Ming Xu,Lingfei Wu,Shuhui Qi,Jian Xu,Haiping Zhang,Yizhi Ren,Ning Zheng

DOI: https://doi.org/10.1007/s11416-012-0175-y

2013-01-01

Journal of Computer Virology and Hacking Techniques

Abstract:Code obfuscating technique plays a significant role to produce new obfuscated malicious programs, generally called malware variants, from previously encountered malwares. However, the traditional signature-based malware detecting method is hard to recognize the up-to-the-minute obfuscated malwares. This paper proposes a method to identify the malware variants based on the function-call graph. Firstly, the function-call graphs were created from the disassembled codes of program; then the caller–callee relationships of functions and the operational code (opcode) information about functions, combining the graph coloring techniques were used to measure the similarity metric between two function-call graphs; at last, the similarity metric was utilized to identify the malware variants from known malwares. The experimental results show that the proposed method is able to identify the obfuscated malicious softwares effectively.

Cuiying Gao,Minghui Cai,Shuijun Yin,Gaozhun Huang,Heng Li,Wei Yuan,Xiapu Luo

DOI: https://doi.org/10.1109/tifs.2023.3302509

IF: 7.231

2023-08-22

IEEE Transactions on Information Forensics and Security

Abstract:Existing Android malware detection methods are usually hard to simultaneously resist various obfuscation techniques. Therefore, bytecode-based code obfuscation becomes an effective means to circumvent Android malware analysis. Building obfuscation-resilient Android malware analysis methods is a challenging task, due to the fact that various obfuscation techniques have vastly different effects on code and detection features. To mitigate this problem, we propose combining multiple features that are complementary in combating code obfuscation. Accordingly, we develop an obfuscation-resilient Android malware analysis method CorDroid, based on two new features: Enhanced Sensitive Function Call Graph (E-SFCG) and Opcode-based Markov transition Matrix (OMM). The first describes sensitive function call relationships, while the second reflects transition probabilities among opcodes. Combining E-SFCG and OMM can well characterize the runtime behavior of Android apps from different perspectives, hence increasing the difficulty of misleading malware analysis through using code obfuscation to affect detection features. To evaluate CorDroid, we generate 74, 138 obfuscated samples with 14 different obfuscation techniques, and compare CorDroid with the state-of-the-art detection methods (e.g., MaMaDroid, RevealDroid and APIGraph). In terms of average F1-Score, CorDroid is 29.69% higher than MaMaDroid, 21.80% higher than APIGraph, and 9.71% higher than RevealDroid, respectively. Experiments also validate the complementarity between E-SFCG and OMM, and exhibit the high execution efficiency of CorDroid.

computer science, theory & methods,engineering, electrical & electronic

Wei Deng,Qiao Liu,Hongrong Cheng,Zhiguang Qin

2011-01-01

Journal of Computational Information Systems

Abstract:Malware has been posing a major threat for computer systems. The huge amount and diversity of its variants, such as computer viruses, Internet worms and Trojan horses, render classic security defenses ineffective. For the existence of active adversaries which constantly attempt to evade anti-malware, traditional signature-based approaches fail to detect malware which is new or obfuscated. This paper presents a general malware detection framework based on Kolmogorov complexity. As an example, we use a statistical data compression model which is Dynamic Markov Compression (DMC) to classify a code instance either as a "malware" or "benign" code instance. Our preliminary results are very promising. Our experimental results also demonstrate the framework can effectively detect unknown and obfuscated malware with high quality. © 2005 by Binary Information Press.

S M Rakib Hasan,Aakar Dhakal

2024-04-03

Abstract:In the era of the internet and smart devices, the detection of malware has become crucial for system security. Malware authors increasingly employ obfuscation techniques to evade advanced security solutions, making it challenging to detect and eliminate threats. Obfuscated malware, adept at hiding itself, poses a significant risk to various platforms, including computers, mobile devices, and IoT devices. Conventional methods like heuristic-based or signature-based systems struggle against this type of malware, as it leaves no discernible traces on the system. In this research, we propose a simple and cost-effective obfuscated malware detection system through memory dump analysis, utilizing diverse machine-learning algorithms. The study focuses on the CIC-MalMem-2022 dataset, designed to simulate real-world scenarios and assess memory-based obfuscated malware detection. We evaluate the effectiveness of machine learning algorithms, such as decision trees, ensemble methods, and neural networks, in detecting obfuscated malware within memory dumps. Our analysis spans multiple malware categories, providing insights into algorithmic strengths and limitations. By offering a comprehensive assessment of machine learning algorithms for obfuscated malware detection through memory analysis, this paper contributes to ongoing efforts to enhance cybersecurity and fortify digital ecosystems against evolving and sophisticated malware threats. The source code is made open-access for reproducibility and future research endeavours. It can be accessed at

