Wu Liu,Ping Ren,Ke Liu,Hai-xin Duan

DOI: https://doi.org/10.1109/IWCDM.2011.17

2011-01-01

Abstract:Malware, such as Trojan Horse, Worms and Spy ware severely threatens Internet. We observed that although malware and its variants may vary a lot from content signatures, they share some behavior features at a higher level which are more precise in revealing the real intent of malware. This paper investigates the technique of malware behavior extraction, presents the formal Malware Behavior Feature (MBF) extraction method, and proposes the malicious behavior feature based malware detection algorithm. Finally we designed and implemented the MBF based malware detection system, and the experimental results show that it can detect newly appeared unknown malwares.

peidai xie,yongjun wang,huabiao lu,meijian li,jinshu su

DOI: https://doi.org/10.1007/978-3-642-53959-6_22

2013-01-01

Abstract:Nowadays, malware, especially for a botnet, heavily employs network communication to accomplish predefined malicious functionalities. The network behavior of malware attracts attention of researchers. However, the network traffic used for network-based signatures generation and botnet detection is captured passively from an execution environment, that there are several limitations. In this paper, we present a network behavior mining approach based on binary analysis, named NBSBA. Our goal is to accurately understand the network behavior of malware in details, capture the packets the malware sample under analysis launched as soon as possible, and extract network behavior of malware as completely as possible. We firstly give a network behavior specification and then describe the NBSBA. And we implement a prototype system to evaluate the NBSBA. The experiment demonstrates that our approach is efficient.

mesut guven,Mesut Guven

DOI: https://doi.org/10.22399/ijcesen.460

2024-09-26

International Journal of Computational and Experimental Science and Engineering

Abstract:Dynamic malware analysis plays a pivotal role in modern cybersecurity, offering insights into malware behavior through dynamic execution and network traffic analysis. In this study, we present a comprehensive approach to dynamic malware analysis using a sandbox environment and network traffic logs. Our methodology involves the extraction of relevant features from network traffic captured in pcap files. We conducted experiments using a virtualized Oracle VirtualBox environment, where benign and malicious software samples were executed within a Windows virtual machine controlled by Python scripts. For network emulation, we utilized tools from the REMnux distribution, including InetSim and FakeDNS, to simulate realistic network interactions during malware execution. The collected pcap data underwent preprocessing and feature extraction to capture essential behavioral patterns and network indicators. Machine learning and artificial intelligence models were developed to classify malware based on these extracted features. Our findings underscore the efficacy of dynamic analysis coupled with machine learning in detecting and classifying malware variants based on their network behavior. This research contributes to advancing techniques for real-time threat detection and response in cybersecurity, emphasizing the importance of dynamic malware analysis in mitigating evolving cyber threats.

Rajvardhan Patil,Wei Deng

DOI: https://doi.org/10.1109/southeastcon44009.2020.9368268

2020-01-01

Abstract:In this era, where the volume and diversity of malware is rising exponentially, new techniques need to be employed for faster and accurate identification of the malwares. Manual heuristic inspection of malware analysis are neither effective in detecting new malware, nor efficient as they fail to keep up with the high spreading rate of malware. Machine learning approaches have therefore gained momentum. They have been used to automate static and dynamic analysis investigation where malware having similar behavior are clustered together, and based on the proximity unknown malwares get classified to their respective families. Although many such research efforts have been conducted where data-mining and machine-learning techniques have been applied, in this paper we show how the accuracy can further be improved using deep learning networks. As deep learning offers superior classification by constructing neural networks with a higher number of potentially diverse layers it leads to improvement in automatic detection and classification of the malware variants.In this research, we present a framework which extracts various feature-sets such as system calls, operational codes, sections, and byte codes from the malware files. In the experimental and result section, we compare the accuracy obtained from each of these features and demonstrate that feature vector for system calls yields the highest accuracy. The paper concludes by showing how deep learning approach performs better than the traditional shallow machine learning approaches.

