Qing Yang,Xiaoliang Wang,Jing Zheng,Wenqi Ge,Ming Bai,Frank Jiang

DOI: https://doi.org/10.3837/tiis.2021.06.014

2021-01-01

KSII Transactions on Internet and Information Systems

Abstract:With the rapid development of mobile Internet, smart phones have been widely popularized, among which Android platform dominates. Due to it is open source, malware on the Android platform is rampant. In order to improve the efficiency of malware detection, this paper proposes deep learning Android malicious detection system based on behavior features. First of all, the detection system adopts the static analysis method to extract different types of behavior features from Android applications, and extract sensitive behavior features through Term frequency-inverse Document Frequency algorithm for each extracted behavior feature to construct detection features through unified abstract expression. Secondly, Long Short-Term Memory neural network model is established to select and learn from the extracted attributes and the learned attributes are used to detect Android malicious applications, Analysis and further optimization of the application behavior parameters, so as to build a deep learning Android malicious detection method based on feature analysis. We use different types of features to evaluate our method and compare it with various machine learning-based methods. Study shows that it outperforms most existing machine learning based approaches and detects 95.31% of the malware.

Yao Wang,Wan‐dong Cai,Peng‐cheng Wei,Wan-dong Cai,Peng-cheng Wei

DOI: https://doi.org/10.1002/sec.1441

IF: 1.968

2016-02-11

Security and Communication Networks

Abstract:Abstract Malicious JavaScript code in webpages on the Internet is an emergent security issue because of its universality and potentially severe impact. Because of its obfuscation and complexities, detecting it has a considerable cost. Over the last few years, several machine learning‐based detection approaches have been proposed; most of them use shallow discriminating models with features that are constructed with artificial rules. However, with the advent of the big data era for information transmission, these existing methods already cannot satisfy actual needs. In this paper, we present a new deep learning framework for detection of malicious JavaScript code, from which we obtained the highest detection accuracy compared with the control group. The architecture is composed of a sparse random projection, deep learning model, and logistic regression. Stacked denoising auto‐encoders were used to extract high‐level features from JavaScript code; logistic regression as a classifier was used to distinguish between malicious and benign JavaScript code. Experimental results indicated that our architecture, with over 27 000 labeled samples, can achieve an accuracy of up to 95%, with a false positive rate less than 4.2% in the best case. Copyright © 2016 John Wiley & Sons, Ltd.

computer science, information systems,telecommunications

Sun Haoliang,Wang Dawei,Zhang Ying

DOI: https://doi.org/10.1109/iccsn.2019.8905286

2019-01-01

Abstract:Nowadays, a major challenge to network security is malicious codes. However, manual extraction of features is one of the characteristics of traditional detection techniques, which is inefficient. On the other hand, the features of the content and behavior of the malicious codes are easy to change, resulting in more inefficiency of the traditional techniques. In this paper, a K-Means Clustering Analysis is proposed based on Adaptive Weights (AW-MMKM). Identifying malicious codes in the proposed method is based on four types of network behavior that can be extracted from network traffic, including active, fault, network scanning, and page behaviors. The experimental results indicate that the AW-MMKM can detect malicious codes efficiently with higher accuracy.

Xincheng He,Chunliu Cha,Lei Xu

DOI: https://doi.org/10.1109/APSEC.2018.00051

2018-12-01

Abstract:JavaScript plays an important role in web applications and services, which is used by millions of web pages in optimizing interface design, embedding dynamic texts, reading and writing HTML elements, validating form data, responding to browser events, controlling cookies and much more. However, since JavaScript is cross-platform and can be executed dynamically, it has been a major vehicle for web-based attacks. Existing solutions work by performing static analysis or monitoring program execution dynamically. However, since the heavy use of obfuscation techniques, many methods no longer apply to malicious JavaScript code detection, and it has been a huge challenge to de-obfuscate obfuscated malicious JavaScript code accurately. In this paper, we propose a hybrid analysis method combining static and dynamic analysis for detecting malicious JavaScript code that works by first conducting syntax analysis and dynamic instrumentation to extract internal features that are related to malicious code and then performing classificationbased detection to distinguish attacks. In addition, based on code instrumentation, we propose a new method which can deobfuscate part of obfuscated malicious JavaScript code accurately. Ultimately, we implement a browser plug-in called MJDetector and perform evaluation on 450 real web pages. Evaluation results show that our method can detect malicious JavaScript code and de-obfuscate obfucation effectively and efficiently. Specifically, MJDetector can detect JavaScipt attacks in current web pages with high accuracy 94.76% and de-obfuscate obfuscate code of specific types with accuracy 100% whereas the base line method can only detect with accuracy 81.16% and has no capacity of de-obfuscation.

