Zhongqiang Chen,Mema Roussopoulos,Zhanyan Liang,Yuan Zhang,Zhongrong Chen,Alex Delis

DOI: https://doi.org/10.1016/j.jss.2012.02.015

2012-01-01

Abstract:Malware encyclopedias now play a vital role in disseminating information about security threats. Coupled with categorization and generalization capabilities, such encyclopedias might help better defend against both isolated and clustered specimens.In this paper, we present Malware Evaluator, a classification framework that treats malware categorization as a supervised learning task, builds learning models with both support vector machines and decision trees and finally, visualizes classifications with self-organizing maps. Malware Evaluator refrains from using readily available taxonomic features to produce species classifications. Instead, we generate attributes of malware strains via a tokenization process and select the attributes used according to their projected information gain. We also deploy word stemming and stopword removal techniques to reduce dimensions of the feature space. In contrast to existing approaches, Malware Evaluator defines its taxonomic features based on the behavior of species throughout their life-cycle, allowing it to discover properties that previously might have gone unobserved. The learning and generalization capabilities of the framework also help detect and categorize zero-day attacks. Our prototype helps establish that malicious strains improve their penetration rate through multiple propagation channels as well as compact code footprints; moreover, they attempt to evade detection by resorting to code polymorphism and information encryption. Malware Evaluator also reveals that breeds in the categories of Trojan, Infector, Backdoor, and Worm significantly contribute to the malware population and impose critical risks on the Internet ecosystem.

Benjamin Andow,Adwait Nadkarni,Blake Bassett,William Enck,Tao Xie

DOI: https://doi.org/10.1109/spw.2016.40

2016-01-01

Abstract:While there have been various studies identifying and classifying Android malware, there is limited discussion of the broader class of apps that fall in a gray area. Mobile grayware is distinct from PC grayware due to differences in operating system properties. Due to mobile grayware's subjective nature, it is difficult to identify mobile grayware via program analysis alone. Instead, we hypothesize enhancing analysis with text analytics can effectively reduce human effort when triaging grayware. In this paper, we design and implement heuristics for seven main categories of grayware. We then use these heuristics to simulate grayware triage on a large set of apps from Google Play. We then present the results of our empirical study, demonstrating a clear problem of grayware. In doing so, we show how even relatively simple heuristics can quickly triage apps that take advantage of users in an undesirable way.

Zhuo Chen,Lei Wu,Yubo Hu,Jing Cheng,Yufeng Hu,Yajin Zhou,Zhushou Tang,Yexuan Chen,Jinku Li,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2023.3329205

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Mobile applications (apps) are extensively involved in online scams. Previous studies mainly target malicious apps that either compromise victims' devices ( e.g. , malware and ransomware), or lead to privacy leakage and abuse ( e.g. , creepware). Recently, an emerging kind of app makes profits by providing scam services rather than compromising devices or abusing privacy . We name these apps as scamware due to their deceptive behavior, which poses a new threat to (mobile) users. However, the characteristics and the ecosystem of scamware remain mysterious. This paper takes the first step toward systematically studying scamware. In total, 1262 ground-truth scamware are collected from December 1, 2020, to May 1, 2022. Specifically, we first investigate the social tricks used by scamware, and then analyze the participants and their relationships to demystify the ecosystem behind scamware. Finally, we reveal the scamware development features to facilitate the detection of scamware. Our study also gives some interesting findings, e.g. , 1) the crowd-sourcing strategy is adopted to develop scamware, i.e. , the scammers are the core members, while other participants are hired as peripherals; and 2) the online app generators have been abused to facilitate development; and 3) the money mule based payment is prevalent, and the case study shows the money flow is around $ 2593346 per day. We believe that our findings will facilitate the community and law enforcement agencies to mitigate this threat, and we will release the source code of our tools to engage the community.

