Rajvardhan Patil,Wei Deng

DOI: https://doi.org/10.1109/southeastcon44009.2020.9368268

2020-01-01

Abstract:In this era, where the volume and diversity of malware is rising exponentially, new techniques need to be employed for faster and accurate identification of the malwares. Manual heuristic inspection of malware analysis are neither effective in detecting new malware, nor efficient as they fail to keep up with the high spreading rate of malware. Machine learning approaches have therefore gained momentum. They have been used to automate static and dynamic analysis investigation where malware having similar behavior are clustered together, and based on the proximity unknown malwares get classified to their respective families. Although many such research efforts have been conducted where data-mining and machine-learning techniques have been applied, in this paper we show how the accuracy can further be improved using deep learning networks. As deep learning offers superior classification by constructing neural networks with a higher number of potentially diverse layers it leads to improvement in automatic detection and classification of the malware variants.In this research, we present a framework which extracts various feature-sets such as system calls, operational codes, sections, and byte codes from the malware files. In the experimental and result section, we compare the accuracy obtained from each of these features and demonstrate that feature vector for system calls yields the highest accuracy. The paper concludes by showing how deep learning approach performs better than the traditional shallow machine learning approaches.

Mengsong Song Zou,Lan-sheng Han,Qi-wen Liu,Ming Liu

DOI: https://doi.org/10.1109/YCICT.2009.5382354

2009-01-01

Abstract:As more polymorphic malicious codes coming into being, traditional anti-virus methods can not satisfy the current need. In order to achieve some specific functions, malicious codes must have some behaviors which are different from that of the normal programs. Focus on the difference between normal programs and the malicious codes the paper applies Support Vector Machine (SVM) and creates a space of virus API feature vector and a hyper-plane to divide the API space into two parts: malicious codes and normal program. Moreover, behaviors of different kinds of malicious codes are collected and 1-v-1 Multi-class SVM is introduced to detect those behaviors. Furthermore the paper constructs the application structure and selects large amount of test executable samples. Through statistics, analysis and calculation on those samples, the results verify our method. ©2009 IEEE.

Ping Wang,Yu-Shih Wang

DOI: https://doi.org/10.1016/j.jcss.2014.12.014

IF: 1.043

2014-01-01

Journal of Computer and System Sciences

Abstract:Most existing approaches for detecting viruses involve signature-based analyses to match the precise patterns of malware threats. However, the problem of classification accuracy regarding unspecified malware detection depends on correct extraction and completeness of training signatures. In practice, malware detection system uses the generalization ability of support vector models (SVMs) to guarantee a small classification error by machine learning. This study developed an automatic malware detection system by training an SVM classifier based on behavioural signatures. A cross-validation scheme was used for solving classification accuracy problems by using SVMs associated with 60 families of real malware. The experimental results reveal that the classification error decreases as the sizing of testing data is increased. For different sizing (N) of malware samples, the prediction accuracy of malware detection goes up to 98.7% with N=100. The overall detection accuracy of the SVC is more than 85% for unspecific mobile malware.

Kai Zhang,Chao Li,Yong Wang,Xiaobin Zhu,Haiping Wang

DOI: https://doi.org/10.1016/j.procs.2017.05.063

2017-01-01

Procedia Computer Science

Abstract:Malware has been the primary threat to computer and network for years. Traditionally, supervised learning methods are applied to detect malware. But supervised learning models need a great number of labeled samples to train models beforehand, and it is impractical to label enough malicious code manually. Insufficient training samples yields imperfect detection models and satisfactory detection result could not be obtained as a result. In this paper, we bring out a new algorithm call ColSVM (Collaborative Support Vector Machine) based on semi-supervised learning and independent component analysis. With ColSVM, only a few labeled samples is needed while the detection result keeps in a high level. Besides, we propose a general framework with independent components analysis, with which to reduce the restricted condition of collaborative train. Experiments prove the efficiency of our model finally.