Sen Li,Mengmeng Ge,Ruitao Feng,Xiaohong Li,Kwok Yan Lam

DOI: https://doi.org/10.1109/icdmw60847.2023.00171

2023-01-01

Abstract:Our society is rapidly moving towards the digital age, which has led to a sharp increase in IoT networks and devices. This growth requires more network security professionals, who are focused on protecting IoT systems. One crucial task is to analyze malicious software to gain a deeper understanding of its functionalities and response methods. However, malware analysis is a complex process that requires the use of various analysis tools, including advanced reverse engineering techniques. For beginners, parsing complex binary data can be particularly challenging as they may be strange with these tools and the basic principles of analysis. Even for experienced analysts, understanding reverse engineering binary files and assembly lists is daunting.Facing these challenges, we propose a two-fold solution. Firstly, we create a detailed list of analysis tools and construct a malware analysis framework aimed at simplifying the analysis process. The framework will list the key data points that need to be addressed in the analysis, providing analysts with the tools and information needed for effective malware analysis. Secondly, we will demonstrate that advanced analysis techniques by providing analysis scripts which automate the reverse engineering process in malware analysis. To evaluate the accuracy of our behavior classification system, we will use our framework and analysis scripts to analyze known malware samples. Then, we will compare the accuracy of script-based analysis results and evaluate their ability to identify malicious software behavior. Our research results indicate that by following our framework and using our scripts, we can detect over 80% critical malware behaviors in known samples, which highlights the potential of simplifying the process of malware analysis, making it easier to learn and implement.

Rayan Mosli,Rui Li,Bo Yuan,Yin Pan

DOI: https://doi.org/10.1007/978-3-319-67208-3_11

2017-01-01

Abstract:Malware is the fastest growing threat to information technology systems. Although a single absolute solution for defeating malware is improbable, a stacked arsenal against malicious software enhances the ability to maintain security and privacy. This research attempts to reinforce the anti-malware arsenal by studying a behavioral activity common to software -the use of handles. The characteristics of handle usage by benign and malicious software are extracted and exploited in an effort to distinguish between the two classes. An automated malware detection mechanism is presented that utilizes memory forensics, information retrieval and machine learning techniques. Experimentation with a malware dataset yields a malware detection rate of 91.4% with precision and recall of 89.8% and 91.1%, respectively.

Huijuan Wang,Boyan Cui,Quanbo Yuan,Ruonan Shi,Mengying Huang

DOI: https://doi.org/10.1016/j.neucom.2024.128010

IF: 6

2024-06-16

Neurocomputing

Abstract:With the popularization of computer technology, the number of malware has increased dramatically in recent years. Some malware can threaten the network security of users by downloading and installing, and even spreading widely on the Internet, causing consequences such as private data leakage in the operating system, extortion, and network paralysis. In order to deal with these threats, researchers analyze malicious samples through various analysis techniques, which are usually divided into static and dynamic analysis based on the principle of whether the code needs to be executed or not. This paper analyzes in detail several classical methods of feature extraction in malware detection techniques. With the technological development of artificial intelligence, deep learning is gradually being introduced into malware detection, which does not require the identification of professional security personnel and greatly improves the generalization ability of detection. In the paper, text-based detection methods, image visualization-based detection, and graph structure-based detection techniques are reviewed according to different feature extraction methods. In addition, the paper compares 26 datasets that have been commonly used in recent years applied in the research field and explains the main contents and specifications of the datasets. Finally, a summary and outlook of the malware research field is given.

computer science, artificial intelligence

Alan Nafiiev,Andrii Rodionov

DOI: https://doi.org/10.20535/tacs.2664-29132023.2.277959

2023-11-06

Theoretical and Applied Cybersecurity

Abstract:Cyber wars and cyber attacks are an urgent problem in the global digital environment. Based on existing popular detection methods, malware authors are creating ever more advanced and sophisticated malware. Therefore, this study aims to create a malware analysis system that uses both dynamic and static analysis. Our system is based on a machine learning method - support vector machine. The set of data used was collected from various Internet sources. It consists of 257 executable files in .exe format, 178 of which are malicious and 79 are benign. We use 5 different types of data representation: binary information, trace instructions, control flow graph, information obtained from the dynamic operation of the file, and file metadata. Then, using multiple kernel learning, we combine all data views and create one summative machine learning model.