Zhuo Chen,Lei Wu,Jing Cheng,Yubo Hu,Yajin Zhou,Zhushou Tang,Yexuan Chen,Jinku Li,Kui Ren

DOI: https://doi.org/10.48550/arXiv.2106.05756

2021-06-11

Abstract:Mobile apps are extensively involved in cyber-crimes. Some apps are malware which compromise users' devices, while some others may lead to privacy leakage. Apart from them, there also exist apps which directly make profit from victims through deceiving, threatening or other criminal actions. We name these apps as CULPRITWARE. They have become emerging threats in recent years. However, the characteristics and the ecosystem of CULPRITWARE remain mysterious. This paper takes the first step towards systematically studying CULPRITWARE and its ecosystem. Specifically, we first characterize CULPRITWARE by categorizing and comparing them with benign apps and malware. The result shows that CULPRITWARE have unique features, e.g., the usage of app generators (25.27%) deviates from that of benign apps (5.08%) and malware (0.43%). Such a discrepancy can be used to distinguish CULPRITWARE from benign apps and malware. Then we understand the structure of the ecosystem by revealing the four participating entities (i.e., developer, agent, operator and reaper) and the workflow. After that, we further reveal the characteristics of the ecosystem by studying the participating entities. Our investigation shows that the majority of CULPRITWARE (at least 52.08%) are propagated through social media rather than the official app markets, and most CULPRITWARE (96%) indirectly rely on the covert fourth-party payment services to transfer the profits. Our findings shed light on the ecosystem, and can facilitate the community and law enforcement authorities to mitigate the threats. We will release the source code of our tools to engage the community.

Cryptography and Security

Zhongqiang Chen,Yuan Zhang,Zhongrong Chen

DOI: https://doi.org/10.1093/comjnl/bxp040

2009-01-01

The Computer Journal

Abstract:The dictionary of common vulnerabilities and exposures (CVEs) is a compilation of known security loopholes whose objective is to both facilitate the exchange of security-related information and expedite vulnerability analysis of computer systems. Its lack of categorization and generalization capability renders the dictionary ineffective when it comes to developing defense strategies for clustered vulnerabilities instead of individual exploits. To address this issue, we propose a CVE categorization framework termed CVE Classifier that transforms the dictionary into a classifier that not only categorizes CVEs with respect to diverse taxonomic features but can also evaluate general trends in the evolution of vulnerabilities. With the help of support vector machines, CVE Classifier builds learning models for taxonomic features based on training data automatically extracted from pertinent vulnerability databases including BID, X-Force and Secunia, and CVE entries containing telltale keywords unique to taxonomic features. We use word-stemming and stopword-removal techniques to reduce the dimensions of the feature space formed by CVEs and develop a data fusion and cleansing process to eliminate data inconsistencies to improve classification performance. The CVE classification produced by the proposed framework reveals that the majority of the Internet security loopholes are harbored by a small set of services. Moreover, it becomes evident that the widespread deployment of security devices provides many additional attack points as such devices demonstrate a great mount of vulnerabilities. Finally, the CVE Classifier points out that remotely exploitable security loopholes continue to dominate the CVEs landscape.

Zongwei Wang,Min Gao,Jundong Li,Junwei Zhang,Jiang Zhong

DOI: https://doi.org/10.1145/3512352

IF: 5

2022-03-22

ACM Transactions on Intelligent Systems and Technology

Abstract:Recommender systems are essential components of many information services, which aim to find relevant items that match user preferences. Several studies have shown shilling attacks can significantly weaken the robustness of recommender systems by injecting fake user profiles. Traditional shilling attacks focus on creating hand-engineered fake user profiles, but these profiles can be detected effortlessly by advanced detection methods. Adversarial learning, emerged in recent years, can be leveraged to generate powerful and intelligent attack models. To this end, in this paper, we explore potential risks of recommender systems and shed light on a gray-box shilling attack model based on generative adversarial networks, named GSA-GANs. Specifically, we aim to generate fake user profiles that can achieve two goals: unnoticeable and offensive. Towards these goals, there are several challenges that we need to address: (1) learn complex user behaviors from user-item rating data; (2) adversely influence the recommendation results without knowing the underlying recommendation algorithms. To tackle these challenges, two essential GAN modules are respectively designed to make generated fake profiles more similar to real ones and harmful to recommendation results. Experimental results on three public datasets demonstrate that the proposed GSA-GANs framework outperforms baseline models in attack effectiveness, transferability, and camouflage. In the end, we also provide several possible defensive strategies against GSA-GANs. The exploration and analysis in our work will contribute to the defense research of recommender systems.