Ting Liu,Xiaohong Guan,Yu Qu,Yanan Sun

DOI: https://doi.org/10.1002/cpe.1896

2011-01-01

Concurrency and Computation Practice and Experience

Abstract:Millions of new malicious programs are produced by the mature industry of malware production. These programs have tremendous challenges on the signature-based antivirus products. Machine learning techniques are applicable for detecting unknown malicious programs without knowing their signatures. In this paper, a layered classification method is developed to detect malwares with a two-layer framework. The low-level-classifier is employed to identify whether the programs perform any malicious functions according to the API-calls of the programs; the up-level-classifier is applied to detect malwares according to the function identification. A hybrid structure called Type-Function, constituting of the classification results of low-level-classifier and up-level-classifier, is proposed to describe the malware. This method is compared with Naive Bayes, decision tree, and boosting using a comprehensive test dataset containing 16,135 malwares and 1800 benign programs. The experiments demonstrate that our method outperforms other algorithms in terms of detection accuracy. Moreover, the Type-Function structure is proved as an unprejudiced and effective method for malware description. Copyright © 2011 John Wiley & Sons, Ltd.

Chan Woo Kim

DOI: https://doi.org/10.48550/arXiv.1802.05412

2018-05-20

Abstract:As computing systems become increasingly advanced and as users increasingly engage themselves in technology, security has never been a greater concern. In malware detection, static analysis, the method of analyzing potentially malicious files, has been the prominent approach. This approach, however, quickly falls short as malicious programs become more advanced and adopt the capabilities of obfuscating its binaries to execute the same malicious functions, making static analysis extremely difficult for newer variants. The approach assessed in this paper is a novel dynamic malware analysis method, which may generalize better than static analysis to newer variants. Inspired by recent successes in Natural Language Processing (NLP), widely used document classification techniques were assessed in detecting malware by doing such analysis on system calls, which contain useful information about the operation of a program as requests that the program makes of the kernel. Features considered are extracted from system call traces of benign and malicious programs, and the task to classify these traces is treated as a binary document classification task of system call traces. The system call traces were processed to remove the parameters to only leave the system call function names. The features were grouped into various n-grams and weighted with Term Frequency-Inverse Document Frequency. This paper shows that Linear Support Vector Machines (SVM) optimized by Stochastic Gradient Descent and the traditional Coordinate Descent on the Wolfe Dual form of the SVM are effective in this approach, achieving a highest of 96% accuracy with 95% recall score. Additional contributions include the identification of significant system call sequences that could be avenues for further research.

Cryptography and Security,Computation and Language

Tao Ban,Takeshi Takahashi,Shanqing Guo,Daisuke Inoue,Koji Nakao

DOI: https://doi.org/10.1109/asiajcis.2016.29

2016-01-01

Abstract:In light of the rapid growth of malware threats towards the Android platform, there is a pressing need to develop effective solutions. In this paper we explorate the potential of multi-modal features to enhance the detection accuracy while keep the false alarms low. Examined features include the permissions, Application Programming Interface (API) calls, and meta features such as the category information and Application Package (APK) descriptions. These multi-modal features are coded in a way to facilitate efficient learning and testing with the particular classifiers known as the linear support vector machine (SVM). Experiments show that our proposed method can obtain an accuracy more than 94%, over performing the conventional methods by a large margin. By employing high-performance learning tools, the training and testing can be done in a very time-efficient fashion for large scale and high-dimensional data.