Cryptography and Security,Computation and Language,Machine Learning

陈惠羽,茅兵,谢立

DOI: https://doi.org/10.3969/j.issn.1006-6675-B.2012.02.046

2012-01-01

Abstract:Metamorphism and polymorphism are often applied on some malwares to protect their programs against reverse engineering or detected by some anti virus products. However, data structure information based malware signatures invalidate traditional metamorphic technologies. In this paper, we propose a metamorphism tool, which obfuscates data structure in binary code level. This obfuscation technology is more flexible compared to the previous randomizations. Preliminary experimental results show that our tool could obfuscate data structure remarkably with little performance overhead.

Sidra Siddiqui,Tamim Ahmed Khan

DOI: https://doi.org/10.1007/s42979-024-02637-3

2024-03-16

SN Computer Science

Abstract:Obfuscation is a method to hide coding strategies for security and privacy. Despite its positive use, malware experts have also used this technique to develop malware applications. A variety of malware has taken over the market in recent times. This sophisticated malware uses different obfuscation and mutation techniques to deceive the detectors. Obfuscation and mutation attacks are technique variations in which the attacker uses java-reflection techniques and encryption to manipulate the malicious applications and force the classifier to do misclassification. Despite its positive use, malware experts have also used this technique to misguide classifiers. The obfuscated malware is difficult to tackle due to the complexity of there structure and behavior. A fresh look is needed at the available datasets and features used especially for Android obfuscated malware analysis. We investigate and provide a concise account of obfuscated malware detection techniques. We evaluate the importance and effectiveness of obfuscation for Android malware analysis by investigating the techniques, datasets, and feature sets used in the literature. We report supervised learning as more popular for analysis. The paper provides details on the use of datasets such as Debian, genome, Adrozoo, and CIC as the most commonly used in literature. We also investigate certain features, mostly static, considered for analysis and highlight the use of unconventional techniques, such as unsupervised learning and graph theory.

K. Mclaughlin,Philip O'Kane,S. Sezer

DOI: https://doi.org/10.1109/MSP.2011.98

2011-09-01

Abstract:A cyberwar exists between malware writers and antimalware researchers. At this war's heart rages a weapons race that originated in the 80s with the first computer virus. Obfuscation is one of the latest strategies to camouflage the telltale signs of malware, undermine antimalware software, and thwart malware analysis. Malware writers use packers, polymorphic techniques, and metamorphic techniques to evade intrusion detection systems. The need exists for new antimalware approaches that focus on what malware is doing rather than how it's doing it.

Computer Science

Hassan Jameel Asghar,Benjamin Zi Hao Zhao,Muhammad Ikram,Giang Nguyen,Dali Kaafar,Sean Lamont,Daniel Coscia

2023-09-08

Abstract:Malware authors often use cryptographic tools such as XOR encryption and block ciphers like AES to obfuscate part of the malware to evade detection. Use of cryptography may give the impression that these obfuscation techniques have some provable guarantees of success. In this paper, we take a closer look at the use of cryptographic tools to obfuscate malware. We first find that most techniques are easy to defeat (in principle), since the decryption algorithm and the key is shipped within the program. In order to clearly define an obfuscation technique's potential to evade detection we propose a principled definition of malware obfuscation, and then categorize instances of malware obfuscation that use cryptographic tools into those which evade detection and those which are detectable. We find that schemes that are hard to de-obfuscate necessarily rely on a construct based on environmental keying. We also show that cryptographic notions of obfuscation, e.g., indistinghuishability and virtual black box obfuscation, may not guarantee evasion detection under our model. However, they can be used in conjunction with environmental keying to produce hard to de-obfuscate version of programs.