computer science, information systems, artificial intelligence

Zhaoxuan Li,Ziming Zhao,Rui Zhang,Haoyang Lu,Wenhao Li,Fan Zhang,Siqi Lu,Rui Xue

DOI: https://doi.org/10.1016/j.comnet.2024.110563

IF: 5.493

2024-01-01

Computer Networks

Abstract:The continuous emergence of malware has threatened to the Android platform and user privacy. With the evolution of the Android system and malware, it is challenging to design a method that can accurately identify the categories of sophisticated malware, including known and unknown families, as well as their obfuscated variants, given that they may be newly emerging and lack available detection knowledge. Although some methods try to use anomaly detection and zero-shot technology to identify unseen applications, they are limited to binary classification or lack the robustness, stability, universality, and interpretability in multi-class identification. To this end, we first propose a generic meta-features mining algorithm, which can discover the potential relationships between samples belonging to the same category. Then we present metaNet, a novel method leveraging meta-features to identify sophisticated Android malware. Specifically, metaNet is mainly powered by four components: (i) mExtractor is a feature collector to obtain the static and dynamic features. (ii) mProcessor is taking unique meta-features of each category from extracted features. (iii) mLearner is a machine learning suite that leverages features and meta-features to design and train a classifier called HSU-Net. (iv) mEnforcer is a flexible deployer that identifies categories of malware families in the real world. We implement a prototype of metaNet with 15K lines of Python code and compare it with state-of-the-art (SOTA) methods. The results show that it can not only achieve superior performance in terms of known families (99.52% of accuracy) and unknown families (99.31% of accuracy trained with 80% known families) for binary classification, but also perform well in multi-class identification, i.e., 99.05% and 93.45% of accuracy for known and unknown families, respectively. Furthermore, we deploy and evaluate metaNet in the real world. It can identify applications over an acceptable time and memory overheads, i.e., average of 11.8s and 56MB per sample with a size of 8MB. Also, the few-shot detection and feature perturbation experiments reflect its robustness and stability benefiting from meta-features. Finally, we collect the traffic of 112 decentralized applications (DApps) belonging to 16 categories, such as finance and health, and evaluated metaNet in DApp identification. The results illustrate its applicability across various tasks. That is, it can accurately classify 94.6% and 81.36% of DApp flows in all-known and 80%-known DApp scenarios, respectively, outperforming the SOTA methods.

Wei Deng,Qiao Liu,Hongrong Cheng,Zhiguang Qin

2011-01-01

Journal of Computational Information Systems

Abstract:Malware has been posing a major threat for computer systems. The huge amount and diversity of its variants, such as computer viruses, Internet worms and Trojan horses, render classic security defenses ineffective. For the existence of active adversaries which constantly attempt to evade anti-malware, traditional signature-based approaches fail to detect malware which is new or obfuscated. This paper presents a general malware detection framework based on Kolmogorov complexity. As an example, we use a statistical data compression model which is Dynamic Markov Compression (DMC) to classify a code instance either as a "malware" or "benign" code instance. Our preliminary results are very promising. Our experimental results also demonstrate the framework can effectively detect unknown and obfuscated malware with high quality. © 2005 by Binary Information Press.