Mathew Ashik,A. Jyothish,S. Anandaram,P. Vinod,Francesco Mercaldo,Fabio Martinelli,Antonella Santone

DOI: https://doi.org/10.3390/electronics10141694

IF: 2.9

2021-07-15

Electronics

Abstract:Malware is one of the most significant threats in today’s computing world since the number of websites distributing malware is increasing at a rapid rate. Malware analysis and prevention methods are increasingly becoming necessary for computer systems connected to the Internet. This software exploits the system’s vulnerabilities to steal valuable information without the user’s knowledge, and stealthily send it to remote servers controlled by attackers. Traditionally, anti-malware products use signatures for detecting known malware. However, the signature-based method does not scale in detecting obfuscated and packed malware. Considering that the cause of a problem is often best understood by studying the structural aspects of a program like the mnemonics, instruction opcode, API Call, etc. In this paper, we investigate the relevance of the features of unpacked malicious and benign executables like mnemonics, instruction opcodes, and API to identify a feature that classifies the executable. Prominent features are extracted using Minimum Redundancy and Maximum Relevance (mRMR) and Analysis of Variance (ANOVA). Experiments were conducted on four datasets using machine learning and deep learning approaches such as Support Vector Machine (SVM), Naïve Bayes, J48, Random Forest (RF), and XGBoost. In addition, we also evaluate the performance of the collection of deep neural networks like Deep Dense network, One-Dimensional Convolutional Neural Network (1D-CNN), and CNN-LSTM in classifying unknown samples, and we observed promising results using APIs and system calls. On combining APIs/system calls with static features, a marginal performance improvement was attained comparing models trained only on dynamic features. Moreover, to improve accuracy, we implemented our solution using distinct deep learning methods and demonstrated a fine-tuned deep neural network that resulted in an F1-score of 99.1% and 98.48% on Dataset-2 and Dataset-3, respectively.

engineering, electrical & electronic,computer science, information systems,physics, applied

Ting Liu,Xiaohong Guan,Yu Qu,Yanan Sun

DOI: https://doi.org/10.1007/978-3-642-24403-2_14

2011-01-01

Abstract:In recent years, millions of new malicious programs are produced by Pa mature industry of malware production. These programs have tremendous challenges on the signature-based anti-virus products and pose great threats on network and information security. Machine learning techniques are applicable for detecting unknown malicious programs without knowing their signatures. In this paper, a Layered Detection (LD) method is developed to detect malwares with a two-layer framework. The Low-Level-Classifiers (LLC) are employed to identify whether the programs perform any malicious functions according to the API-calls of the programs. The Up-level-Classifier (ULC) is applied to detect malwares according to the low level function identification. The LD method is compared with many classical classification algorithms with comprehensive test datasets containing 16135 malwares and 1800 benign programs. The experiments demonstrate that the LD method outperforms other algorithms in terms of detection accuracy.

Muhammad Shoaib Akhtar,Tao Feng

DOI: https://doi.org/10.3390/sym14112304

2022-11-04

Symmetry

Abstract:One of the most significant issues facing internet users nowadays is malware. Polymorphic malware is a new type of malicious software that is more adaptable than previous generations of viruses. Polymorphic malware constantly modifies its signature traits to avoid being identified by traditional signature-based malware detection models. To identify malicious threats or malware, we used a number of machine learning techniques. A high detection ratio indicated that the algorithm with the best accuracy was selected for usage in the system. As an advantage, the confusion matrix measured the number of false positives and false negatives, which provided additional information regarding how well the system worked. In particular, it was demonstrated that detecting harmful traffic on computer systems, and thereby improving the security of computer networks, was possible using the findings of malware analysis and detection with machine learning algorithms to compute the difference in correlation symmetry (Naive Byes, SVM, J48, RF, and with the proposed approach) integrals. The results showed that when compared with other classifiers, DT (99%), CNN (98.76%), and SVM (96.41%) performed well in terms of detection accuracy. DT, CNN, and SVM algorithms' performances detecting malware on a small FPR (DT = 2.01%, CNN = 3.97%, and SVM = 4.63%,) in a given dataset were compared. These results are significant, as malicious software is becoming increasingly common and complex.