Cryptography and Security

zhiyin liang,tao wei,yu zong chen,xinhui han,jianwei zhuge,wanhong zou

2007-01-01

Abstract:In recent years with the popularity of source code sharing, the number of types of malware increases sharply; furthermore, malwares are also getting more and more sophisticated. These developments together propose a tremendous challenge to traditional ways of analyzing malware. One way to handle such challenge is to develop tools to automate the analyzing task, and in this paper we describe one such method for static analysis of malware. Inspired by the observation that a malicious executable usually consists of several components, each performing certain tasks, and that these components are often reused by others, our method employs techniques from reverse engineering and data clustering to component decomposing of an executable. For each component obtained, we then match it against a library of known malware components to identify it. For malicious programs, we further utilize the match result to classify them. We have built a prototype system called CompSim, and have applied it to analyze bot-like malicious executables. Initial results show that our approach has outperformed classical signature-based detection method in terms of false negative rate. Furthermore, comparing to dynamic analysis methods and model checking methods, our static method has the advantage of larger analytical coverage.

Alberto Redondo,David Rios Insua

DOI: https://doi.org/10.48550/arXiv.1911.03653

2019-11-09

Abstract:Malware constitutes a major global risk affecting millions of users each year. Standard algorithms in detection systems perform insufficiently when dealing with malware passed through obfuscation tools. We illustrate this studying in detail an open source metamorphic software, making use of a hybrid framework to obtain the relevant features from binaries. We then provide an improved alternative solution based on adversarial risk analysis which we illustrate describe with an example.

Cryptography and Security,Machine Learning

Umair Nawaz,Muhammad Aleem,Jerry Chun-Wei Lin

DOI: https://doi.org/10.7717/peerj-cs.1002

2022-06-21

PeerJ Computer Science

Abstract:The Android mobile platform is the most popular and dominates the cell phone market. With the increasing use of Android, malware developers have become active in circumventing security measures by using various obfuscation techniques. The obfuscation techniques are used to hide the malicious code in the Android applications to evade detection by anti-malware tools. Some attackers use the obfuscation techniques in isolation, while some attackers use a mixed approach (i.e., employing multiple obfuscation techniques simultaneously). Therefore, it is crucial to analyze the impact of the different obfuscation techniques, both when they are used in isolation and when they are combined as hybrid techniques. Several studies have suggested that the obfuscation techniques may be more effective when used in a mixed pattern. However, in most of the related works, the obfuscation techniques used for analysis are either based on individual or a combination of primitive obfuscation techniques. In this work, we provide a comprehensive evaluation of anti-malware tools to gauge the impact of complex hybrid code-obfuscations techniques on malware detection capabilities of the prominent anti-malware tools. The evaluation results show that the inter-category-wise hybridized code obfuscation results in more evasion as compared to the individual or simple hybridized code obfuscations (using multiple and similar code obfuscations) which most of the existing related work employed for the evaluation. Obfuscation techniques significantly impact the detection rate of any anti-malware tool. The remarkable result i.e., almost 100% best detection rate is observed for the seven out of 10 tools when analyzed using the individual obfuscation techniques, four out of 10 tools on category-wise obfuscation, and not a single anti-malware tool attained full detection (i.e., 100%) for inter-category obfuscations.

computer science, information systems, artificial intelligence, theory & methods

Sharmila S P,Aruna Tiwari,Narendra S Chaudhari

2024-08-23

Abstract:Providing security for information is highly critical in the current era with devices enabled with smart technology, where assuming a day without the internet is highly impossible. Fast internet at a cheaper price, not only made communication easy for legitimate users but also for cybercriminals to induce attacks in various dimensions to breach privacy and security. Cybercriminals gain illegal access and breach the privacy of users to harm them in multiple ways. Malware is one such tool used by hackers to execute their malicious intent. Development in AI technology is utilized by malware developers to cause social harm. In this work, we intend to show how Artificial Intelligence and Machine learning can be used to detect and mitigate these cyber-attacks induced by malware in specific obfuscated malware. We conducted experiments with memory feature engineering on memory analysis of malware samples. Binary classification can identify whether a given sample is malware or not, but identifying the type of malware will only guide what next step to be taken for that malware, to stop it from proceeding with its further action. Hence, we propose a multi-class classification model to detect the three types of obfuscated malware with an accuracy of 89.07% using the Classic Random Forest algorithm. To the best of our knowledge, there is very little amount of work done in classifying multiple obfuscated malware by a single model. We also compared our model with a few state-of-the-art models and found it comparatively better.

