Sun Haoliang,Wang Dawei,Zhang Ying

DOI: https://doi.org/10.1109/iccsn.2019.8905286

2019-01-01

Abstract:Nowadays, a major challenge to network security is malicious codes. However, manual extraction of features is one of the characteristics of traditional detection techniques, which is inefficient. On the other hand, the features of the content and behavior of the malicious codes are easy to change, resulting in more inefficiency of the traditional techniques. In this paper, a K-Means Clustering Analysis is proposed based on Adaptive Weights (AW-MMKM). Identifying malicious codes in the proposed method is based on four types of network behavior that can be extracted from network traffic, including active, fault, network scanning, and page behaviors. The experimental results indicate that the AW-MMKM can detect malicious codes efficiently with higher accuracy.

Wei Deng,Qiao Liu,Hongrong Cheng,Zhiguang Qin

2011-01-01

Journal of Computational Information Systems

Abstract:Malware has been posing a major threat for computer systems. The huge amount and diversity of its variants, such as computer viruses, Internet worms and Trojan horses, render classic security defenses ineffective. For the existence of active adversaries which constantly attempt to evade anti-malware, traditional signature-based approaches fail to detect malware which is new or obfuscated. This paper presents a general malware detection framework based on Kolmogorov complexity. As an example, we use a statistical data compression model which is Dynamic Markov Compression (DMC) to classify a code instance either as a "malware" or "benign" code instance. Our preliminary results are very promising. Our experimental results also demonstrate the framework can effectively detect unknown and obfuscated malware with high quality. © 2005 by Binary Information Press.

ZHAO Yi,GONG Jian,YANG Wang

DOI: https://doi.org/10.3969/j.issn.1000-436x.2014.z1.011

2014-01-01

Abstract:The analysis of malicious code’s network behavior is an important research field of network security. This function of existed systems is incomplete and not deep. The functions of malicious code are summarized and a compre-hensive content is presented. Moreover the network behavior analysis function of existed analysis systems is introduced and CUCKOO which is able to satisfy the requirements of involved study is found. Finally the advantage and points of this application platform were summarized, and an expansion of the system was proposed.

Wen Wei-ping,Qing Si-han

DOI: https://doi.org/10.1007/bf02828623

2005-01-01

Abstract:With the explosive growth of network applications, the threat of the malicious code against network security becomes increasingly serious. In this paper we explore the mechanism of the malicious code by giving an attack model of the malicious code, and discuss the critical techniques of implementation and prevention against the malicious code. Theremaining problems and emerging trends in this area are also addressed in the paper.

ZHAO Yun-cheng,MU De-jun,DAI Hang

DOI: https://doi.org/10.3969/j.issn.1673-629X.2013.10.028

2013-01-01

Abstract:With the constantly accelerating process of global informationization,the computer network is widely applicable.Meanwhile,network security issues are also increasingly intensified.Static detection and dynamic detection are two major malware detection technologies.However,both techniques have their merits and shortcomings,cannot respond to changing network situation.Therefore,on the basis of fully integrated with the merits and shortcomings of these two kinds of detection technologies,propose a novel malware detection system based on the combination of the static and dynamic.Experimental verification shows that the system can be more efficient detection of malware,reducing the rate of false positives,and consuming less system resources.

Dongzhi Cao,Xinglan Zhang,Zhenhu Ning,Jianfeng Zhao,Fei Xue,Yongli Yang

DOI: https://doi.org/10.1145/3297156.3297246

2018-01-01

Abstract:With the rapid development of the Internet, people have variety in their life style. While the Internet is developing rapidly, some malware has also been generated, and the number of malicious codes grows exponentially, which seriously affects the security of the Internet. In the prevention of malicious code, the accurate classification of malicious code is the most critical components. At present, researchers mainly focus on static detection and dynamic detection to study malicious code variant detection schemes. In the study of malicious code classification, this paper first analyzes the limitations of static detection and dynamic detection, then employs convolution neural networks to classify and identify malicious code, and finally implements an efficient malicious code detection system based on convolutional neural networks. Our malware detection model realizes the idea of automatic detection of malicious code variants. Experimental results demonstrated that the proposed malicious code detection system is efficient.