Ahmet Aksoy,Luis Valle,Gorkem Kar

DOI: https://doi.org/10.3390/electronics13020293

IF: 2.9

2024-01-10

Electronics

Abstract:The cybersecurity landscape presents daunting challenges, particularly in the face of Denial of Service (DoS) attacks such as DoS Http Unbearable Load King (HULK) attacks and DoS GoldenEye attacks. These malicious tactics are designed to disrupt critical services by overwhelming web servers with malicious requests. In contrast to DoS attacks, there exists nefarious Operating System (OS) scanning, which exploits vulnerabilities in target systems. To provide further context, it is essential to clarify that NMAP, a widely utilized tool for identifying host OSes and vulnerabilities, is not inherently malicious but a dual-use tool with legitimate applications, such as asset inventory services in company networks. Additionally, Domain Name System (DNS) botnets can be incredibly damaging as they harness numerous compromised devices to inundate a target with malicious DNS traffic. This can disrupt online services, leading to downtime, financial losses, and reputational damage. Furthermore, DNS botnets can be used for other malicious activities like data exfiltration, spreading malware, or launching other cyberattacks, making them a versatile tool for cybercriminals. As attackers continually adapt and modify specific attributes to evade detection, our paper introduces an automated detection method that requires no expert input. This innovative approach identifies the distinct characteristics of DNS botnet attacks, DoS HULK attacks, DoS GoldenEye attacks, and OS-Scanning, explicitly using the NMAP tool, even when attackers alter their tactics. By harnessing a representative dataset, our proposed method ensures robust detection of such attacks against varying attack parameters or behavioral shifts. This heightened resilience significantly raises the bar for attackers attempting to conceal their malicious activities. Significantly, our approach delivered outstanding outcomes, with a mid 95% accuracy in categorizing NMAP OS scanning and DNS botnet attacks, and 100% for DoS HULK attacks and DoS GoldenEye attacks, proficiently discerning between malevolent and harmless network packets. Our code and the dataset are made publicly available.

engineering, electrical & electronic,computer science, information systems,physics, applied

Quincy Card,Kshitiz Aryal,Maanak Gupta

2024-05-07

Abstract:In recent years, there has been a surge in malware attacks across critical infrastructures, requiring further research and development of appropriate response and remediation strategies in malware detection and classification. Several works have used machine learning models for malware classification into categories, and deep neural networks have shown promising results. However, these models have shown its vulnerabilities against intentionally crafted adversarial attacks, which yields misclassification of a malicious file. Our paper explores such adversarial vulnerabilities of neural network based malware classification system in the dynamic and online analysis environments. To evaluate our approach, we trained Feed Forward Neural Networks (FFNN) to classify malware categories based on features obtained from dynamic and online analysis environments. We use the state-of-the-art method, SHapley Additive exPlanations (SHAP), for the feature attribution for malware classification, to inform the adversarial attackers about the features with significant importance on classification decision. Using the explainability-informed features, we perform targeted misclassification adversarial white-box evasion attacks using the Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD) attacks against the trained classifier. Our results demonstrated high evasion rate for some instances of attacks, showing a clear vulnerability of a malware classifier for such attacks. We offer recommendations for a balanced approach and a benchmark for much-needed future research into evasion attacks against malware classifiers, and develop more robust and trustworthy solutions.

Cryptography and Security

Swati Sharma,Varsha Sharma

DOI: https://doi.org/10.1007/s11277-024-10952-4

IF: 2.017

2024-04-04

Wireless Personal Communications

Abstract:The internet utilization has been developing quickly, mostly in previous eras. Though, by way of the internet develops an important section of the daily life routine, cybercrime is similarly on the grow. The prices of cybercrime will approximately five lakh crores dollars per year through 2022 according to cyber security endeavours details in 2021. The cyber attackers exploit some internet resources as a principal way of transformation through a victim system; therefore intruders generate benefit based on economic, promotional and many more through developing the susceptibilities over devices. The computing cybercrime threats and providing security procedures through physical schemes utilizing previous methodological techniques and moreover examinations have unsuccessful many times to govern cybercrime threats. The previous literature in field of cybercrime threats agonizes from absence of evaluation schemes to guess the cybercrimes, mainly on unstructured information. Hence, an Improved Grey-wolf Optimization based Classification Model (IGO-CM) is developed with the help of chaos system and information entropy utilizing machine learning schemes for cybercrime data analysis to compute the rate of cybercrime by classifying the cybercrime data. The protection examinations by means of the relationship of data analysis methodologies provide services to examine and classify crime data in unstructured form taking from India. The implementation of IGO-CM is performed on MATLAB 2021a tool for unstructured cybercrime data and the outcomes describe the superior performance of IGO-CM depending on accuracy, F-Measure, standard deviation, purity index, intra-cluster distance, root mean square error, and time complexity against a popular classification scheme K-Means, and some optimization schemes like ACO, ALO, PSO and GO.