Cryptography and Security,Artificial Intelligence

Imtiyaz Gulbarga Mohammad,Nurlan Shaidullaev,,

DOI: https://doi.org/10.17015/aas.2023.231.49

2023-01-30

Alatoo Academic Studies

Abstract:Memory analysis is essential for spotting malicious programs since it can record a variety of traits and behaviors. The detection rate and sophisticated malware obfuscation are two major challenges in malware detection, even though there has been a lot of research in the area. An effective framework that focuses on identifying obfuscation and hidden malware is desperately needed because advanced malware employs obfuscation and other tactics to avoid detection. The VolMemLyzer has been improved in this study to focus on hidden and obfuscated malware when used with a stacked ensemble machine learning model to build a framework for effectively identifying malware. It is one of the most updated memory feature extractors for learning systems.

Reza Mirzazadeh,Mohammad Hossein Moattar,Majid Vafaei Jahan

DOI: https://doi.org/10.48550/arXiv.1811.04304

2018-11-11

Abstract:The most common malware detection approaches which are based on signature matching and are not sufficient for metamorphic malware detection, since virus kits and metamorphic engines can produce variants with no resemblance to one another. Metamorphism provides an efficient way for eluding malware detection software kits. Code obfuscation methods like dead-code insertion are also widely used in metamorphic malware. In order to address the problem of detecting mutated generations, we propose a method based on Opcode Graph Similarity (OGS). OGS tries to detect metamorphic malware using the similarity of opcode graphs. In this method, all nodes and edges have a respective effect on classification, but in the proposed method, edges of graphs are pruned using Linear Discriminant Analysis (LDA). LDA is based on the concept of searching for a linear combination of predictors that best separates two or more classes. Most distinctive edges are identified with LDA and the rest of edges are removed. The metamorphic malware families considered here are NGVCK and metamorphic worms that we denote these worms as MWOR. The results show that our approach is capable of classifying metamorphosed instances with no or minimum false alarms. Also, our proposed method can detect NGVCK and MWOR with high accuracy rate.

Cryptography and Security

Shanhu Shang,Ning Zheng,Jian Xu,Ming Xu,Haiping Zhang

DOI: https://doi.org/10.1109/malware.2010.5665787

2010-01-01

Abstract:Currently, signature-based malware scanning is still the dominant approach to identify malware samples in the wild due to its low false positive rate. However, this approach concentrates on programs' specific instructions, and lacks insight into high level semantics; it is enduring challenges from advanced code obfuscation techniques such as polymorphism and metamorphism. To overcome this shortcoming, this paper extracts a program's function-call graph as its signature. The paper presents a method to compute similarity between two binaries on basis of their function-call graph similarity. The proposed method relies on static analysis of a program, it first disassembles the program into assemble code, and then it uses a novel algorithm to construct the function-call graph from the assembly instructions. After that, it proposes a simple but effective graph matching method to compute similarity between two binaries. A prototype is implemented and evaluated on several well-known malware families and benign programs.

Jiang Ming,Zhi Xin,Pengwei Lan,Dinghao Wu,Peng Liu,Bing Mao

DOI: https://doi.org/10.1007/s11416-016-0281-3

2016-01-01

Journal of Computer Virology and Hacking Techniques

Abstract:As the underground market of malware flourishes, there is an exponential increase in the number and diversity of malware. A crucial question in malware analysis research is how to define malware specifications or signatures that faithfully describe similar malicious intent and also clearly stand out from other programs. Although the traditional malware specifications based on syntactic signatures are efficient, they can be easily defeated by various obfuscation techniques. Since the malicious behavior is often stable across similar malware instances, behavior-based specifications which capture real malicious characteristics during run time, have become more prevalent in anti-malware tasks, such as malware detection and malware clustering. This kind of specification is typically extracted from the system call dependence graph that a malware sample invokes. In this paper, we present replacement attacks to camouflage similar behaviors by poisoning behavior-based specifications. The key method of our attacks is to replace a system call dependence graph to its semantically equivalent variants so that the similar malware samples within one family turn out to be different. As a result, malware analysts have to put more efforts into reexamining the similar samples which may have been investigated before. We distil general attacking strategies by mining more than 5200 malware samples’ behavior specifications and implement a compiler-level prototype to automate replacement attacks. Experiments on 960 real malware samples demonstrate the effectiveness of our approach to impede various behavior-based malware analysis tasks, such as similarity comparison and malware clustering. In the end, we also discuss possible countermeasures in order to strengthen existing malware defense.