Yi Xin,Binxing Fang,Xiaochun Yun,Zhenyu Hun

DOI: https://doi.org/10.3772/j.issn.1002-0470.2008.10.007

2008-01-01

Abstract:This paper proposes a distributed malcode detection model based on distributed hash table(DHT)protocol for P2P networks and describes the functions and implementation of each part.The model uses an improved Rabin fingerprint al- gorithm to automatically extract malcode signatures.It also proposes the strategy of information communion based on dis- tributed storing of the fingerprints of substring,and on the basis of this,presents the algorithm of malcode detection under a distributed system.It is shown that this model can be applied to malcode detection in large scale networks.

Bo Yun Zhang,Xi Ai Yan,De Quan Tang

DOI: https://doi.org/10.1088/1742-6596/1087/6/062026

2018-09-01

Journal of Physics: Conference Series

Abstract:This paper describes the research status and progress of malicious code intelligent detection techniques. It introduced the research background of the malicious code detection. Then the classified and analyzed research work from the theoretical research on malicious code detection, malicious code static detection and dynamic detection, integrated detection and based on biological immune detection techniques are described in detail. The contrastive analysis of different detection methods principle and further study on the future directions are discussed.

Qian-feng CHU,Xin-yu ZHU,Gong-shen LIU

DOI: https://doi.org/10.3969/j.issn.1002-0802.2017.07.028

2017-01-01

Abstract:The proliferation of malicious code threatens the information and property security of the people at all times. The facts indicate that many new types of malicious code are variants of the existing code, and by using the deformation, packing, polymorphism, code disruption and other technologies to modify these existing malicious codes, the scanning from traditional detection technologies could be avoided. For this reason, and based on static mode, dynamic and combination of both modes, the homology judgment technologies of malicious codes are summarized and classified, and their basic principles, implement details, features, strengths and limitations also discussed, expecting to effectively solve the detection and processing of newly-emerging malicious codes. Finally, the development direction of homology judgment technologies is forecasted, thus to promote the further research.

Wu Bing,Yun Xiaochun

2012-01-01

Abstract:We present the dynamic information security theory model: P2DR to deal with malware epidemics. The model includes the following stages: detection of a malware epidemic by detection system, establishment of countermeasure strategy in strategy coordination center, activation of protection and response system, defense system activation for real-time protection and response. The process is a periodic one in which the strategy is adjusted dynamically. In the model we propose, the detection system is considered to be the key component. Based on our analysis of traditional IDS architecture, we think that it is not suitable for inspecting high speed network traffic and monitoring multivariant malware epidemics. Therefore, we propose a parallel detection model which can be applied to the backbone network matched with appropriate protocol parsing. Normalized taxonomy is also presented for the detection rules of malware. Five detection rule sets are covered, namely, match rules based on deep content pre-processing, special algorithms, binary level, binary level requiring network information checks, and pure network information. A Virus Detection System is realized based on the framework above.

Bo Yu

DOI: https://doi.org/10.17762/de.vi.372

2020-01-01

Design Engineering

Abstract:Modern computers and network technologies are constantly improving. The role of communication networks in people's learning, work, and life is also increasingly important. However, there are still many security risks in computer communication networks. Malicious code is one of the main factors that threaten its stability and security. This paper studies the key technologies of malicious code emergency response in computer communication network security, and provides a useful reference for computer communication network security defense.

