Zhenhe Guo,Zhengkai Liu,Ying Tan

DOI: https://doi.org/10.1007/978-3-540-28648-6_108

2004-01-01

Abstract:Detection of unknown malicious executables is one of most important tasks of Computer Immune System (CIS) studies. By using non-self detection, anomaly detection based on thickness, diversity of anti-body (Ab) and artificial neural networks, this paper proposes an NN-based malicious executables detection algorithm. This algorithm includes three parts, i.e., detector generation, anomaly information extraction and classification. At last, a number of experiments illustrate that this algorithm has high detection rate with very low the false positive rate.

Jungwon Kim,Julie Greensmith,Jamie Twycross,Uwe Aickelin

DOI: https://doi.org/10.48550/arXiv.1003.4142

2010-03-22

Abstract:The analysis of system calls is one method employed by anomaly detection systems to recognise malicious code execution. Similarities can be drawn between this process and the behaviour of certain cells belonging to the human immune system, and can be applied to construct an artificial immune system. A recently developed hypothesis in immunology, the Danger Theory, states that our immune system responds to the presence of intruders through sensing molecules belonging to those invaders, plus signals generated by the host indicating danger and damage. We propose the incorporation of this concept into a responsive intrusion detection system, where behavioural information of the system and running processes is combined with information regarding individual system calls.

Artificial Intelligence,Cryptography and Security,Neural and Evolutionary Computing

LI Hua,LIU Zhi,QIN Zheng,ZHANG Xiao-song

DOI: https://doi.org/10.3969/j.issn.1001-3695.2011.03.094

2011-01-01

Abstract:This paper proposed a new approach that could effectively detect and restrict(unknown) malware,and implemented a prototype system.First,used support vector machine to build classifier,which could judge whether a program was malicious or not,and extracted the malware's signature.Agents running in host could detect malware and stop its execution.To analyze precise behaviors,put samples in virtual machines for executions.Experiment results show compared with naive Bayes and decision tree,our system yields low false positives as well false negatives,and the distributed architecture accelerates restriction.

Zhaoxuan Li,Ziming Zhao,Rui Zhang,Haoyang Lu,Wenhao Li,Fan Zhang,Siqi Lu,Rui Xue

DOI: https://doi.org/10.1016/j.comnet.2024.110563

IF: 5.493

2024-01-01

Computer Networks

Abstract:The continuous emergence of malware has threatened to the Android platform and user privacy. With the evolution of the Android system and malware, it is challenging to design a method that can accurately identify the categories of sophisticated malware, including known and unknown families, as well as their obfuscated variants, given that they may be newly emerging and lack available detection knowledge. Although some methods try to use anomaly detection and zero-shot technology to identify unseen applications, they are limited to binary classification or lack the robustness, stability, universality, and interpretability in multi-class identification. To this end, we first propose a generic meta-features mining algorithm, which can discover the potential relationships between samples belonging to the same category. Then we present metaNet, a novel method leveraging meta-features to identify sophisticated Android malware. Specifically, metaNet is mainly powered by four components: (i) mExtractor is a feature collector to obtain the static and dynamic features. (ii) mProcessor is taking unique meta-features of each category from extracted features. (iii) mLearner is a machine learning suite that leverages features and meta-features to design and train a classifier called HSU-Net. (iv) mEnforcer is a flexible deployer that identifies categories of malware families in the real world. We implement a prototype of metaNet with 15K lines of Python code and compare it with state-of-the-art (SOTA) methods. The results show that it can not only achieve superior performance in terms of known families (99.52% of accuracy) and unknown families (99.31% of accuracy trained with 80% known families) for binary classification, but also perform well in multi-class identification, i.e., 99.05% and 93.45% of accuracy for known and unknown families, respectively. Furthermore, we deploy and evaluate metaNet in the real world. It can identify applications over an acceptable time and memory overheads, i.e., average of 11.8s and 56MB per sample with a size of 8MB. Also, the few-shot detection and feature perturbation experiments reflect its robustness and stability benefiting from meta-features. Finally, we collect the traffic of 112 decentralized applications (DApps) belonging to 16 categories, such as finance and health, and evaluated metaNet in DApp identification. The results illustrate its applicability across various tasks. That is, it can accurately classify 94.6% and 81.36% of DApp flows in all-known and 80%-known DApp scenarios, respectively, outperforming the SOTA methods.

