Cheng Wang,Zheng Qin,Jixin Zhang,Hui Yin

DOI: https://doi.org/10.1504/ijcse.2020.105209

2019-01-01

International Journal of Computational Science and Engineering

Abstract:Malware is one of the most terrible and major security threats facing the internet today, which can be defined as any type of malicious code to harm a computer or network. As malware variants can be equipped with sophisticated mechanisms to bypass traditional detection systems, in this paper, we propose a malware variant detection approach that can automatically, rapidly and accurately detect malware variants. In our approach, we present an asynchronous architecture for automated training and detection. Under this architecture, to improve the detection speed while retaining the accuracy, we propose an information entropy-based feature extraction method to extract a few but very useful features and a distance-based weight learning method to weight these features. To further improve the detection speed, we propose our fast density-based clustering algorithm. We evaluate our approach with a number of Windows-based malware instances which belong to six large families, and our experiments demonstrate that our automated malware variant detection method is able to achieve high accuracy with a significant speedup compared with the other state-of-art approaches.

Hongying Tang,Bo Zhu,Kui Ren

DOI: https://doi.org/10.1007/978-3-642-02617-1_24

2010-01-01

Abstract:Malware has become one of the most serious threats to computer users. Early techniques based on syntactic signatures can be easily bypassed using program obfuscation. A promising direction is to combine Control Flow Graph (CFG) with instruction-level information. However, since previous work includes only coarse information, i.e., the classes of instructions of basic blocks, it results in false positives during the detection. To address this issue, we propose a new approach that generates formalized expressions upon assignment statements within basic blocks. Through combining CFG with the functionalities of basic blocks, which are represented in terms of upper variables with their corresponding formalized expressions and system calls (if any), our approach can achieve more accurate malware detection compared to previous CFG-based solutions.

GAO Ying,CHEN Yi-yun,HUA Bao-jian

2008-01-01

Abstract:Nowadays, code obfuscation plays a more and more role in writing variations for malware. Unfortunately, the obfuscated variation invalidates the text-based malware detector. This paper proposes a semantics-based framework of malware detection for detecting whether a program is a variation of the malware. For that purpose, both of symbolic states are collected by symbolic execution, and then prove the semantics is satisfied with the definition of variation relationship. This framework can detect whether the malware is the variation of its obfuscated program, which will largely reduce the updating of virus definition database. Finally, the prototype which implements the framework shows the feasibility of the semantics-based framework of malware detection.

Yao Du,Junfeng Wang,Qi Li

DOI: https://doi.org/10.1109/access.2017.2720160

IF: 3.9

2017-01-01

IEEE Access

Abstract:With the development of code obfuscation and application repackaging technologies, an increasing number of structural information-based methods have been proposed for malware detection. Although, many offer improved detection accuracy via a similarity comparison of specific graphs, they still face limitations in terms of computation time and the need for manual operation. In this paper, we present a new malware detection method that automatically divides a function call graph into community structures. The features of these community structures can then be used to detect malware. Our method reduces the computation time by improving the Girvan–Newman algorithm and using machine learning classification instead of a similarity comparison of subgraphs. To evaluate our method, 5040 malware samples and 8750 benign samples were collected as an experimental data set. The evaluation results show that the detection accuracy of our method is higher than that of three well-known anti-virus software and two previous control flow graph-based methods for many malware families. The runtime performance of our method exhibits a clear improvement over the GN algorithm for community structure generation.

Chenzhong Yin,Hantang Zhang,Mingxi Cheng,Xiongye Xiao,Xinghe Chen,Xin Ren,Paul Bogdan