Computer Science

Zhining Zhang,Liang Wan,Kun Chu,Shusheng Li,Haodong Wei,Lu Tang

DOI: https://doi.org/10.1371/journal.pone.0277891

IF: 3.7

2022-12-14

PLoS ONE

Abstract:Currently, JavaScript malicious code detection methods are becoming more and more effective. Still, the existing methods based on deep learning are poor at detecting too long or too short JavaScript code. Based on this, this paper proposes an adaptive code length deep learning network JACLNet, composed of convolutional block RDCNet, BiLSTM and Transfrom, to capture the association features of the variable distance between codes. Firstly, an abstract syntax tree recombination algorithm is designed to provide rich syntax information for feature extraction. Secondly, a deep residual convolution block network (RDCNet) is designed to capture short-distance association features between codes. Finally, this paper proposes a JACLNet network for JavaScript malicious code detection. To verify that the model presented in this paper can effectively detect variable JavaScript code, we divide the datasets used in this paper into long text dataset DB_Long; short text dataset DB_Short, original dataset DB_Or and enhanced dataset DB_Re. In DB_Long, our method's F1 - score is 98.87%, higher than that of JSContana by 2.52%. In DB_Short, our method's F1-score is 97.32%, higher than that of JSContana by 7.79%. To verify that the abstract syntax tree recombination algorithm proposed in this paper can provide rich syntax information for subsequent models, we conduct comparative experiments on DB_Or and DB_Re. In DPCNN+BiLSTM, F1-score with abstract syntax tree recombination increased by 1.72%, and in JSContana, F1-score with abstract syntax tree recombination increased by 1.50%. F1-score with abstract syntax tree recombination in JACNet improved by 1.00% otherwise unused.

Wei Li,Chenyi Zhang,Jieying Zhou,Dan Wang,Nuannuan Li

DOI: https://doi.org/10.1088/1742-6596/2010/1/012165

2021-09-01

Journal of Physics: Conference Series

Abstract:Abstract In recent years, malicious code emerges in endlessly. New types of malicious code evade the traditional malicious code detection technology through polymorphism, shelling, confusion and other ways. In order to solve the challenges brought by various technologies to the research of malicious code detection, in this paper, we propose a malicious code detection method based on static features and ensemble learning. This method extracts the information in the PE header file of malicious code samples as static features, and on this basis, builds a malicious code detection model by using stacking ensemble learning. In order to verify the effectiveness of the model, experiments are carried out on a dataset containing 5000 malicious codes and 4943 benign codes. Experiments show that the classification model based on stacking ensemble learning is the best, with 97.22% precision rate and 96.45% stable F1 score.

Yong Fang,Chaoyi Huang,Minchuan Zeng,Zhiying Zhao,Cheng Huang

DOI: https://doi.org/10.1016/j.cose.2022.102715

2022-07-01

Abstract:Web development technology has experienced significant progress. The creation of JavaScript has highly enriched the interactive ability of the client. However, the attacker uses the dynamic characteristics of the JavaScript language to embed malicious code into web pages to achieve the purpose of smuggling, redirection, and so on. Traditional methods based on static feature detection are therefore difficult to detect malicious code after confusion, and the method based on dynamic analysis is inefficient. To meet these challenges, this paper proposes a static detection model JStrong based on graph neural network. The model first generates an abstract syntax tree from the JavaScript source code, and then adds data flow and control flow information into the program dependency graph. In addition, we embed the nodes and edges of the graph into the feature vector and fully learn the features of the whole graph through the graph neural network. We take advantage of a real-world dataset collected from the top website and GitHub to evaluate JStrong and compare it to the state-of-the-art method. Experimental results show that JStrong achieves near-perfect classification performance and is superior to the state-of-the-art method.

computer science, information systems

Fathi H. Amsaad,Junjie Zhang,M. Pk,Al Amin Hossain

DOI: https://doi.org/10.1109/NAECON61878.2024.10670668

2024-07-15

Abstract:The rapid evolution of cyber threats raises the inevitability of the advancement of innovative and effective approaches in cybersecurity. There are numerous cyber threats; among these threats, malicious code, including viruses, worms, and sophisticated malware, poses significant risks to digital systems. The existing threat detection methods often rely on signature-based techniques and need help to keep pace with the dynamic and evolving characteristics of malware. Large language models (LLMs) such as GPT-4, renowned for their ability to perform natural language processing, offer a promising alternative for enhancing malicious code detection. This research paper proposes a novel approach using large language models (LLMs) to detect unwanted malicious code in Java source code, leveraging the Mixtral architecture. The Mixtral model is trained on a diverse dataset of benign and malicious Java code, enabling it to learn complex patterns and characteristics of malicious code. Experimental results validate the efficiency of the proposed in identifying malicious code, outperforming existing static analysis tools.