Caiming Liu,Xiaojie Liu,Tao Li,Jinquan Zeng,Lingxi Peng,Yan Zhang

2007-01-01

Abstract:An artificial immunity-based method for dynamic script-virus detection is presented. Antigen and antibody in the environment of virus detection are defined. Processes of self-tolerance and clone selection are simulated. Self and memory antibody are evolved dynamically. The mechanism of dynamic production and elimination of mature antibody is set up. The experiment result shows that the method can detect virus well, andmutated and unknown script-virus can be detected.

Jianguo Ding,Jian Jin,Pascal Bouvry,Yongtao Hu,Haibing Guan

DOI: https://doi.org/10.1109/ICIMP.2009.20

2009-01-01

Abstract:With the rising popularity of the Internet, the resulting increase in the number of available vulnerable machines, and the elevated sophistication of the malicious code itself, the detection and prevention of unknown malicious codes meet great challenges. Traditional anti-virus scanner employs static features to detect malicious executable codes and is hard to detect the unknown malicious codes effectively. We propose behavior-based dynamic heuristic analysis approach for proactive detection of unknown malicious codes. The behavior of malicious codes is identified by system calling through virtual emulation and the changes in system resources. A statistical detection model and mixture of expert (MoE) model are designed to analyze the behavior of malicious codes. The experiment results demonstrate the behavior-based proactive detection is efficient in detecting unknown malicious executable codes.

Fei Chen,Yan Fu

DOI: https://doi.org/10.1109/DBTA.2009.127

2009-01-01

Abstract:In this paper, we propose a new approach for the dynamic detection of malicious executables on the platform of Windows. Our approach extracts signatures of malicious executable's behaviors by using API (Application Program Interface) interception technique which makes possible the detection of unknown malicious executables. The dynamic detection of unknown malicious executables is achieved in three major steps: getting the sequence of API function calls of the executable, processing the API sequence to generate a vector, calculating the similarity between the vector and the feature library constructed by security policies to verify if the executable is malicious. The experiment confirms that this approach is effective in detection of unknown malicious executables.

鲍欣龙,马建辉,罗文坚,曹先彬,王煦法

DOI: https://doi.org/10.3969/j.issn.1002-137X.2005.01.021

2005-01-01

Computer Science

Abstract:Lacking the ability of recognizing and processing the unknown viruses is one of the major limitations of common anti-virus technologies. Inspired by the vertebrate immune system,this paper puts forward and accomplished a novel immune recognition model and algorithm. Referencing the immune evolutionary learning mechanic and posi- tive/negative selection mechanic,this model and algorithm make the detectors and "self" to change by self-adaptation. This paper gives out the detailed implementation of this algorithm. Experiments on several real viruses prove that this algorithm has a good ability on recognizing unknown viruses and wide prospective application fields.

Bo Yun Zhang,Xi Ai Yan,De Quan Tang

DOI: https://doi.org/10.1088/1742-6596/1087/6/062026

2018-09-01

Journal of Physics: Conference Series

Abstract:This paper describes the research status and progress of malicious code intelligent detection techniques. It introduced the research background of the malicious code detection. Then the classified and analyzed research work from the theoretical research on malicious code detection, malicious code static detection and dynamic detection, integrated detection and based on biological immune detection techniques are described in detail. The contrastive analysis of different detection methods principle and further study on the future directions are discussed.

