLM, which is beneficial for the GIN to further learn and compress the CFG-based representation, and classified with multi-layer perceptron. In addition, we evaluated the effectiveness of the representation under different dimensions and classifiers. To evaluate our method, we set up a CFG-based malware detection graph dataset from a PE file of the Blue Hexagon Open Dataset for Malware Analysis (BODMAS), which we call the Malware Geometric Binary Dataset (MGD-BINARY) and collected the experimental results of CFG representation in different dimensions and classifier settings. The evaluation results show that our proposal has proved an Accuracy metric of 0.99160 and achieved 0.99148 Area Under the Curve (AUC) results.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jieren Cheng,Jiachen Zheng,Xiaomei Yu

DOI: https://doi.org/10.1002/int.22310

IF: 8.993

2020-10-13

International Journal of Intelligent Systems

Abstract:<p>Malicious code is an ever‐growing security threats to computer systems and networks, while malware detection provides effective defense against malicious codes. In this paper, a brief overview is presented on currently prevalent methods to detect malicious codes, including signature‐based methods, behavioral‐based detection and machine learning (ML) based ones. More specifically, the potentially effective malicious features are summarized and the novel methods using ML are deeply discussed. Furthermore, an ensemble interpretable framework is explored for automatic and efficient malicious code detection. Based on the knowledge graph of malware, the novel framework inclines to achieve robust malware detection even confronted with unseen malicious codes. Finally, both advantages and disadvantages are discussed and experimental results are outlined to verify the effectiveness of the novel methods.</p>

computer science, artificial intelligence

Chao DAI,Jian-min PANG,Yi-chi ZHANG,Liang ZHU,Feng YUE,Hong-wei TAO

2017-01-01

Abstract:The malware behavior analysis is composed of analysis in disassembly level and system-call level.Out of the finer grain,the analysis in disassembly level is irreplaceable in characterizing the code behavior.However,the existing analysis technologies in disassembly level is not good at coping with discontinuous instruction sequences.In view of this situation and characteristics of binary code,this paper proposes a method of behavior analysis in disassembly level based on pattern matching with wildcards and gap-length constrains,called CFG-refinedSAIL.It reconstructs the code structure by the recursive traversal disassembly algorithm first.Then the algorithm compares the opcode sequences in each basicblock of control flow with the opcode sequences of malware behavior in a refined way to find out the malware behavior in disassembly level.Finally,the test validates the effectiveness the algorithm,and its performance is good,which could provide the basis for subsequent analysis of malware.

Shanhu Shang,Ning Zheng,Jian Xu,Ming Xu,Haiping Zhang

DOI: https://doi.org/10.1109/malware.2010.5665787

2010-01-01

Abstract:Currently, signature-based malware scanning is still the dominant approach to identify malware samples in the wild due to its low false positive rate. However, this approach concentrates on programs' specific instructions, and lacks insight into high level semantics; it is enduring challenges from advanced code obfuscation techniques such as polymorphism and metamorphism. To overcome this shortcoming, this paper extracts a program's function-call graph as its signature. The paper presents a method to compute similarity between two binaries on basis of their function-call graph similarity. The proposed method relies on static analysis of a program, it first disassembles the program into assemble code, and then it uses a novel algorithm to construct the function-call graph from the assembly instructions. After that, it proposes a simple but effective graph matching method to compute similarity between two binaries. A prototype is implemented and evaluated on several well-known malware families and benign programs.

Fabrizio Biondi,Thomas Given-Wilson,Axel Legay,Cassius Puodzius,Jean Quilbeuf

DOI: https://doi.org/10.1007/978-3-030-03418-4_34

2018-01-01

Abstract:This tutorial presents and motivates various malware detection tools and illustrates their usage on a clear example. We demonstrate how statically-extracted syntactic signatures can be used for quickly detecting simple variants of malware. Since such signatures can easily be obfuscated, we also present dynamically-extracted behavioral signatures which are obtained by running the malware in an isolated environment known as a sandbox. However, some malware can use sandbox detection to detect that they run in such an environment and so avoid exhibiting their malicious behavior. To counteract sandbox detection, we present concolic execution that can explore several paths of a binary. We conclude by showing how opaque predicates and JIT can be used to hinder concolic execution.

Fathi H. Amsaad,Junjie Zhang,M. Pk,Al Amin Hossain

DOI: https://doi.org/10.1109/NAECON61878.2024.10670668

2024-07-15

Abstract:The rapid evolution of cyber threats raises the inevitability of the advancement of innovative and effective approaches in cybersecurity. There are numerous cyber threats; among these threats, malicious code, including viruses, worms, and sophisticated malware, poses significant risks to digital systems. The existing threat detection methods often rely on signature-based techniques and need help to keep pace with the dynamic and evolving characteristics of malware. Large language models (LLMs) such as GPT-4, renowned for their ability to perform natural language processing, offer a promising alternative for enhancing malicious code detection. This research paper proposes a novel approach using large language models (LLMs) to detect unwanted malicious code in Java source code, leveraging the Mixtral architecture. The Mixtral model is trained on a diverse dataset of benign and malicious Java code, enabling it to learn complex patterns and characteristics of malicious code. Experimental results validate the efficiency of the proposed in identifying malicious code, outperforming existing static analysis tools.

Computer Science