Abien Fred Agarap

DOI: https://doi.org/10.48550/arXiv.1801.00318

2019-02-07

Abstract:Effective and efficient mitigation of malware is a long-time endeavor in the information security community. The development of an anti-malware system that can counteract an unknown malware is a prolific activity that may benefit several sectors. We envision an intelligent anti-malware system that utilizes the power of deep learning (DL) models. Using such models would enable the detection of newly-released malware through mathematical generalization. That is, finding the relationship between a given malware $x$ and its corresponding malware family $y$, $f: x \mapsto y$. To accomplish this feat, we used the Malimg dataset (Nataraj et al., 2011) which consists of malware images that were processed from malware binaries, and then we trained the following DL models 1 to classify each malware family: CNN-SVM (Tang, 2013), GRU-SVM (Agarap, 2017), and MLP-SVM. Empirical evidence has shown that the GRU-SVM stands out among the DL models with a predictive accuracy of ~84.92%. This stands to reason for the mentioned model had the relatively most sophisticated architecture design among the presented models. The exploration of an even more optimal DL-SVM model is the next stage towards the engineering of an intelligent anti-malware system.

Neural and Evolutionary Computing,Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

Jingling Zhao,Suoxing Zhang,Bohan Liu,Baojiang Cui

DOI: https://doi.org/10.1109/icccn.2018.8487459

2018-01-01

Abstract:As millions of new malware samples emerge every day, traditional malware detection techniques are no longer adequate. Static analysis methods, such as file signature, fail to detect unknown programs. Dynamic analysis methods have low efficiency and high false positive rate. We need a detection technique that can adapt to the rapidly changing malware ecosystem. The paper presented a new malware detection method using machine learning based on the combination of dynamic and static features. The characteristic of this experiment involved in many fields of knowledge, including binary program instrumentation, static analysis, assembly instruction analysis, machine learning, etc. Finally, we achieved a good result over a substantial number of malwares.

Di Xue,Jingmei Li,Tu Lv,Weifei Wu,Jiaxiang Wang

DOI: https://doi.org/10.1109/access.2019.2927552

IF: 3.9

2019-01-01

IEEE Access

Abstract:Malware classification plays an important role in tracing the attack sources of computer security. However, existing static analysis methods are fast in classification, but they are inefficient in some malware using packing and obfuscation techniques; the dynamic analysis methods have better universality for packing and obfuscation, but they will cause excessive classification cost. To overcome these shortcomings, in this paper, we propose a classification system Malscore based on the probability scoring and machine learning, which sets the probability threshold to concatenate static analysis (called Phase 1) and dynamic analysis (called Phase 2). The convolutional neural networks with spatial pyramid pooling were used to analyze the grayscale images (static features) in Phase 1, and the variable n-grams and machine learning were used to analyze the native API call sequences (dynamic features) in Phase 2. Malscore combined static analysis with dynamic analysis not only accelerated the static analysis process by taking advantage of the CNN in image recognition but also appeared to be more resilient to obfuscation by the dynamic analysis. Different from other static and dynamic analysis techniques, when malware is detected, due to the fact that malware will most likely be labeled only by static analysis, we could reduce the overheads by dynamically analyzing a few malware that has less obvious features or greater confusion in static analysis. We performed experiments on 174 607 malware samples from 63 malware families. The result showed that Malscore achieved 98.82% accuracy for malware classification. Furthermore, Malscore was compared with the method of using static and dynamic analysis. The preprocessing and test time represented a reduction of 59.58% and 61.70%, respectively.

Liu,Bao-sheng Wang,Bo Yu,Qiu-xi Zhong

DOI: https://doi.org/10.1631/fitee.1601325

IF: 2.526

2017-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:The explosive growth of malware variants poses a major threat to information security. Traditional anti-virus systems based on signatures fail to classify unknown malware into their corresponding families and to detect new kinds of malware programs. Therefore, we propose a machine learning based malware analysis system, which is composed of three modules: data processing, decision making, and new malware detection. The data processing module deals with gray-scale images, Opcode n-gram, and import functions, which are employed to extract the features of the malware. The decision-making module uses the features to classify the malware and to identify suspicious malware. Finally, the detection module uses the shared nearest neighbor (SNN) clustering algorithm to discover new malware families. Our approach is evaluated on more than 20 000 malware instances, which were collected by Kingsoft, ESET NOD32, and Anubis. The results show that our system can effectively classify the unknown malware with a best accuracy of 98.9%, and successfully detects 86.7% of the new malware.