Wei Deng,Qiao Liu,Hongrong Cheng,Zhiguang Qin

2011-01-01

Journal of Computational Information Systems

Abstract:Malware has been posing a major threat for computer systems. The huge amount and diversity of its variants, such as computer viruses, Internet worms and Trojan horses, render classic security defenses ineffective. For the existence of active adversaries which constantly attempt to evade anti-malware, traditional signature-based approaches fail to detect malware which is new or obfuscated. This paper presents a general malware detection framework based on Kolmogorov complexity. As an example, we use a statistical data compression model which is Dynamic Markov Compression (DMC) to classify a code instance either as a "malware" or "benign" code instance. Our preliminary results are very promising. Our experimental results also demonstrate the framework can effectively detect unknown and obfuscated malware with high quality. © 2005 by Binary Information Press.

Wei Wang,Peng-tao Zhang,Ying Tan,Xin-gui He

DOI: https://doi.org/10.1631/jzus.c1000445

2011-01-01

Journal of Zhejiang University SCIENCE C

Abstract:Along with the evolution of computer viruses, the number of file samples that need to be analyzed has constantly increased. An automatic and robust tool is needed to classify the file samples quickly and efficiently. Inspired by the human immune system, we developed a local concentration based virus detection method, which connects a certain number of two-element local concentration vectors as a feature vector. In contrast to the existing data mining techniques, the new method does not remember exact file content for virus detection, but uses a non-signature paradigm, such that it can detect some previously unknown viruses and overcome the techniques like obfuscation to bypass signatures. This model first extracts the viral tendency of each fragment and identifies a set of statical structural detectors, and then uses an information-theoretic preprocessing to remove redundancy in the detectors’ set to generate ‘self’ and ‘nonself’ detector libraries. Finally, ‘self’ and ‘nonself’ local concentrations are constructed by using the libraries, to form a vector with an array of two elements of local concentrations for detecting viruses efficiently. Several standard data mining classifiers, including K-nearest neighbor (KNN), radial basis function (RBF) neural networks, and support vector machine (SVM), are leveraged to classify the local concentration vector as the feature of a benign or malicious program and to verify the effectiveness and robustness of this approach. Experimental results show that the proposed approach not only has a much faster speed, but also gives around 98% of accuracy.

Jinrong Bai,Junfeng Wang,Guozhong Zou

DOI: https://doi.org/10.1155/2014/260905

Abstract:Malware has become one of the most serious threats to computer information system and the current malware detection technology still has very significant limitations. In this paper, we proposed a malware detection approach by mining format information of PE (portable executable) files. Based on in-depth analysis of the static format information of the PE files, we extracted 197 features from format information of PE files and applied feature selection methods to reduce the dimensionality of the features and achieve acceptable high performance. When the selected features were trained using classification algorithms, the results of our experiments indicate that the accuracy of the top classification algorithm is 99.1% and the value of the AUC is 0.998. We designed three experiments to evaluate the performance of our detection scheme and the ability of detecting unknown and new malware. Although the experimental results of identifying new malware are not perfect, our method is still able to identify 97.6% of new malware with 1.3% false positive rates.

Mengsong Song Zou,Lan-sheng Han,Qi-wen Liu,Ming Liu

DOI: https://doi.org/10.1109/YCICT.2009.5382354

2009-01-01

Abstract:As more polymorphic malicious codes coming into being, traditional anti-virus methods can not satisfy the current need. In order to achieve some specific functions, malicious codes must have some behaviors which are different from that of the normal programs. Focus on the difference between normal programs and the malicious codes the paper applies Support Vector Machine (SVM) and creates a space of virus API feature vector and a hyper-plane to divide the API space into two parts: malicious codes and normal program. Moreover, behaviors of different kinds of malicious codes are collected and 1-v-1 Multi-class SVM is introduced to detect those behaviors. Furthermore the paper constructs the application structure and selects large amount of test executable samples. Through statistics, analysis and calculation on those samples, the results verify our method. ©2009 IEEE.