2023-12-20

Abstract:Malware represents a significant security concern in today's digital landscape, as it can destroy or disable operating systems, steal sensitive user information, and occupy valuable disk space. However, current malware detection methods, such as static-based and dynamic-based approaches, struggle to identify newly developed (``zero-day") malware and are limited by customized virtual machine (VM) environments. To overcome these limitations, we propose a novel malware detection approach that leverages deep learning, mathematical techniques, and network science. Our approach focuses on static and dynamic analysis and utilizes the Low-Level Virtual Machine (LLVM) to profile applications within a complex network. The generated network topologies are input into the GraphSAGE architecture to efficiently distinguish between benign and malicious software applications, with the operation names denoted as node features. Importantly, the GraphSAGE models analyze the network's topological geometry to make predictions, enabling them to detect state-of-the-art malware and prevent potential damage during execution in a VM. To evaluate our approach, we conduct a study on a dataset comprising source code from 24,376 applications, specifically written in C/C++, sourced directly from widely-recognized malware and various types of benign software. The results show a high detection performance with an Area Under the Receiver Operating Characteristic Curve (AUROC) of 99.85%. Our approach marks a substantial improvement in malware detection, providing a notably more accurate and efficient solution when compared to current state-of-the-art malware detection methods.

Cryptography and Security,Artificial Intelligence,Machine Learning

Weizhong Qiang,Lin Yang,Hai Jin

DOI: https://doi.org/10.1016/j.cose.2022.102871

2022-08-10

Abstract:Nowadays, the rapid growth of the number and variety of malware brings great security challenges. Machine learning has become a mainstream tool for effective malware detection, which can mainly be classified into static and dynamic analysis methods. The purpose of malware detection is to have a good and stable detection performance for different software forms. However, many static analysis methods are easily affected by packing and other code obfuscation techniques, and dynamic analysis methods are commonly believed more robust, while the impact of packing on them has received little attention. In addition, adversarial sample attacks against dynamic analysis methods have also been conducted. This indicates the need to investigate more accurate and robust malware classification methods. In this paper, we propose a new robust dynamic analysis method for malware detection by using specific fine-grained behavioral features, i.e., control flow traces. Further, a malware classifier is constructed by converting control flow traces into byte sequences and applying a combination of convolutional neural networks and long short term memory . The proposed classifier can effectively detect malware with an accuracy of up to 95.7%, as well as detect unseen malware with an accuracy of 94.6% (indicating a good performance in handling the evolution of malware). Meanwhile, it is first found experimentally that packing has specific interference with existing behavior-based malware classifiers, resulting in even worse performance than static classifiers in some cases. However, the proposed classifier performs well in terms of robustness, showing stable performance under the interference of an uneven packing distribution in the dataset, with a 26.3% higher true positive rate for unpacked samples compared to the API call-based classifier. In addition, the classifier is also more robust against adversarial samples, with a detection rate of at least 83%.

computer science, information systems

Shanxi Li,Qingguo Zhou,Wei

DOI: https://doi.org/10.3837/tiis.2021.09.010

2021-01-01

KSII Transactions on Internet and Information Systems

Abstract:Malware is a severe threat to the computing system and there's a long history of the battle between malware detection and anti-detection. Most traditional detection methods are based on static analysis with signature matching and dynamic analysis methods that are focused on sensitive behaviors. However, the usual detections have only limited effect when meeting the development of malware, so that the manual update for feature sets is essential. Besides, most of these methods match target samples with the usual feature database, which ignored the characteristics of the sample itself. In this paper, we propose a new malware detection method that could combine the features of a single sample and the general features of malware. Firstly, a structure of Directed Cyclic Graph (DCG) is adopted to extract features from samples. Then the sensitivity of each API call is computed with Markov Chain. Afterward, the graph is merged with the chain to get the final features. Finally, the detectors based on machine learning or deep learning are devised for identification. To evaluate the effect and robustness of our approach, several experiments were adopted. The results showed that the proposed method had a good performance in most tests, and the approach also had stability with the development and growth of malware.

Jingling Zhao,Suoxing Zhang,Bohan Liu,Baojiang Cui

DOI: https://doi.org/10.1109/icccn.2018.8487459

2018-01-01

Abstract:As millions of new malware samples emerge every day, traditional malware detection techniques are no longer adequate. Static analysis methods, such as file signature, fail to detect unknown programs. Dynamic analysis methods have low efficiency and high false positive rate. We need a detection technique that can adapt to the rapidly changing malware ecosystem. The paper presented a new malware detection method using machine learning based on the combination of dynamic and static features. The characteristic of this experiment involved in many fields of knowledge, including binary program instrumentation, static analysis, assembly instruction analysis, machine learning, etc. Finally, we achieved a good result over a substantial number of malwares.