Ying Fang,Bo Yu,Yong Tang,Liu Liu,Zexin Lu,Yi Wang,Qiang Yang

DOI: https://doi.org/10.1007/978-3-319-59870-3_10

2017-01-01

Abstract:Dynamic analysis plays an important role in analyzing malware variants which have used obfuscation, polymorphism and metamorphism techniques. Malware classification is an emerging approach for discriminating different malware families. However, existing malware classification methods have mediocre performance in small scale datasets and some machine learning algorithms have difficulties in handling imbalanced datasets. To solve these issues, we propose an ensemble learning based dynamic malware classification approach aiming at datasets of different scales. Additionally a novel feature selection method is presented to select features with strong discrimination power. In particular, we continue to explore issues in feature representation and feature selection. To verify the efficiency of our approach, we perform a series of comparative experiments with existing feature selection methods, commercial anti-malware tools and current malware classification techniques. The experimental results demonstrate that our approach can classify malware variants in high F1-score while imposing low classification time in datasets of different scales.

Jian Zhang,Cheng Gao,Liangyi Gong,Zhaojun Gu,Dapeng Man,Wu Yang,Wenzhen Li

DOI: https://doi.org/10.1007/s11036-019-01503-4

2020-01-08

Mobile Networks and Applications

Abstract:As more and more applications migrate to clouds, the type and amount of malware attack against virtualized environments are increasing, which is a key factor that restricts the widespread deployment and application of cloud platforms. Traditional in-VM-based security software is not effective against malware attacks, as the security software itself becomes the target of malware attacks and can easily be tampered with or even subverted. In this paper, we propose a new malware detection method to improve virtual machine security performance and ensure the security of the entire cloud platform. This paper uses the virtual machine introspection(VMI) combined with the memory forensics analysis(MFA) technology to extract multiple types of dynamic features from the virtual machine memory, the hypervisor layer and the hardware layer. Furthermore, this paper proposes an adaptive feature selection method. By combining three different search strategies, three types of features are compared and analyzed from three aspects: effectiveness, system load and security. By adjusting the weight of each feature, it meets the detection requirements of different malware in the cloud environment as expected. Finally, the detection method improves the detection accuracy and generalization ability of the overall classifier using the AdaBoost ensemble learning method with Voting's combination strategy. The experiment used a large number of real malicious samples, and achieved an accuracy of 0.999 (AUC), with a maximum performance overhead of 5.6%.

computer science, information systems,telecommunications, hardware & architecture

Zhiqiang Wang,Yao Tang,Jing Yao,Rong Qian,Zheng Zhang,Pingchuan Ma

DOI: https://doi.org/10.1145/3207677.3277976

2018-01-01

Abstract:In the1 modern global mobile phone market, Android OS is firmly occupying the first throne with the absolute user base and the proportion of mobile phones, and with the proliferation of android smart phones and other mobile devices, it has also attracted more and more attention from malware developers. There are a large number of malware in several major application markets around the world. In order to solve this problem, this paper proposes a large-scale malware detection system based on multiclass features and machine learning. There are two main problems in the traditional detection schemes, one is how to analyze and extract effectively features which can distinguish malware and benign software, the other is that how to select the most suitable algorithm to detect malware. For the first problem, we select the features that can reflect the android software's maliciousness by extracting android features and removing the features whose degree of distinction are less. For the second problem, we compare seven machine learning algorithms and select the most suitable algorithm that has the highest accuracy for android malware identification. Afterwards, many experiments are done to verify our solutions. First, we extract 234 features and select 76 features. Second, selecting the most suitable algorithm "ensemble learning" by comparing the detection accuracies of 7 algorithms, then adjusting and optimizing the related parameter to achieve the highest accuracy, 99.73%, which proves the effectiveness of our system and scheme.