Zongqu Zhao,Junfeng Wang,Chonggang Wang

DOI: https://doi.org/10.1002/sec.524

IF: 1.968

2012-02-28

Security and Communication Networks

Abstract:The traditional malware detection schemes based on specific signature give an unsatisfactory performance as disposing the previously unknown malware, so the general features of binary files should be explored to solve this problem. Recently, classification algorithms were employed successfully to choose the features in unknown malicious code, and most of the works use byte or operation code sequence n‐gram representation of the executables. However, these n‐gram representations are heavily dependent on the training data. In this paper, we present a graph‐based method to detect unknown malware. The function call graph of an executable, which includes the functions and the call relations between them, is selected as the representation of the executable in this method. The features are defined according to both the statistical information and the topology of the function call graph. They are extracted and processed through machine learning to classify unknown Portable Executable files. For the sake of fixed sum of the features, the graph‐based method can avoid so many features found in other methods. In our experiments, three types of malware datasets were tested, and as high as 96.8% accuracy can be achieved. Furthermore, it can achieve 92.1% accuracy when only 5% of the dataset is served as training set. Copyright © 2012 John Wiley & Sons, Ltd. To detect the unknown malware, the features of graph‐based method are predefined from function call graph of software, and then the rules are built with these features to classify an executable as the benign or the malware. The quantity and the contents of these features are independent of testing dataset, and this peculiarity enables our experiment results to nearly reflect the situation of unknown malware detection. The design can provide a high malware detection accuracy by using a small set of training set.

computer science, information systems,telecommunications

Tzu-Ling Wan,Tao Ban,Shin-Ming Cheng,Yen-Ting Lee,Bo Sun,Ryoichi Isawa,Takeshi Takahashi,Daisuke Inoue

DOI: https://doi.org/10.1109/ojcs.2020.3033974

2020-01-01

IEEE Open Journal of the Computer Society

Abstract:Simple implementation and autonomous operation features make the Internet-of-Things (IoT) vulnerable to malware attacks. Static analysis of IoT malware executable files is a feasible approach to understanding the behavior of IoT malware for mitigation and prevention. However, current analytic approaches based on opcodes or call graphs typically do not work well with diversity in central processing unit (CPU) architectures and are often resource intensive. In this paper, we propose an efficient method for leveraging machine learning methods to detect and classify IoT malware programs. We show that reliable and efficient detection and classification can be achieved by exploring the essential discriminating information stored in the byte sequences at the entry points of executable programs. We demonstrate the performance of the proposed method using a large-scale dataset consisting of 111K benignware and 111K malware programs from seven CPU architectures. The proposed method achieves near optimal generalization performance for malware detection (99.96 accuracy) and for malware family classification (98.47 accuracy). Moreover, when CPU architecture information is considered in learning, the proposed method combined with support vector machine classifiers can yield even higher generalization performance using fewer bytes from the executable files. The findings in this paper are promising for implementing light-weight malware protection on IoT devices with limited resources.

Wei Wang,Pengtao Zhang,Ying Tan,Xingui He

DOI: https://doi.org/10.1109/CIS.2009.57

2009-01-01

Abstract:As viruses become more complex, existing antivirus methods are inefficient to detect various forms of viruses, especially new variants and unknown viruses. Inspired by immune system, a hierarchical artificial immune system (AIS) model, which is based on matching in three layers, is proposed to detect a variety of forms of viruses. In the bottom layer, a non-stochastic but guided candidate virus gene library is generated by statistical information of viral key codes. Then a detecting virus gene library is upgraded from the candidate virus gene library using negative selection. In the middle layer, a novel storage method is used to keep a potential relevance between different signatures on the individual level, by which the mutual cooperative information of each instruction in a virus program can be collected. In the top layer, an overall matching process can reduce the information loss considerably. Experimental results indicate that the proposed model can recognize obfuscated viruses efficiently with an averaged recognition rate of 94%, including new variants of viruses and unknown viruses.