Jixin Zhang,Zheng Qin,Hui Yin,Lu Ou,Yupeng Hu

DOI: https://doi.org/10.1109/icpads.2016.0155

2016-01-01

Abstract:Malware detection becomes mission critical as its threats spread from personal computers to industrial control systems. Modern malware generally equips with sophisticated anti-detection mechanisms such as code-morphism, which allows the malware to evolve into many variants and bypass traditional code feature based detection systems. In this paper, we propose to disassemble binary executables into opcodes sequences, and then convert the opcodes into images. By using convolutional neural network to compare the opcode images generated from binary targets with the opcode images generated from known malware sample codes, we can detect if the target binary executables is malicious. Theoretical analysis and real-life experiments results show that malware detection using visualized analysis is comparable in terms of accuracy, our approach can significantly improve 15% of detection accuracy when the detection set contains a large quantity of binaries and the training set is much smaller.

Reza Mirzazadeh,Mohammad Hossein Moattar,Majid Vafaei Jahan

DOI: https://doi.org/10.48550/arXiv.1811.04304

2018-11-11

Abstract:The most common malware detection approaches which are based on signature matching and are not sufficient for metamorphic malware detection, since virus kits and metamorphic engines can produce variants with no resemblance to one another. Metamorphism provides an efficient way for eluding malware detection software kits. Code obfuscation methods like dead-code insertion are also widely used in metamorphic malware. In order to address the problem of detecting mutated generations, we propose a method based on Opcode Graph Similarity (OGS). OGS tries to detect metamorphic malware using the similarity of opcode graphs. In this method, all nodes and edges have a respective effect on classification, but in the proposed method, edges of graphs are pruned using Linear Discriminant Analysis (LDA). LDA is based on the concept of searching for a linear combination of predictors that best separates two or more classes. Most distinctive edges are identified with LDA and the rest of edges are removed. The metamorphic malware families considered here are NGVCK and metamorphic worms that we denote these worms as MWOR. The results show that our approach is capable of classifying metamorphosed instances with no or minimum false alarms. Also, our proposed method can detect NGVCK and MWOR with high accuracy rate.

Cryptography and Security

Hao Bai,Chang-Zhen Hu,Xiao-Chuan Jing,Ning Li,Xiao-Yin Wang

DOI: https://doi.org/10.1049/iet-ifs.2012.0343

2014-01-01

IET Information Security

Abstract:Malware identification is the process of determining the maliciousness of a program, which is necessary for detecting malware variants. Although some techniques have been developed to confront the rapid expansion of malware, they are not efficient to recognise booming malware instances, and can be evaded by using obfuscation techniques. In this study, a novel dynamic malware identification approach is proposed. Concretely, this approach employs techniques that explore multiple execution paths and trigger malicious behaviours with resulting outcomes. To this end, a group of featured malicious behaviours and outcomes (MBOs) are primarily constructed, from which weights for malware family classification are derived. A virtual monitor is then developed to dynamically trigger MBOs by exploring multipath with suitable probing depths. Finally, triggered malicious behaviours are modelled with features recorded in MBOs to train a malware classifier which can identify unknown malware variants. The experimental results on test cases demonstrate the proposed approach is effective in identifying new variants of popular malware families. The comparison with latest malware identifiers shows that our approach achieves lower false positive rate and can recognise malware equipped with obfuscation techniques.

Zongqu Zhao,Junfeng Wang,Jinrong Bai

DOI: https://doi.org/10.1049/iet-ifs.2012.0289

2014-01-01

IET Information Security

Abstract:The existing anti-virus methods extract signatures of software by manual analysis. It is inefficient when they deal with a large number of malware. Meanwhile, the limitation of unknown malware detection often is found in them too. By the research on software structure, it has been found that the control flow of software can be divided into many basic blocks by the interior cross-references, and a feature-selection approach based on this phenomenon is proposed. It can extract opcode sequences from the disassembled program, and translate them into features by vector space model. The algorithms of data mining are employed to find the classify rules from the software features, and then the rules can be applied to the malware detection. Experimental results illustrate that the proposed method can achieve the 97.0% malware detection accuracy and 3.2% false positive rate with the Random Forest classifier. Furthermore, as high as 94.5% overall accuracy can be achieved when only 5% experimental data are used as training data.