Computer Science

Sungjoong Kim,Seongkyu Yeom,Haengrok Oh,Dongil Shin,Dongkyoo Shin

DOI: https://doi.org/10.3390/sym13010035

2020-12-28

Symmetry

Abstract:The development of information and communication technology (ICT) is making daily life more convenient by allowing access to information at anytime and anywhere and by improving the efficiency of organizations. Unfortunately, malicious code is also proliferating and becoming increasingly complex and sophisticated. In fact, even novices can now easily create it using hacking tools, which is causing it to increase and spread exponentially. It has become difficult for humans to respond to such a surge. As a result, many studies have pursued methods to automatically analyze and classify malicious code. There are currently two methods for analyzing it: a dynamic analysis method that executes the program directly and confirms the execution result, and a static analysis method that analyzes the program without executing it. This paper proposes a static analysis automation technique for malicious code that uses machine learning. This classification system was designed by combining a method for classifying malicious code using a portable executable (PE) structure and a method for classifying it using a PE structure. The system has 98.77% accuracy when classifying normal and malicious files. The proposed system can be used to classify various types of malware from PE files to shell code.

Yanli Shao,Yang Lu,Dan Wei,Jinglong Fang,Feiwei Qin,Bin Chen

DOI: https://doi.org/10.1155/2022/3301718

2022-07-08

Wireless Communications and Mobile Computing

Abstract:Edge computing is a feasible solution for effectively collecting and processing data in industrial Internet of Things (IIoT) systems, and edge security is an important guarantee for edge computing. Fast and accurate classification of malicious code in the whole lift cycle of edge computing is of great significance, which can effectively prevent malicious code from attacking wireless sensor networks and ensure the stable and secure transmission of data in smart devices. Considering that there is a large amount of code reuse in the same malicious code family, making their visual feature similar, many studies use visualization technology to assist malicious code classification. However, traditional malicious code visual classification schemes have the problems such as single image source, weak ability of deep-level feature extraction, and lack of attention to key image details. Therefore, an innovative malicious code visual classification method based on a deep residual network and hybrid attention mechanism for edge security is proposed in this study. Firstly, the malicious code visualization scheme integrates the bytecode file and assembly file of the malware and converts them into a four-channel RGBA image to fully represent malicious code feature information without increasing the computational complexity. Secondly, a hybrid attention mechanism is introduced into the deep residual network to construct an effective classification model, which extracts image texture features of malicious code from two dimensions of the channel and spatial to improve the classification performance. Finally, the experimental results on the BIG2015 and Malimg datasets show that the proposed scheme is feasible and effective and can be widely applied used in various malicious code classification issues, and the classification accuracy rate is relatively higher than the existing better-performing malicious code classification methods.

computer science, information systems,telecommunications,engineering, electrical & electronic

Dongzhi Cao,Xinglan Zhang,Zhenhu Ning,Jianfeng Zhao,Fei Xue,Yongli Yang

DOI: https://doi.org/10.1145/3297156.3297246

2018-01-01

Abstract:With the rapid development of the Internet, people have variety in their life style. While the Internet is developing rapidly, some malware has also been generated, and the number of malicious codes grows exponentially, which seriously affects the security of the Internet. In the prevention of malicious code, the accurate classification of malicious code is the most critical components. At present, researchers mainly focus on static detection and dynamic detection to study malicious code variant detection schemes. In the study of malicious code classification, this paper first analyzes the limitations of static detection and dynamic detection, then employs convolution neural networks to classify and identify malicious code, and finally implements an efficient malicious code detection system based on convolutional neural networks. Our malware detection model realizes the idea of automatic detection of malicious code variants. Experimental results demonstrated that the proposed malicious code detection system is efficient.