Jianwei Ding,Zhouguo Chen,Yue Zhao,Hong Su,Yubin Guo,Enbo Sun

DOI: https://doi.org/10.1145/3058060.3058065

2017-01-01

Abstract:Malware, as a malicious software, or applications or execution codes, has become the centerpiece of most security threats in such a unceasing open Internet environment. The essential technology of malware analysis is to extract the characteristics of malware, intended to supply signatures to detection systems and provide evidence for recovery and cleanup. The focal point in the malware analysis is how to detect malicious behaviors versus how to hide a malware analyzer from malware during runtime. In this paper, we propose an approach called Malware Gene Topology Model (MGeT) inspired by Biotechnological Genomics that can quickly detect potential malware from a large amount of software or execution codes including metamorphic or new variants of malware. Instead of extracting the signatures from the malware in the execution file level or operating system level, we identify the key malicious behaviors of malware by the underlying instructions, named malware Gene. We evaluate our method based on real-world datasets and the results demonstrate the advantages of our method over the previous studies, validating the contribution of our method.

Ulrich Bayer,Andreas Moser,Christopher Kruegel,Engin Kirda

DOI: https://doi.org/10.1007/s11416-006-0012-2

2006-05-16

Journal in Computer Virology

Abstract:Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware.

Xiaoguang Han,Jigang Sun,Wu Qu,Xuanxia Yao

DOI: https://doi.org/10.1109/ccdc.2014.6852896

2014-01-01

Abstract:A number of techniques have been devised by researchers to counter malware attacks, and machine learning techniques play an important role in automated malware detection. Several machine learning approaches have been applied to malware detection, based on different features derived from dynamic analysis of the malware. While these methods demonstrate promise, they pose at least two major challenges. First, these approaches are subjected to a growing array of countermeasures that increase the cost of capturing these malware binary executable file features. Further, feature extraction requires a time investment per binary file that does not scale well to the daily volume of malware instances being reported by those who diligently collect malware. In order to address the first challenge, this article proposed a binary-to-image projection algorithm based on a new type of feature extraction for the malware, was introduced in [2]. To address the second challenge, the technique's scalability is demonstrated through an implementation for the distributed (Key, Value) abstraction in cloud computing environment. Both theoretical and empirical evidence demonstrate its effectiveness over other state-of-the-art malware detection techniques on malware corpus, and the proposed method could be a useful and efficient complement to dynamic analysis.

Yongle Chen,Bingchu Jin,Dan Yu,Junjie Chen

DOI: https://doi.org/10.1109/pac.2018.00020

2018-01-01

Abstract:The variants of malware are a major threat to the security of computer systems. Millions of hosts on the Internet have been infected by malwares variants. Accurate detection of malware variants has become a key challenge for malware detection. The existing static detection is susceptible to file shelling and code obfuscation, while the dynamic detection is subject to anti-debugging and anti-virtual machine technology. Therefore, by combining the static and dynamic detection, we designed a malicious variants detection method based on behavior destructive features to analyze malicious samples.

Yajie Dong,Zhenyan Liu,Yida Yan,Yong Wang,Tu Peng,Ji Zhang

DOI: https://doi.org/10.1007/978-3-319-64701-2_28

2017-01-01

Abstract:The Internet has become an indispensable part of people's work and life. It provides favorable communication conditions for malwares. Therefore, malwares are endless and spread faster and become one of the main threats of current network security. Based on the malware analysis process, from the original feature extraction and feature selection to malware detection, this paper introduces the machine learning algorithm such as clustering, classification and association analysis, and how to use the machine learning algorithm to malware and its variants for effective analysis.