telecommunications

Xiang Ling,Lingfei Wu,Jiangyu Zhang,Zhenqing Qu,Wei Deng,Xiang Chen,Yaguan Qian,Chunming Wu,Shouling Ji,Tianyue Luo,Jingzheng Wu,Yanjun Wu

DOI: https://doi.org/10.1016/j.cose.2023.103134

2023-02-17

Abstract:Malware has been one of the most damaging threats to computers that span across multiple operating systems and various file formats. To defend against ever-increasing and ever-evolving malware, tremendous efforts have been made to propose a variety of malware detection that attempt to effectively and efficiently detect malware so as to mitigate possible damages as early as possible. Recent studies have shown that, on the one hand, existing machine learning (ML) and deep learning (DL) techniques enable superior solutions in detecting newly emerging and previously unseen malware. However, on the other hand, ML and DL models are inherently vulnerable to adversarial attacks in the form of adversarial examples, which are maliciously generated by slightly and carefully perturbing the legitimate inputs to misbehave. Adversarial attacks are initially studied in the domain of computer vision like image classification, and then quickly extended to other domains, including natural language processing, audio recognition, and even malware detection. In this paper, we focus on malware with the file format of portable executable (PE) in the family of Windows operating systems, namely Windows PE malware , as a representative case to study the adversarial attack methods in such adversarial settings. To be specific, we start by first outlining the general learning framework of Windows PE malware detection based on ML/DL and subsequently highlighting three unique challenges of performing adversarial attacks in the context of Windows PE malware. Then, we conduct a comprehensive and systematic review to categorize the state-of-the-art adversarial attacks against PE malware detection, as well as corresponding defenses to increase the robustness of Windows PE malware detection. Finally, we conclude the paper by first presenting other related attacks against Windows PE malware detection beyond the adversarial attacks and then shedding light on future research directions and opportunities.

computer science, information systems

Durgesh Srivastava,Rajeshwar Singh,Chinmay Chakraborty,Sunil Kumar,Aaisha Makkar,Deepak Sinwar

DOI: https://doi.org/10.1016/j.micpro.2023.104964

IF: 3.503

2023-10-23

Microprocessors and Microsystems

Abstract:Recognition of the consequence for advanced tools and techniques to secure the network infrastructure from the security risks has prompted the advancement of many machine learning-based intrusion detection strategies. However, it is a big challenge for the researchers to make improvements in an Intrusion Detection System with desired advantages and constraints. This paper has developed a proficient soft computing framework using Grey Wolf Optimization and Entropy-Based Graph (GWO-EBG) to classify intrusion detection datasets to reduce the false rate. In the proposed scheme, initially, the input data is preprocessed by the data transformation and normalization procedure. After the preprocessing, optimal features have been chosen for the dimension reduction from the preprocessed data using the grey wolf optimization (GWO) algorithm. Then, the Entropy value has estimated from the idyllically selected features. Lastly, an Entropy-Based Graph (EBG) has been constructed to classify data into intrusion or normal data. The experimental results demonstrate that the developed method outperforms other existing methods in various performance measures. The detection rate of the developed GWO-EBG is found to be 94.6 %, which is higher than 91.24% of EBG, 75.60% K-Nearest Neighbors (KNN), 73.36% of Support Vector Machine (SVM), and 74.88% of Generalized Regression Neural Network (GRNN) on 5000 connection vectors data obtained from KDD CUP'99 testing dataset. The false-positive rate of developed strategy (GWO-EBG) is 0.35% %, which is lower than 2.18% of EBG, 7.32% KNN, 8.15% of SVM, and 8.13% of GRNN with 5000 testing datasets.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Bo Yang,Xu Rao,Zhiyong Pei,Nuohan Li