Ran Liu,Charles Nicholas

DOI: https://doi.org/10.48550/arXiv.2304.07989

2023-08-09

Abstract:The popularity of dynamic malware analysis has grown significantly, as it enables analysts to observe the behavior of executing samples, thereby enhancing malware detection and classification decisions. With the continuous increase in new malware variants, there is an urgent need for an automated malware analysis engine capable of accurately identifying malware samples. In this paper, we provide a brief overview of malware detection and classification methodologies. Moreover, we introduce a novel framework tailored for the dynamic analysis environment, called the Incremental Malware Detection and Classification Framework (IMDCF). IMDCF offers a comprehensive solution for general-purpose malware detection and classification, achieving an accuracy rate of 96.49% while maintaining a simple architecture.

Cryptography and Security

Dr. Pradeep Kumar

DOI: https://doi.org/10.22214/ijraset.2024.58295

2024-02-29

International Journal for Research in Applied Science and Engineering Technology

Abstract:Abstract: Malware, derived from "Malicious software," is a comprehensive term encompassing any software intentionally crafted to disrupt, damage, or illicitly access computer systems. It's critical to determine whether a file includes malware. The increase in malware is causing a lot of problems for businesses, including data loss and other problems. Malware can swiftly inflict significant damage to a system by slowing it down and encrypting a sizable amount of data on a personal computer. This suggests that lowering the number of false positives is important. A comprehensive description of the adaptable framework for machine learning algorithms may be found in this study. It is possible to detect malware with these methods. The justification for this is that these algorithms simplify the process of distinguishing between files that are infected with malware and those that are not. Modern antivirus and anti-malware tools offer effective protection against various malware attacks. Nevertheless, due to the constantly changing landscape of malicious activities, it is imperative to curate an up-to-date database of previous malware instances. This repository serves as a valuable resource for anticipating the characteristics of future attacks and facilitating swift responses. Different machine learning methods, including decision trees and random forests, are used in our malware detection process. The method with the highest accuracy is chosen, giving the system an excellent detection ratio. Additionally, the confusion matrix is used to calculate the false positive and false negative rates, which is how the system's performance is determined.

Xia Xiao-Ling,Ding Yu-Xin,Jiang Jing-Zhi,Zeng Rong

DOI: https://doi.org/10.1109/ICMLC.2017.8107737

2017-01-01

Abstract:Malware in form of Internet worms, computer viruses, and Trojan horses poses a major threat to the security of networked systems. So how to describe the behavior knowledge of malware is an interesting and meaningful work. In recent years, different ontology technologies have been proposed to represent domain knowledge. In the study, we apply ontology techniques into the field of malware detection, and propose the malware detection method based on ontology. This method is based on the behavior of malicious code, and makes a knowledge representation of the malware behaviors from a variety of perspectives. We use the common behaviors of individuals to represent the behaviors of a malware family, and use the ontology reasoning mechanism to detect unknown malware samples. Experiments show that the method has high malicious code detection rate and low false alarm rate.

Xiaoguang Han,Jigang Sun,Wu Qu,Xuanxia Yao

DOI: https://doi.org/10.1109/ccdc.2014.6852896

2014-01-01

Abstract:A number of techniques have been devised by researchers to counter malware attacks, and machine learning techniques play an important role in automated malware detection. Several machine learning approaches have been applied to malware detection, based on different features derived from dynamic analysis of the malware. While these methods demonstrate promise, they pose at least two major challenges. First, these approaches are subjected to a growing array of countermeasures that increase the cost of capturing these malware binary executable file features. Further, feature extraction requires a time investment per binary file that does not scale well to the daily volume of malware instances being reported by those who diligently collect malware. In order to address the first challenge, this article proposed a binary-to-image projection algorithm based on a new type of feature extraction for the malware, was introduced in [2]. To address the second challenge, the technique's scalability is demonstrated through an implementation for the distributed (Key, Value) abstraction in cloud computing environment. Both theoretical and empirical evidence demonstrate its effectiveness over other state-of-the-art malware detection techniques on malware corpus, and the proposed method could be a useful and efficient complement to dynamic analysis.