Mohammad Mahdi Maghouli,Mohamadreza Fereydooni,Monireh Abdoos,Mojtaba Vahidi-Asl

DOI: https://doi.org/10.48550/arXiv.2111.09975

2022-02-23

Abstract:With the advent of new technologies, using various formats of digital gadgets is becoming widespread. In today's world, where everyday tasks are inevitable without technology, this extensive use of computers paves the way for malicious activity. As a result, it is important to provide solutions to defend against these threats. Malware is one of the well-known and widely used means utilized for doing destructive activities by malicious attackers. Producing malware from scratch is somewhat difficult, so attackers tend to obfuscate existing malware and prepare it to become an unrecognizable program. Since creating new malware from an old one using obfuscation is a creative task, there are some drawbacks to identifying obfuscated malwares. In this research, we propose a solution to overcome this problem by converting the code to an image in the first step and then using a semi-supervised approach combined with contrastive learning. In this case, an obfuscation in the malware bytecode corresponds to an augmentation in the image. Hence, by utilizing meaningful augmentations, which simulate some obfuscation changes and combine them to generate complex ambiguity procedures, our proposed solution is able to construct, learn, and detect a wide range of obfuscations. This work addresses two issues: 1) malware classification despite the data deficiency and 2) obfuscated malware detection by training on non-obfuscated malwares. According to the results, the proposed method overcomes the data shortage problem in malware classification, as its accuracy is 90.1% when just 10% of data is used for training the model. Moreover, training on basic malwares without obfuscation achieved 96.21 percent accuracy in detecting obfuscated malware.

Cryptography and Security

Felipe N. Ducau,Ethan M. Rudd,Tad M. Heppner,Alex Long,Konstantin Berlin

DOI: https://doi.org/10.48550/arXiv.1905.06262

IF: 5.414

2019-05-15

Machine Learning

Abstract:With the rapid proliferation and increased sophistication of malicious software (malware), detection methods no longer rely only on manually generated signatures but have also incorporated more general approaches like machine learning detection. Although powerful for conviction of malicious artifacts, these methods do not produce any further information about the type of threat that has been detected neither allows for identifying relationships between malware samples. In this work, we address the information gap between machine learning and signature-based detection methods by learning a representation space for malware samples in which files with similar malicious behaviors appear close to each other. We do so by introducing a deep learning based tagging model trained to generate human-interpretable semantic descriptions of malicious software, which, at the same time provides potentially more useful and flexible information than malware family names. We show that the malware descriptions generated with the proposed approach correctly identify more than 95% of eleven possible tag descriptions for a given sample, at a deployable false positive rate of 1% per tag. Furthermore, we use the learned representation space to introduce a similarity index between malware files, and empirically demonstrate using dynamic traces from files' execution, that is not only more effective at identifying samples from the same families, but also 32 times smaller than those based on raw feature vectors.

Lannan Luo,Jiang Ming,Dinghao Wu,Peng Liu,Sencun Zhu

DOI: https://doi.org/10.1145/2635868.2635900

2014-11-11

Abstract:Existing code similarity comparison methods, whether source or binary code based, are mostly not resilient to obfuscations. In the case of software plagiarism, emerging obfuscation techniques have made automated detection increasingly difficult. In this paper, we propose a binary-oriented, obfuscation-resilient method based on a new concept, longest common subsequence of semantically equivalent basic blocks, which combines rigorous program semantics with longest common subsequence based fuzzy matching. We model the semantics of a basic block by a set of symbolic formulas representing the input-output relations of the block. This way, the semantics equivalence (and similarity) of two blocks can be checked by a theorem prover. We then model the semantics similarity of two paths using the longest common subsequence with basic blocks as elements. This novel combination has resulted in strong resiliency to code obfuscation. We have developed a prototype and our experimental results show that our method is effective and practical when applied to real-world software.

Keith Dillon

DOI: https://doi.org/10.48550/arXiv.2002.05517

2020-02-10

Abstract:We consider the problem of detecting malware with deep learning models, where the malware may be combined with significant amounts of benign code. Examples of this include piggybacking and trojan horse attacks on a system, where malicious behavior is hidden within a useful application. Such added flexibility in augmenting the malware enables significantly more code obfuscation. Hence we focus on the use of static features, particularly Intents, Permissions, and API calls, which we presume cannot be ultimately hidden from the Android system, but only augmented with yet more such features. We first train a deep neural network classifier for malware classification using features of benign and malware samples. Then we demonstrate a steep increase in false negative rate (i.e., attacks succeed), simply by randomly adding features of a benign app to malware. Finally we test the use of data augmentation to harden the classifier against such attacks. We find that for API calls, it is possible to reject the vast majority of attacks, where using Intents or Permissions is less successful.

Cryptography and Security,Machine Learning