DOI: https://doi.org/10.1142/s0129183124502176

2024-09-09

International Journal of Modern Physics C

Abstract:International Journal of Modern Physics C, Ahead of Print. In recent years, network science has received significant attention and application. As an important mesoscale structure of networks, community structure reveals the inherent modular structure and potential functionality of networks. Therefore, maintaining the community structure during attacks is crucial. Existing studies on community robustness primarily focus on two attack behaviors: malicious attacks and random failures. However, little is known on the community robustness in the more practical situations where the attackers have limited ability to access precise network information, leading to gray information attack behaviors. Hence, in this paper, we investigate the robustness of network communities under gray information attacks and the enhancing algorithms. Following the community robustness measure for the sequential attacks, we establish a unified evaluation framework for attacks with gray information by introducing a gray attack coefficient, which treats the usual random failures and malicious attacks as the two special situations in the proposed framework. Several enhancing algorithms with local search strategy are exquisitely devised. The efficacy of our framework and algorithms which significantly improve the community robustness against gray attacks is demonstrated by the experimental results on a variety of real-world networks. Our findings have important implications not only in enhancing the community robustness of existing networks but also in designing robust ones from the scratch, which paves the way to further understand and seek strategies and solutions for network community robustness with gray information.

physics, mathematical,computer science, interdisciplinary applications

Mahesh Datta Sai Ponnuru,Likhitha Amasala,Tanu Sree Bhimavarapu,Guna Chaitanya Garikipati

2023-12-15

Abstract:As the number and complexity of malware attacks continue to increase, there is an urgent need for effective malware detection systems. While deep learning models are effective at detecting malware, they are vulnerable to adversarial attacks. Attacks like this can create malicious files that are resistant to detection, creating a significant cybersecurity risk. Recent research has seen the development of several adversarial attack and response approaches aiming at strengthening deep learning models' resilience to such attacks. This survey study offers an in-depth look at current research in adversarial attack and defensive strategies for malware classification in cybersecurity. The methods are classified into four categories: generative models, feature-based approaches, ensemble methods, and hybrid tactics. The article outlines cutting-edge procedures within each area, assessing their benefits and drawbacks. Each topic presents cutting-edge approaches and explores their advantages and disadvantages. In addition, the study discusses the datasets and assessment criteria that are often utilized on this subject. Finally, it identifies open research difficulties and suggests future study options. This document is a significant resource for malware categorization and cyber security researchers and practitioners.

Cryptography and Security,Machine Learning

Xiang Ling,Zhiyu Wu,Bin Wang,Wei Deng,Jingzheng Wu,Shouling Ji,Tianyue Luo,Yanjun Wu

2024-07-03

Abstract:Given the remarkable achievements of existing learning-based malware detection in both academia and industry, this paper presents MalGuise, a practical black-box adversarial attack framework that evaluates the security risks of existing learning-based Windows malware detection systems under the black-box setting. MalGuise first employs a novel semantics-preserving transformation of call-based redividing to concurrently manipulate both nodes and edges of malware's control-flow graph, making it less noticeable. By employing a Monte-Carlo-tree-search-based optimization, MalGuise then searches for an optimized sequence of call-based redividing transformations to apply to the input Windows malware for evasions. Finally, it reconstructs the adversarial malware file based on the optimized transformation sequence while adhering to Windows executable format constraints, thereby maintaining the same semantics as the original. MalGuise is systematically evaluated against three state-of-the-art learning-based Windows malware detection systems under the black-box setting. Evaluation results demonstrate that MalGuise achieves a remarkably high attack success rate, mostly exceeding 95%, with over 91% of the generated adversarial malware files maintaining the same semantics. Furthermore, MalGuise achieves up to a 74.97% attack success rate against five anti-virus products, highlighting potential tangible security concerns to real-world users.

Cryptography and Security

Zhiguo Chen,Shuangshuang Xing,Xuanyu Ren

DOI: https://doi.org/10.3389/fpls.2023.1123696

2023-02-15

Abstract:Due to developments in science and technology, the field of plant protection and the information industry have become increasingly integrated, which has resulted in the creation of plant protection information systems. Plant protection information systems have modernized how pest levels are monitored and improved overall control capabilities. They also provide data to support crop pest monitoring and early warnings and promote the sustainable development of plant protection networks, visualization, and digitization. However, cybercriminals use technologies such as code reuse and automation to generate malware variants, resulting in continuous attacks on plant protection information terminals. Therefore, effective identification of rapidly growing malware and its variants has become critical. Recent studies have shown that malware and its variants can be effectively identified and classified using convolutional neural networks (CNNs) to analyze the similarity between malware binary images. However, the malware images generated by such schemes have the problem of image size imbalance, which affects the accuracy of malware classification. In order to solve the above problems, this paper proposes a malware identification and classification scheme based on bicubic interpolation to improve the security of a plant protection information terminal system. We used the bicubic interpolation algorithm to reconstruct the generated malware images to solve the problem of image size imbalance. We used the Cycle-GAN model for data augmentation to balance the number of samples among malware families and build an efficient malware classification model based on CNNs to improve the malware identification and classification performance of the system. Experimental results show that the system can significantly improve malware classification efficiency. The accuracy of RGB and gray images generated by the Microsoft Malware Classification Challenge Dataset (BIG2015) can reach 99.76% and 99.62%, respectively.