Yunhua Huang,Tao Li,Lijia Zhang,Beibei Li,Xiaojie Liu

DOI: https://doi.org/10.1016/j.cose.2021.102218

2021-05-01

Abstract:<p>JavaScript has played a crucial role in web development, making it a primary tool for hackers to launch assaults. Although malicious JavaScript detection methods are becoming increasingly effective, the existing methods based on feature matching or static word embeddings are difficult to detect different versions and obfuscation of JavaScript code. To solve this problem, we present JSContana, a novel detection method that consists of adaptable context analysis and efficient key feature extraction. The key to our approach is context analysis based on dynamic word embeddings. We convert JavaScript code to syntax unit sequences with detailed information and get the real contextual representation of code by dynamic word embeddings. Furthermore, as a classification module in the method, TextCNN can effectively extract key features. To demonstrate the performance of the method, we have conducted extensive comparison experiments under five-fold cross-validation. Numerical results show that the method achieves 0.990 in AUC-score, and outperforms the state-of-the-art method by up to 3.5%.</p>

computer science, information systems

李佳静,梁知音,韦韬,毛剑

DOI: https://doi.org/10.3321/j.issn:0479-8023.2008.04.007

2008-01-01

Abstract:A semantic based method is presented to analyze malicious behavior in software, with more precise description of function call based attacks, and flow sensitive, context sensitive and path sensitive inter-procedure analysis ability. Experiments on malicious and benign programs show that it is effective to identify malicious behavior in software.

Rajvardhan Patil,Wei Deng

DOI: https://doi.org/10.1109/southeastcon44009.2020.9368268

2020-01-01

Abstract:In this era, where the volume and diversity of malware is rising exponentially, new techniques need to be employed for faster and accurate identification of the malwares. Manual heuristic inspection of malware analysis are neither effective in detecting new malware, nor efficient as they fail to keep up with the high spreading rate of malware. Machine learning approaches have therefore gained momentum. They have been used to automate static and dynamic analysis investigation where malware having similar behavior are clustered together, and based on the proximity unknown malwares get classified to their respective families. Although many such research efforts have been conducted where data-mining and machine-learning techniques have been applied, in this paper we show how the accuracy can further be improved using deep learning networks. As deep learning offers superior classification by constructing neural networks with a higher number of potentially diverse layers it leads to improvement in automatic detection and classification of the malware variants.In this research, we present a framework which extracts various feature-sets such as system calls, operational codes, sections, and byte codes from the malware files. In the experimental and result section, we compare the accuracy obtained from each of these features and demonstrate that feature vector for system calls yields the highest accuracy. The paper concludes by showing how deep learning approach performs better than the traditional shallow machine learning approaches.

Ammar Alazab,Ansam Khraisat,Moutaz Alazab,Sarabjot Singh

DOI: https://doi.org/10.3390/fi14080217

2022-07-23

Future Internet

Abstract:Websites on the Internet are becoming increasingly vulnerable to malicious JavaScript code because of its strong impact and dramatic effect. Numerous recent cyberattacks use JavaScript vulnerabilities, and in some cases employ obfuscation to conceal their malice and elude detection. To secure Internet users, an adequate intrusion-detection system (IDS) for malicious JavaScript must be developed. This paper proposes an automatic IDS of obfuscated JavaScript that employs several features and machine-learning techniques that effectively distinguish malicious and benign JavaScript codes. We also present a new set of features, which can detect obfuscation in JavaScript. The features are selected based on identifying obfuscation, a popular method to bypass conventional malware detection systems. The performance of the suggested approach has been tested on JavaScript obfuscation attacks. The studies have shown that IDS based on selected features has a detection rate of 94% for malicious samples and 81% for benign samples within the dimension of the feature vector of 60.

Zhihua Cui,Fei Xue,Xingjuan Cai,Yang Cao,Gai-ge Wang,Jinjun Chen

DOI: https://doi.org/10.1109/tii.2018.2822680

IF: 12.3

2018-07-01

IEEE Transactions on Industrial Informatics

Abstract:With the development of the Internet, malicious code attacks have increased exponentially, with malicious code variants ranking as a key threat to Internet security. The ability to detect variants of malicious code is critical for protection against security breaches, data theft, and other dangers. Current methods for recognizing malicious code have demonstrated poor detection accuracy and low detection speeds. This paper proposed a novel method that used deep learning to improve the detection of malware variants. In prior research, deep learning demonstrated excellent performance in image recognition. To implement our proposed detection method, we converted the malicious code into grayscale images. Then, the images were identified and classified using a convolutional neural network (CNN) that could extract the features of the malware images automatically. In addition, we utilized a bat algorithm to address the data imbalance among different malware families. To test our approach, we conducted a series of experiments on malware image data from Vision Research Lab. The experimental results demonstrated that our model achieved good accuracy and speed as compared with other malware detection models.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Bingnan HOU,Yan? YU,Jiashun WU