Jia Zhang,Yuntao Guan,Xiaoxin Jiang,Hai-Xin Duan,Jianping Wu

DOI: https://doi.org/10.1109/waim.2008.44

2008-01-01

Abstract:With the development of malicious code technology, the number of malicious code has continued to increase. So it is imperative to optimize the traditional manual analysis method by automatic malicious code analysis system. This paper presents AMCAS--an automatic malicious code analysis system. It includes malicious code static analyzer, dynamic analyzer and network behavior analyzer. Compared with some existing automatic analysis systems, this system integrates the advantages of static and dynamic analysis, and imports network behavior analysis. Static analyzer can get the unpacked binary code and CallGraph; dynamic analyzer can get the host behavior of malicious code and network behavior analyzer can get the malicious network behavior profile. Experiment shows that this system can get malicious code information efficiently.

Zhenyu Zhang,Wujun Zhang,Jianfeng Wang,Xiaofeng Chen

DOI: https://doi.org/10.1007/978-3-642-55032-4_71

2014-01-01

Abstract:With the rapid development of cloud computing technique, network security has attracted more and more attention. Of all the network threats, malicious code is the major one. Due to the surge of number and species diversity of the malicious code, it is intractable for the existing antivirus techniques to defense all of the attacks. In this paper, we construct an effective cloud-based active defense system against malicious code. The constructed system utilizes the honey-pot subsystem to collect threaten data, and multiple behavior analysis engines work in parallel to generate a comprehensive program behavior analysis report. Furthermore, there are intelligent algorithms running on several computing servers to achieve automatic intelligent analysis on the reports. Associated with the multiple scan engines form a comprehensive, reinforced and more intelligent active defense system.

Zhimin Yin,Xiangzhan Yu,Linhua Niu

DOI: https://doi.org/10.2991/icaise.2013.45

2013-01-01

Abstract:The malicious code on the network is increasingly rampant that the traditional detection method of characteristic code has been difficult to deal with malicious code, with features of various variants, deformations and other problems. In this paper we present a new static analysis model based on software fingerprint to distinguish malicious codes. Through obtaining the software call graph by disassembling the binary file and mapping it as an image, shape moments can be obtained as the software fingerprint based on the retrieval theory of content image, combined with moment theory and the image's color, texture and shape features. The idea of pattern matching is used to measure the extracted software fingerprint similarity to determine whether it is malicious code or not. Then, we analyze the collected program samples. Test and verify whether the program has good performance in uniqueness, invariability and sensibility.

Liu Yang,Wang Xuan,Long Hanlin,Tian Zhicheng,Qi Shuhan,Zhang Jiajia,Xia Wen,Tang Linlin

2021-01-01

Abstract:The invention discloses a malicious software detection method. The method comprises the following steps: determining to-be-detected target software; obtaining a system call name and a network activityevent of the target software; sorting the system call names and the network activity events of the target software in a unified mode according to timestamps, and generating aggregation dynamic characteristics of the target software through encoding; inputting the aggregation dynamic characteristics of the target software into a pre-trained target neural network model based on a sequence converterstructure to obtain an output result; and determining whether the target software is malicious software or not according to the output result. By applying the technical scheme provided by the invention, the malicious software in the terminal is effectively detected by combining the system call name of the software and the network activity event and utilizing the structure of the sequence converter, so that the normal operation of the terminal is prevented from being influenced, and the user experience is improved. The invention further discloses a malicious software detection device which hasthe corresponding technical effects.

Yichi Zhang,Jianmin Pang,Rongcai Zhao,Zhichang Guo

DOI: https://doi.org/10.1109/ICICISYS.2010.5658423

2010-01-01

Abstract:With the rapidly development of virus technology, the number of malicious code has continued to increase. So it is imperative to optimize the traditional manual analysis method by automatic maliciousness decision system. Motivated by the inference technique for detecting viruses, and a recent successful classification method, we explore Radux - an automatic software maliciousness decision system. It rests on artificial neural network based on behavior hidden in malicious code. Decompile technique is applied to characterize behavioral and structural properties of binary code, which creates more abstract descriptions of malware. Experiment shows that this system can decision software maliciousness efficiently. ©2010 IEEE.