Jian Yu,Yuewang He,Qiben Yan,Xiangui Kang

DOI: https://doi.org/10.1109/tifs.2021.3124725

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:With the rapid development of automation tools including polymorphic and metamorphic engines, generic packers, and genetic programming, many variants of malware have emerged, which pose a significant threat to the Internet security. To effectively detect malware variants, researchers have developed visualization-based approaches that can visualize malware adaptations for in-depth malware analysis. However, most existing visualization approaches rely on the binary image of a malware sample, which fail to provide an effective texture feature representation and thus often result in low efficiency in coping with challenging malware samples. In this paper, we propose SpecView, a malware spectrum visualization framework with singular spectrum transformation. SpecView converts malware binary code into one-dimensional time series spectrum data, and leverages the singular spectrum transformation method to obtain the structural changes preserved in the time series spectrum data. Then, we utilize the particle swarm optimization algorithm to optimize the singular spectrum transformation performance in SpecView. We apply SpecView in the task of malware classification. Extensive experimental results show that SpecView is effective and efficient in malware classification on the Malimg, Malheur, Drebin, and PRAGuard Malgenome Class Encryption datasets, with classification accuracy exceeding 99%, and it can effectively identify malware variants that use evasive techniques such as packer and encryption obfuscation. The proposed method outperforms the state-of-the-art methods on all datasets and the classification accuracy reaches 100% for 5 malware families packed by the UPX packer on the Malimg dataset, as well as 9 malware families that use Class Encryption obfuscation techniques on the PRAGuard Malgenome Class Encryption datasets.

computer science, theory & methods,engineering, electrical & electronic

Ziyu Wang,Wanjiang Han,Yue Lu,Jingfeng Xue

DOI: https://doi.org/10.1007/978-3-030-62223-7_4

2020-01-01

Abstract:Malware has become a serious threat to network security. Traditional static analysis methods usually cannot effectively detect packers, obfuscations, and variants. Dynamic analysis is not efficient when dealing with large amounts of malware. Aiming at the shortcomings of the existing methods, this paper proposes a method for analyzing malware based on the capsule network. It uses a supervised learning method to train the capsule network with a large number of malware samples with existing category labels. In the process of constructing features, this paper adopts a method of combining static features and dynamic features to extract the operation code information based on static analysis, and extract the API call sequence information based on general analysis. Both characteristics can well represent the structure and behavior of malware. Then use N-Gram to construct sequence features, visualize the N-Gram sequence, generate malware images, and finally use the capsule network for classification detection. In addition, this paper improves the original capsule network and verifies the effect of the improved model.

Edward Raff,Charles Nicholas

DOI: https://doi.org/10.48550/arXiv.2006.09271

2020-11-16

Abstract:Malware classification is a difficult problem, to which machine learning methods have been applied for decades. Yet progress has often been slow, in part due to a number of unique difficulties with the task that occur through all stages of the developing a machine learning system: data collection, labeling, feature creation and selection, model selection, and evaluation. In this survey we will review a number of the current methods and challenges related to malware classification, including data collection, feature extraction, and model construction, and evaluation. Our discussion will include thoughts on the constraints that must be considered for machine learning based solutions in this domain, and yet to be tackled problems for which machine learning could also provide a solution. This survey aims to be useful both to cybersecurity practitioners who wish to learn more about how machine learning can be applied to the malware problem, and to give data scientists the necessary background into the challenges in this uniquely complicated space.

Cryptography and Security,Machine Learning,Applications