2015-01-01

Journal of Computer Applications

Abstract:Malicious Web pages that host drive-by-download exploits have become the popular means for compromising hosts and creating botnets on the Internet. In drive-by-download exploits, attackers embed malicious JavaScript code into a Web page. When a victim visits this page, the script is executed and attempts to compromise the browser or one of its plugins. This paper proposed a detection and analysis method of malicious JavasScript code based on pre-filter called JSFEA which suits for large-scale Web page detection. JSFEA used static analysis techniques to quickly examine a Web page for determining whether it”s suspicious or not. If it is determined suspicious then put it into dynamic detection. The study shows that JSFEA is able to reduce the load on a more costly dynamic analysis by more than 85%, with a low false positive rate.

Mathew Ashik,A. Jyothish,S. Anandaram,P. Vinod,Francesco Mercaldo,Fabio Martinelli,Antonella Santone

DOI: https://doi.org/10.3390/electronics10141694

IF: 2.9

2021-07-15

Electronics

Abstract:Malware is one of the most significant threats in today’s computing world since the number of websites distributing malware is increasing at a rapid rate. Malware analysis and prevention methods are increasingly becoming necessary for computer systems connected to the Internet. This software exploits the system’s vulnerabilities to steal valuable information without the user’s knowledge, and stealthily send it to remote servers controlled by attackers. Traditionally, anti-malware products use signatures for detecting known malware. However, the signature-based method does not scale in detecting obfuscated and packed malware. Considering that the cause of a problem is often best understood by studying the structural aspects of a program like the mnemonics, instruction opcode, API Call, etc. In this paper, we investigate the relevance of the features of unpacked malicious and benign executables like mnemonics, instruction opcodes, and API to identify a feature that classifies the executable. Prominent features are extracted using Minimum Redundancy and Maximum Relevance (mRMR) and Analysis of Variance (ANOVA). Experiments were conducted on four datasets using machine learning and deep learning approaches such as Support Vector Machine (SVM), Naïve Bayes, J48, Random Forest (RF), and XGBoost. In addition, we also evaluate the performance of the collection of deep neural networks like Deep Dense network, One-Dimensional Convolutional Neural Network (1D-CNN), and CNN-LSTM in classifying unknown samples, and we observed promising results using APIs and system calls. On combining APIs/system calls with static features, a marginal performance improvement was attained comparing models trained only on dynamic features. Moreover, to improve accuracy, we implemented our solution using distinct deep learning methods and demonstrated a fine-tuned deep neural network that resulted in an F1-score of 99.1% and 98.48% on Dataset-2 and Dataset-3, respectively.

engineering, electrical & electronic,computer science, information systems,physics, applied

Ru Zhang,Xinjian Zhao,Jiaqi Li,Song Zhang,Zhijie Shang

DOI: https://doi.org/10.1088/1742-6596/2010/1/012066

2021-09-01

Journal of Physics: Conference Series

Abstract:Abstract Malicious code families have become a major threat to network security. Many current methods convert malicious code into images and use deep learning to classify malicious code families. However, the family classification method based on deep learning incorporates the overall characteristics of the malicious code into the classification model, which may cause interference with redundant information in the malicious code. This paper proposes a malicious code family classification method based on a self-attention mechanism. When analysing a noisy data structure such as malicious code images, the attention mechanism is introduced to filter the interference information in the malicious code. The experimental results show that the classification accuracy rate of this method for malicious code families is 99.56%, and the recall rate is 98.06%. Rigorous theoretical analyses and numerous experiments prove our method is efficient and reliable.

Yichi Zhang,Jianmin Pang,Rongcai Zhao,Zhichang Guo

DOI: https://doi.org/10.1109/ICICISYS.2010.5658423

2010-01-01

Abstract:With the rapidly development of virus technology, the number of malicious code has continued to increase. So it is imperative to optimize the traditional manual analysis method by automatic maliciousness decision system. Motivated by the inference technique for detecting viruses, and a recent successful classification method, we explore Radux - an automatic software maliciousness decision system. It rests on artificial neural network based on behavior hidden in malicious code. Decompile technique is applied to characterize behavioral and structural properties of binary code, which creates more abstract descriptions of malware. Experiment shows that this system can decision software maliciousness efficiently. ©2010 IEEE.