Wei Li,Chenyi Zhang,Jieying Zhou,Dan Wang,Nuannuan Li

DOI: https://doi.org/10.1088/1742-6596/2010/1/012165

2021-09-01

Journal of Physics: Conference Series

Abstract:Abstract In recent years, malicious code emerges in endlessly. New types of malicious code evade the traditional malicious code detection technology through polymorphism, shelling, confusion and other ways. In order to solve the challenges brought by various technologies to the research of malicious code detection, in this paper, we propose a malicious code detection method based on static features and ensemble learning. This method extracts the information in the PE header file of malicious code samples as static features, and on this basis, builds a malicious code detection model by using stacking ensemble learning. In order to verify the effectiveness of the model, experiments are carried out on a dataset containing 5000 malicious codes and 4943 benign codes. Experiments show that the classification model based on stacking ensemble learning is the best, with 97.22% precision rate and 96.45% stable F1 score.

Zhihua Cui,Lei Du,Penghong Wang,Xingjuan Cai,Wensheng Zhang

DOI: https://doi.org/10.1016/j.jpdc.2019.03.010

IF: 4.542

2019-01-01

Journal of Parallel and Distributed Computing

Abstract:An increasing amount of malicious code causes harm on the internet by threatening user privacy as one of the primary sources of network security vulnerabilities. The detection of malicious code is becoming increasingly crucial, and current methods of detection require much improvement. This paper proposes a method to advance the detection of malicious code using convolutional neural networks (CNNs) and intelligence algorithm. The CNNs are used to identify and classify grayscale images converted from executable files of malicious code. Non-dominated Sorting Genetic Algorithm II (NSGA-II) is then employed to deal with the data imbalance of malware families. A series of experiments are designed for malware image data from Vision Research Lab. The experimental results demonstrate that the proposed method is effective, maintaining higher accuracy and less loss.

Tao Li,Wenzhe Dong,Aiqun Hu,Jinguang Han

DOI: https://doi.org/10.1155/2022/3105291

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Since network systems have become increasingly large and complex, the limitations of traditional abnormal packet detection have gradually emerged. The existing detection methods mainly rely on the recognition of packet features, which lack the association of specific applications and result in hysteresis and inaccurate judgement. In this paper, a task-oriented abnormal packet behavior detection method is proposed, which creatively collects action identifications during the execution of network tasks and inserts security labels into communication packets. Specifically, this paper defines the network tasks as a collection of state and action sequences to achieve the fine-grained division of the execution of network tasks, performs Hash value matching based on random communication string and action identification sequence for packet authentication, and proposes a mechanism of action identification sequence matching and abnormal behavior decision-making based on a finite state machine, according to the fine-grained monitoring of task execution action sequence. Furthermore, to verify the validity of the anomaly detection method proposed in this paper, a prototype based on the FTP communication platform is constructed, on which the simulation experiments, including the DDOS attack and backdoor attack, are conducted. The experimental results show that the proposed task-oriented abnormal behavior detection method can effectively intercept network malicious data packets and realize the active security defense for network systems.

Wenwu Li,Chao Li,Miyi Duan

DOI: https://doi.org/10.1109/ccis.2014.7175735

2014-01-01

Abstract:Authors of obfuscated malicious code generally use the code obfuscation counter technology to improve the difficulty of being reversely analyzed for programming and hide critical code, data and program logic. The detection for malicious code of code obfuscation has become one of the popular topics being researched both domestically and abroad. In this study, a method for detecting the obfuscated malicious code with behavior connection is proposed. In this method, malicious acts are described based on the extended control flow graph to improve the descriptive power of self-modifying and obfuscated code. Furthermore, interference from malicious code brought by shell adding and obfuscation is eliminated by combining the method of stain diffusion and symbolic execution. Then malicious codes are extracted and detected based on behavior connection feature. As a result, accuracy of detecting the obfuscated malicious code is enhanced.