Baskoro Adi Pratomo,Toby Jackson,Pete Burnap,Andrew Hood,Eirini Anthi

2023-10-27

Abstract:Analysing malware is important to understand how malicious software works and to develop appropriate detection and prevention methods. Dynamic analysis can overcome evasion techniques commonly used to bypass static analysis and provide insights into malware runtime activities. Much research on dynamic analysis focused on investigating machine-level information (e.g., CPU, memory, network usage) to identify whether a machine is running malicious activities. A malicious machine does not necessarily mean all running processes on the machine are also malicious. If we can isolate the malicious process instead of isolating the whole machine, we could kill the malicious process, and the machine can keep doing its job. Another challenge dynamic malware detection research faces is that the samples are executed in one machine without any background applications running. It is unrealistic as a computer typically runs many benign (background) applications when a malware incident happens. Our experiment with machine-level data shows that the existence of background applications decreases previous state-of-the-art accuracy by about 20.12% on average. We also proposed a process-level Recurrent Neural Network (RNN)-based detection model. Our proposed model performs better than the machine-level detection model; 0.049 increase in detection rate and a false-positive rate below 0.1.

Cryptography and Security,Machine Learning

Ying Cao,Qiguang Miao,Jiachen Liu,Lin Gao

DOI: https://doi.org/10.1007/s11416-013-0186-3

2013-01-01

Journal of Computer Virology and Hacking Techniques

Abstract:Dynamic behavior-based malware analysis and detection is considered to be one of the most promising ways to combat with the obfuscated and unknown malwares. To perform such analysis, behavioral feature abstraction plays a fundamental role, because how to specify program formally to a large extend determines what kind of algorithm can be used. In existing research, graph-based methods keep a dominant position in specifying malware behaviors. However, they restrict the detection algorithm to be chosen from graph mining algorithm. In this paper, we build a complete virtual environment to capturemalware behaviors, especially that to stimulate network behaviors of a malware. Then, we study the problem of abstracting constant behavioral features from API call sequences and propose a minimal security-relevant behavior abstraction way, which absorbs the advantages of prevalent graph-based methods in behavior representation and has the following advantages: first API calls are aggregated by data dependence, therefore it is resistent to redundant data and is a kind of more constant feature. Second, API call arguments are also abstracted particularly, this further contributes to common and constant behavioral features of malware variants. Third, it is a moderate degree aggregation of a small group of API calls with a constructing criterion that centering on an independent operation on a sensitive resource. Fourth, it is very easy to embed the extracted behaviors in a high dimensional vector space, so that it can be processed by almost all of the prevalent statistical learning algorithms. We then evaluate these minimal security-relevant behaviors in three kinds of test, including similarity comparison, clustering and classification. The experimental results show that our method has a capacity in distinguishing malwares from different families and also from benign programs, and it is useful for many statistical learning algorithms.

Fan Yang,Jinxia Wu,Shanyu Tang,Huanguo Zhang

DOI: https://doi.org/10.1109/GreenCom-iThings-CPSCom.2013.390

2013-01-01

Abstract:Traditional malware detection usually relies on the detected file only, not considering the usage scenario. This paper introduces the patterns of user behaviors, in addition to the normal dynamic analysis of process behaviors. The maliciousness of unknown file is calculated by attack tree model and Bayesian algorithm based on the file behaviors and sources. We count the security weights of file sources where users download or copy files, indicating the use habits and the safety consciousness. The assessment value of host security is finally obtained by knowledge repository update and dynamic machine learning, helping users to detect the behavior pattern and reinforce the host security. Experiments show that the accuracy of malware detection increases with the improvement of user's safety habits. As a result, our model can detect malware and lead the user to use computer securely in a realistic way.