Wu Bing,Yun Xiaochun

2012-01-01

Abstract:We present the dynamic information security theory model: P2DR to deal with malware epidemics. The model includes the following stages: detection of a malware epidemic by detection system, establishment of countermeasure strategy in strategy coordination center, activation of protection and response system, defense system activation for real-time protection and response. The process is a periodic one in which the strategy is adjusted dynamically. In the model we propose, the detection system is considered to be the key component. Based on our analysis of traditional IDS architecture, we think that it is not suitable for inspecting high speed network traffic and monitoring multivariant malware epidemics. Therefore, we propose a parallel detection model which can be applied to the backbone network matched with appropriate protocol parsing. Normalized taxonomy is also presented for the detection rules of malware. Five detection rule sets are covered, namely, match rules based on deep content pre-processing, special algorithms, binary level, binary level requiring network information checks, and pure network information. A Virus Detection System is realized based on the framework above.

Jixin Hang,Zheng Qin,Hui Yin,Lu Ou,Sheng Xiao,Yupeng Hu

DOI: https://doi.org/10.1109/icccn.2016.7568542

2016-01-01

Abstract:Malware detection becomes mission critical as its threats spread from personal computers to industrial control systems. Modern malware generally equips with sophisticated anti-detection mechanisms such as code-morphism, which allows the malware to evolve into many variants and bypass traditional code feature based detection systems. In this paper, we propose to disassemble binary executables into opcodes sequences, and then convert the opcodes into images. By comparing the opcode images generated from binary targets with the opcode images generated from known malware sample codes, we can detect if the target binary executables contain variants of these known malwares. Theoretical analysis and real-life experiments results show that malware detection using visualized analysis is comparable in terms of accuracy, our approach can significantly improve 15\% of detection accuracy when the detection set contains a large quantity of binaries and the training set is small.

Bo FENG,Hang DAI,De-jun MU

DOI: https://doi.org/10.3969/j.issn.1673-629X.2014.02.036

2014-01-01

Abstract:In view of the flood situation for Android malware,propose a method of behavior-based dynamic malware detection. First,get a comprehensive collection of software run-time information,including system information and kernel calls. The kernel call sequences are truncated to fixed length. Second,form all the information as property and values. Taking information gain as an indicator,select proper-ties that have high information gain and different impact by applying the C4. 5 algorithm,and proportionally assign weighting factor to properties based on the size of the information gain. Finally,apply K-Nearest Neighbor algorithm to complete the process of machine learning,making the system identify malicious software that similar to the sample,and regard unknown types of software as suspected malware. The result of experiment shows that the method has a high true positive rate and low false positive rate. Moreover,the result can be further improved with the increase of the learning sample library.

Ying Fang,Bo Yu,Yong Tang,Liu Liu,Zexin Lu,Yi Wang,Qiang Yang

DOI: https://doi.org/10.1007/978-3-319-59870-3_10

2017-01-01

Abstract:Dynamic analysis plays an important role in analyzing malware variants which have used obfuscation, polymorphism and metamorphism techniques. Malware classification is an emerging approach for discriminating different malware families. However, existing malware classification methods have mediocre performance in small scale datasets and some machine learning algorithms have difficulties in handling imbalanced datasets. To solve these issues, we propose an ensemble learning based dynamic malware classification approach aiming at datasets of different scales. Additionally a novel feature selection method is presented to select features with strong discrimination power. In particular, we continue to explore issues in feature representation and feature selection. To verify the efficiency of our approach, we perform a series of comparative experiments with existing feature selection methods, commercial anti-malware tools and current malware classification techniques. The experimental results demonstrate that our approach can classify malware variants in high F1-score while imposing low classification time in datasets of different scales.