Chen Zhongmin,Wang Yu,Xu Baowen

DOI: https://doi.org/10.1109/wicom.2007.446

2007-01-01

Abstract:Mobile agent technology could be used to solve the problems on intrusion detection in network security area, while immune principle could supply reference to algorithm design of agent for detecting and analyzing data. In this paper, the detecting algorithm based on the immune principle, including the definition of problem domain, computation of affinity between the antibody and antigen,as well as between antibody, the generation of the detectors, has been elaborated. The algorithm of negative selection used in the agent has been improved The experimental result indicates that the algorithm is more adaptive than the original one.

Jing Tao,Yan Zhang,Pengfei Cao,Zheng Wang,Qiqi Zhao

DOI: https://doi.org/10.1007/978-3-319-65482-9_26

2017-01-01

Abstract:At present, Android malwares become more and more subtle and intelligent, after their invasion, they often detect whether the running environment is a real environment, to decide whether to perform their malicious behavior. Therefore, malware tend to execute different behavior when running in different environments. Benign applications will perform the same functions in different environments, their behaviors have a strong consistency. Based on this basic idea, we design an Android malware detection method based on behavior comparison analysis. First, design and development a number of specific different running environments, and then execute application in these environments. With the same event input, record and compare the behaviors of this application, calculate the difference, determine whether it is malicious. Under the guidance of this thought, we design and development the Android malware detection system EmuProtect. We evaluate EmuProtect system from the aspects of accuracy and validity, the results show that this system can effectively detect Android malicious applications.

zhiyin liang,tao wei,yu zong chen,xinhui han,jianwei zhuge,wanhong zou

2007-01-01

Abstract:In recent years with the popularity of source code sharing, the number of types of malware increases sharply; furthermore, malwares are also getting more and more sophisticated. These developments together propose a tremendous challenge to traditional ways of analyzing malware. One way to handle such challenge is to develop tools to automate the analyzing task, and in this paper we describe one such method for static analysis of malware. Inspired by the observation that a malicious executable usually consists of several components, each performing certain tasks, and that these components are often reused by others, our method employs techniques from reverse engineering and data clustering to component decomposing of an executable. For each component obtained, we then match it against a library of known malware components to identify it. For malicious programs, we further utilize the match result to classify them. We have built a prototype system called CompSim, and have applied it to analyze bot-like malicious executables. Initial results show that our approach has outperformed classical signature-based detection method in terms of false negative rate. Furthermore, comparing to dynamic analysis methods and model checking methods, our static method has the advantage of larger analytical coverage.

Amir Djenna,Ahmed Bouridane,Saddaf Rubab,Ibrahim Moussa Marou

DOI: https://doi.org/10.3390/sym15030677

2023-03-09

Symmetry

Abstract:Malware, a lethal weapon of cyber attackers, is becoming increasingly sophisticated, with rapid deployment and self-propagation. In addition, modern malware is one of the most devastating forms of cybercrime, as it can avoid detection, make digital forensics investigation in near real-time impossible, and the impact of advanced evasion strategies can be severe and far-reaching. This makes it necessary to detect it in a timely and autonomous manner for effective analysis. This work proposes a new systematic approach to identifying modern malware using dynamic deep learning-based methods combined with heuristic approaches to classify and detect five modern malware families: adware, Radware, rootkit, SMS malware, and ransomware. Our symmetry investigation in artificial intelligence and cybersecurity analytics will enhance malware detection, analysis, and mitigation abilities to provide resilient cyber systems against cyber threats. We validated our approach using a dataset that specifically contains recent malicious software to demonstrate that the model achieves its goals and responds to real-world requirements in terms of effectiveness and efficiency. The experimental results indicate that the combination of behavior-based deep learning and heuristic-based approaches for malware detection and classification outperforms the use of static deep learning methods.

multidisciplinary sciences