Yi-Hsien Chen,Si-Chen Lin,Szu-Chun Huang,Chin-Laung Lei,Chun-Ying Huang

DOI: https://doi.org/10.1109/tifs.2023.3283913

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Malicious binaries have caused data and monetary loss to people, and these binaries keep evolving rapidly nowadays. With tons of new unknown attack binaries, one essential daily task for security analysts and researchers is to analyze and effectively identify malicious parts and report the critical behaviors within the binaries. While manual analysis is slow and ineffective, automated malware report generation is a long-term goal for malware analysts and researchers. This study moves one step toward the goal by identifying essential functions in malicious binaries to accelerate and even automate the analyzing process. We design and implement an expert system based on our proposed graph neural network called MalwareExpert. The system pinpoints the essential functions of an analyzed sample and visualizes the relationships between involved parts. We evaluate our proposed approach using executable binaries in the Windows operating system. The evaluation results show that our approach has a competitive detection performance (97.3% accuracy and 96.5% recall rate) compared to existing malware detection models. Moreover, it gives an intuitive and easy-to-understand explanation of the model predictions by visualizing and correlating essential functions. We compare the identified essential functions reported by our system against several expert-made malware analysis reports from multiple sources. Our qualitative and quantitative analyses show that the pinpointed functions indicate accurate directions. In the best case, the top 2% of functions reported from the system can cover all expert-annotated functions in three steps. We believe that the MalwareExpert system has shed light on automated program behavior analysis.

computer science, theory & methods,engineering, electrical & electronic

Faitouri A. Aboaoja,Anazida Zainal,Abdullah Marish Ali,Fuad A. Ghaleb,Fawaz Jaber Alsolami,Murad A. Rassam

DOI: https://doi.org/10.3390/math11020416

IF: 2.4

2023-01-13

Mathematics

Abstract:Recently, malware has become more abundant and complex as the Internet has become more widely used in daily services. Achieving satisfactory accuracy in malware detection is a challenging task since malicious software exhibit non-relevant features when they change the performed behaviors as a result of their awareness of the analysis environments. However, the existing solutions extract features from the entire collected data offered by malware during the run time. Accordingly, the actual malicious behaviors are hidden during the training, leading to a model trained using unrepresentative features. To this end, this study presents a feature extraction scheme based on the proposed dynamic initial evasion behaviors determination (DIEBD) technique to improve the performance of evasive malware detection. To effectively represent evasion behaviors, the collected behaviors are tracked by examining the entropy distributions of APIs-gram features using the box-whisker plot algorithm. A feature set suggested by the DIEBD-based feature extraction scheme is used to train machine learning algorithms to evaluate the proposed scheme. Our experiments' outcomes on a dataset of benign and evasive malware samples show that the proposed scheme achieved an accuracy of 0.967, false positive rate of 0.040, and F1 of 0.975.

mathematics

ZHAO Yi,GONG Jian,YANG Wang

DOI: https://doi.org/10.3969/j.issn.1000-436x.2014.z1.011

2014-01-01

Abstract:The analysis of malicious code’s network behavior is an important research field of network security. This function of existed systems is incomplete and not deep. The functions of malicious code are summarized and a compre-hensive content is presented. Moreover the network behavior analysis function of existed analysis systems is introduced and CUCKOO which is able to satisfy the requirements of involved study is found. Finally the advantage and points of this application platform were summarized, and an expansion of the system was proposed.

LI Hua,LIU Zhi,QIN Zheng,ZHANG Xiao-song

DOI: https://doi.org/10.3969/j.issn.1001-3695.2011.03.094

2011-01-01

Abstract:This paper proposed a new approach that could effectively detect and restrict(unknown) malware,and implemented a prototype system.First,used support vector machine to build classifier,which could judge whether a program was malicious or not,and extracted the malware's signature.Agents running in host could detect malware and stop its execution.To analyze precise behaviors,put samples in virtual machines for executions.Experiment results show compared with naive Bayes and decision tree,our system yields low false positives as well false negatives,and the distributed architecture accelerates restriction.