Ya-Shu Liu,Yu-Kun Lai,Zhi-Hai Wang,Han-Bing Yan

DOI: https://doi.org/10.1109/access.2019.2892500

IF: 3.9

2019-01-01

IEEE Access

Abstract:With the development of the Internet, malware has become one of the most significant threats. Recognizing specific types of malware is an important step toward effective removal. Malware visualization is an important branch of malware static analysis techniques, where a piece of malware is turned into an image for visualization and classification. Despite great success, it is still difficult to extract effective texture feature representations for challenging datasets. The existing methods use global image features which are sensitive to relative code locations. In this paper, we present a new learning framework to obtain more discriminative and robust feature descriptors. The proposed method works with the existing local descriptors such as local binary patterns and dense scale-invariant feature transform, by grouping them into blocks and by using a new bag-of-visual-words model to obtain robust features, which are more flexible than global features and more robust than local features. We evaluate the proposed method on three malware databases. The experimental results demonstrate that the obtained descriptors lead to the state-of-the-art classification performance.

Ying Cao,Qiguang Miao,Jiachen Liu,Lin Gao

DOI: https://doi.org/10.1007/s11416-013-0186-3

2013-01-01

Journal of Computer Virology and Hacking Techniques

Abstract:Dynamic behavior-based malware analysis and detection is considered to be one of the most promising ways to combat with the obfuscated and unknown malwares. To perform such analysis, behavioral feature abstraction plays a fundamental role, because how to specify program formally to a large extend determines what kind of algorithm can be used. In existing research, graph-based methods keep a dominant position in specifying malware behaviors. However, they restrict the detection algorithm to be chosen from graph mining algorithm. In this paper, we build a complete virtual environment to capturemalware behaviors, especially that to stimulate network behaviors of a malware. Then, we study the problem of abstracting constant behavioral features from API call sequences and propose a minimal security-relevant behavior abstraction way, which absorbs the advantages of prevalent graph-based methods in behavior representation and has the following advantages: first API calls are aggregated by data dependence, therefore it is resistent to redundant data and is a kind of more constant feature. Second, API call arguments are also abstracted particularly, this further contributes to common and constant behavioral features of malware variants. Third, it is a moderate degree aggregation of a small group of API calls with a constructing criterion that centering on an independent operation on a sensitive resource. Fourth, it is very easy to embed the extracted behaviors in a high dimensional vector space, so that it can be processed by almost all of the prevalent statistical learning algorithms. We then evaluate these minimal security-relevant behaviors in three kinds of test, including similarity comparison, clustering and classification. The experimental results show that our method has a capacity in distinguishing malwares from different families and also from benign programs, and it is useful for many statistical learning algorithms.

Muhammad Shoaib Akhtar,Tao Feng

DOI: https://doi.org/10.3390/s23020946

IF: 3.9

2023-01-14

Sensors

Abstract:This research study mainly focused on the dynamic malware detection. Malware progressively changes, leading to the use of dynamic malware detection techniques in this research study. Each day brings a new influx of malicious software programmes that pose a threat to online safety by exploiting vulnerabilities in the Internet. The proliferation of harmful software has rendered manual heuristic examination of malware analysis ineffective. Automatic behaviour-based malware detection using machine learning algorithms is thus considered a game-changing innovation. Threats are automatically evaluated based on their behaviours in a simulated environment, and reports are created. These records are converted into sparse vector models for use in further machine learning efforts. Classifiers used to synthesise the results of this study included kNN, DT, RF, AdaBoost, SGD, extra trees and the Gaussian NB classifier. After reviewing the test and experimental data for all five classifiers, we found that the RF, SGD, extra trees and Gaussian NB Classifier all achieved a 100% accuracy in the test, as well as a perfect precision (1.00), a good recall (1.00), and a good f1-score (1.00). Therefore, it is reasonable to assume that the proof-of-concept employing autonomous behaviour-based malware analysis and machine learning methodologies might identify malware effectively and rapidly.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation