Weihao Huang,Chaoyang Lin,Qiucun Yan,Lu Xiang,Zhiyu Zhang,Guozhu Meng,Kai Chen

DOI: https://doi.org/10.1109/cscwd57460.2023.10151998

2023-01-01

Abstract:In recent years, binary malware detection has attracted extensive attention from industry and academia. However, most of the existing work focuses on determining whether a sample is malicious or not, rather than identifying the malicious essence in malware. Few studies aim at locating malicious code at function granularity and suffer from inaccuracy. In this paper, we solve the problem by dividing malware into Functional Module (FM), which is a better granularity for locating malicious code, as it combines certain functions to express malicious behaviors in malware. We design a tool called FMDiv to automatically unpack and disassemble binary malware and then divide them into FMs based on the function call graph (CG). Meanwhile, one novel feature extraction and embedding method has been adopted to validate the effect of the FM division algorithm and provide one alternative method of characterization for subsequent malicious FM location. We evaluate FMDiv’s performance on 10,440 real-world samples from VIRUSSHARE. The results show that FMDiv can correctly characterize and make FM division of malware, outperforming current state-of-the-art work.

Rajvardhan Patil,Wei Deng

DOI: https://doi.org/10.1109/southeastcon44009.2020.9368268

2020-01-01

Abstract:In this era, where the volume and diversity of malware is rising exponentially, new techniques need to be employed for faster and accurate identification of the malwares. Manual heuristic inspection of malware analysis are neither effective in detecting new malware, nor efficient as they fail to keep up with the high spreading rate of malware. Machine learning approaches have therefore gained momentum. They have been used to automate static and dynamic analysis investigation where malware having similar behavior are clustered together, and based on the proximity unknown malwares get classified to their respective families. Although many such research efforts have been conducted where data-mining and machine-learning techniques have been applied, in this paper we show how the accuracy can further be improved using deep learning networks. As deep learning offers superior classification by constructing neural networks with a higher number of potentially diverse layers it leads to improvement in automatic detection and classification of the malware variants.In this research, we present a framework which extracts various feature-sets such as system calls, operational codes, sections, and byte codes from the malware files. In the experimental and result section, we compare the accuracy obtained from each of these features and demonstrate that feature vector for system calls yields the highest accuracy. The paper concludes by showing how deep learning approach performs better than the traditional shallow machine learning approaches.

Ahmet Selman Bozkir,Ersan Tahillioglu,Murat Aydos,Ilker Kara

DOI: https://doi.org/10.1016/j.cose.2020.102166

2021-04-01

Abstract:The everlasting increase in usage of information systems and online services have triggered the birth of the new type of malware which are more dangerous and hard to detect. In particular, according to the recent reports, the new type of fileless malware infect the victims' devices without a persistent trace (i.e. file) on hard drives. Moreover, existing static malware detection methods in literature often fail to detect sophisticated malware utilizing various obfuscation and encryption techniques. Our contribution in this study is two-folded. First, we present a novel approach to recognize malware by capturing the memory dump of suspicious processes which can be represented as a RGB image. In contrast to the conventional approaches followed by static and dynamic methods existing in the literature, we aimed to obtain and use memory data to reveal visual patterns that can be classified by employing computer vision and machine learning methods in a multi-class open-set recognition regime. And second, we have applied a state of art manifold learning scheme named UMAP to improve the detection of unknown malware files through binary classification. Throughout the study, we have employed our novel dataset covering 4294 samples in total, including 10 malware families along with the benign executables. Lastly, we obtained their memory dumps and converted them to RGB images by applying 3 different rendering schemes. In order to generate their signatures (i.e. feature vectors), we utilized GIST and HOG (Histogram of Gradients) descriptors as well as their combination. Moreover, the obtained signatures were classified via machine learning algorithms of j48, RBF kernel-based SMO, Random Forest, XGBoost and linear SVM. According to the results of the first phase, we have achieved prediction accuracy up to 96.39% by employing SMO algorithm on the feature vectors combined with GIST+HOG. Besides, the UMAP based manifold learning strategy has improved accuracy of the unknown malware recognition models up to 12.93%, 21.83%, 20.78% on average for Random Forest, linear SVM and XGBoost algorithms respectively. Moreover, on a commercially available standard desktop computer, the suggested approach takes only 3.56 s for analysis on average. The results show that our vision based scheme provides an effective protection mechanism against malicious applications.

computer science, information systems

Karamitsos Ioannis,Afzulpurkar Aishwarya,B. Trafalis Theodore,Ioannis Karamitsos,Aishwarya Afzulpurkar,Theodore B. Trafalis

DOI: https://doi.org/10.4236/jis.2020.112007

2020-01-01

Journal of Information Security

Abstract:Memory forensics is a young but fast-growing area of research and a promising one for the field of computer forensics. The learned model is proposed to reside in an isolated core with strict communication restrictions to achieve incorruptibility as well as efficiency, therefore providing a probabilistic memory-level view of the system that is consistent with the user-level view. The lower level memory blocks are constructed using primary block sequences of varying sizes that are fed as input into Long-Short Term Memory (LSTM) models. Four configurations of the LSTM model are explored by adding bi- directionality as well as attention. Assembly level data from 50 Windows portable executable (PE) files are extracted, and basic blocks are constructed using the IDA Disassembler toolkit. The results show that longer primary block sequences result in richer LSTM hidden layer representations. The hidden states are fed as features into Max pooling layers or Attention layers, depending on the configuration being tested, and the final classification is performed using Logistic Regression with a single hidden layer. The bidirectional LSTM with Attention proved to be the best model, used on basic block sequences of size 29. The differences between the model’s ROC curves indicate a strong reliance on the lower level, instructional features, as opposed to metadata or string features.

Shuhui Zhang,Changdong Hu,Lianhai Wang,Miodrag J. Mihaljevic,Shujiang Xu,Tian Lan

DOI: https://doi.org/10.3390/sym15030758

2023-03-20

Symmetry

Abstract:As cyber attacks grow more complex and sophisticated, new types of malware become more dangerous and challenging to detect. In particular, fileless malware injects malicious code into the physical memory directly without leaving attack traces on disk files. This type of attack is well concealed, and it is difficult to find the malicious code in the static files. For malicious processes in memory, signature-based detection methods are becoming increasingly ineffective. Facing these challenges, this paper proposes a malware detection approach based on convolutional neural network and memory forensics. As the malware has many symmetric features, the saved training model can detect malicious code with symmetric features. The method includes collecting executable static malicious and benign samples, running the collected samples in a sandbox, and building a dataset of portable executables in memory through memory forensics. When a process is running, not all the program content is loaded into memory, so binary fragments are utilized for malware analysis instead of the entire portable executable (PE) files. PE file fragments are selected with different lengths and locations. We conducted several experiments on the produced dataset to test our model. The PE file with 4096 bytes of header fragment has the highest accuracy. We achieved a prediction accuracy of up to 97.48%. Moreover, an example of fileless attack is illustrated at the end of the paper. The results show that the proposed method can detect malicious codes effectively, especially the fileless attack. Its accuracy is better than that of common machine learning methods.

multidisciplinary sciences

Rami Sihwail,Khairuddin Omar,Khairul Akram Zainol Ariffin,Sanad Al Afghani,Khairul Zainol Ariffin

DOI: https://doi.org/10.3390/app9183680

2019-09-05

Applied Sciences

Abstract:The need to detect malware before it harms computers, mobile phones and other electronic devices has caught the attention of researchers and the anti-malware industry for many years. To protect users from malware attacks, anti-virus software products are downloaded on the computer. The anti-virus mainly uses signature-based techniques to detect malware. However, this technique fails to detect malware that uses packing, encryption or obfuscation techniques. It also fails to detect unseen (new) ones. This paper proposes an integrated malware detection approach that applies memory forensics to extract malicious artifacts from memory and combines them to features extracted during the execution of malware in a dynamic analysis. Pre-modeling techniques were also applied for feature engineering before training and testing the data set on the machine learning models. The experimental results show a significant improvement in both detection accuracy rate and false positive rate, 98.5% and 1.7% respectively, by applying the support vector machine. The results verify that our integrated analysis approach outperforms other analysis methods. In addition, the proposed approach overcomes the limitation of single path file execution in dynamic analysis by adding more relevant memory artifacts that can reveal the real intention of malicious files.

Mathew Ashik,A. Jyothish,S. Anandaram,P. Vinod,Francesco Mercaldo,Fabio Martinelli,Antonella Santone

DOI: https://doi.org/10.3390/electronics10141694

IF: 2.9

2021-07-15

Electronics

Abstract:Malware is one of the most significant threats in today’s computing world since the number of websites distributing malware is increasing at a rapid rate. Malware analysis and prevention methods are increasingly becoming necessary for computer systems connected to the Internet. This software exploits the system’s vulnerabilities to steal valuable information without the user’s knowledge, and stealthily send it to remote servers controlled by attackers. Traditionally, anti-malware products use signatures for detecting known malware. However, the signature-based method does not scale in detecting obfuscated and packed malware. Considering that the cause of a problem is often best understood by studying the structural aspects of a program like the mnemonics, instruction opcode, API Call, etc. In this paper, we investigate the relevance of the features of unpacked malicious and benign executables like mnemonics, instruction opcodes, and API to identify a feature that classifies the executable. Prominent features are extracted using Minimum Redundancy and Maximum Relevance (mRMR) and Analysis of Variance (ANOVA). Experiments were conducted on four datasets using machine learning and deep learning approaches such as Support Vector Machine (SVM), Naïve Bayes, J48, Random Forest (RF), and XGBoost. In addition, we also evaluate the performance of the collection of deep neural networks like Deep Dense network, One-Dimensional Convolutional Neural Network (1D-CNN), and CNN-LSTM in classifying unknown samples, and we observed promising results using APIs and system calls. On combining APIs/system calls with static features, a marginal performance improvement was attained comparing models trained only on dynamic features. Moreover, to improve accuracy, we implemented our solution using distinct deep learning methods and demonstrated a fine-tuned deep neural network that resulted in an F1-score of 99.1% and 98.48% on Dataset-2 and Dataset-3, respectively.

engineering, electrical & electronic,computer science, information systems,physics, applied

Hamad Naeem,Shi Dong,Olorunjube James Falana,Farhan Ullah

DOI: https://doi.org/10.1016/j.eswa.2023.119952

IF: 8.5

2023-03-24

Expert Systems with Applications

Abstract:Malware has become more complicated in its purpose and abilities over time, demanding continuous progress in detection and defense technologies. Malware designers use anti-analysis obfuscation techniques, including packing and encryption, to evade detection and hinder the analysis process. Current malware detection methods have shortcomings; thus, an alternative dynamic platform-independent scheme is proposed to extract harmful hardware impressions. This scheme includes extracting and converting a file from process memory dumps into an image. A combined structural and statistical image textural analysis is performed by designing a hybrid local and global feature descriptor. The hybrid feature descriptor helps to improve the data training ability of the proposed deep-stacked ensemble model by reducing input dimensions. A deep-stacked ensemble model is developed by combining prediction outputs from weak learners (CNNs) and feeding them into a meta-learner (MLP) as learning input. An explainable artificial intelligence-based approach is employed to interpret and validate the final results of the proposed scheme. Evaluations are conducted using three datasets: the publicly available Dumpware10 dataset, which contains 3686 samples from 10 different malware families; the publicly available CIC-MalMem-2022 dataset, which includes 2,916 samples from 15 different obfuscated malware families; and a real-world dataset, which contains 2375 samples of both malware and benign android apps. Experimental outcomes show that the proposed scheme achieved 99.1% accuracy in analyzing Windows malware memory dumps, 94.3% accuracy in analyzing Android malware memory dumps, and 99.8% accuracy in analyzing Windows obfuscated malware memory dumps. The final results indicate that our vision-based system provides an excellent defense against malicious programs.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Jiaxi Liu,Yun Feng,Xinyu Liu,Jianjun Zhao,Qixu Liu

DOI: https://doi.org/10.1186/s42400-023-00157-w

2023-08-04

Abstract:Cyber attackers have constantly updated their attack techniques to evade antivirus software detection in recent years. One popular evasion method is to execute malicious code and perform malicious actions only in memory. Malicious programs that use this attack method are called memory-resident malware, with excellent evasion capability, and have posed huge threats to cyber security. Traditional static and dynamic methods are not effective in detecting memory-resident malware. In addition, existing memory forensics detection solutions perform unsatisfactorily in detection rate and depend on massive expert knowledge in memory analysis. This paper proposes MRm-DLDet, a state-of-the-art memory-resident malware detection framework, to overcome these drawbacks. MRm-DLDet first builds a virtual machine environment and captures memory dumps, then creatively processes the memory dumps into RGB images using a pre-processing technique that combines deduplication and ultra-high resolution image cropping, followed by our neural network MRmNet in MRm-DLDet to fully extract high-dimensional features from memory dump files and detect them. MRmNet receives the labeled sub-images of the cropped high-resolution RGB images as input of ResNet-18, which extracts the features of the sub-images. Then trains a network of gated recurrent units with an attention mechanism. Finally, it determines whether a program is memory-resident malware based on the detection results of each sub-image through a specially designed voting layer. We created a high-quality dataset consisting of 2,060 benign and memory-resident programs. In other words, the dataset contains 1,287,500 labeled sub-images cut from the MRm-DLDet transformed ultra-high resolution RGB images. We implement MRm-DLDet for Windows 10, and it performs better than the latest methods, with a detection accuracy of up to 98.34 . Moreover, we measured the effects of mimicry and adversarial attacks on MRm-DLDet, and the experimental results demonstrated the robustness of MRm-DLDet.

Syed Shakir Hameed Shah,Abd Rahim Ahmad,Norziana Jamil,Atta ur Rehman Khan

DOI: https://doi.org/10.3390/electronics11162579

IF: 2.9

2022-08-19

Electronics

Abstract:Malware has recently grown exponentially in recent years and poses a serious threat to individual users, corporations, banks, and government agencies. This can be seen from the growth of Advanced Persistent Threats (APTs) that make use of advance and sophisticated malware. With the wide availability of computer-automated tools such as constructors, email flooders, and spoofers. Thus, it is now easy for users who are not technically inclined to create variations in existing malware. Researchers have developed various defense techniques in response to these threats, such as static and dynamic malware analyses. These techniques are ineffective at detecting new malware in the main memory of the computer and otherwise require considerable effort and domain-specific expertise. Moreover, recent techniques of malware detection require a long time for training and occupy a large amount of memory due to their reliance on multiple factors. In this paper, we propose a computer vision-based technique for detecting malware that resides in the main computer memory in which our technique is faster or memory efficient. It works by taking portable executables in a virtual environment to extract memory dump files from the volatile memory and transform them into a particular image format. The computer vision-based contrast-limited adaptive histogram equalization and the wavelet transform are used to improve the contrast of neighboring pixel and to reduce the entropy. We then use the support vector machine, random forest, decision tree, and XGBOOST machine learning classifiers to train the model on the transformed images with dimensions of 112 × 112 and 56 × 56. The proposed technique was able to detect and classify malware with an accuracy rate of 97.01%. Its precision, recall, and F1-score were 97.36%, 95.65%, and 96.36%, respectively. Our finding shows that our technique in preparing dataset with more efficient features to be trained by the Machine Learning classifiers has resulted in significant performance in terms of accuracy, precision, recall, F1-score, speed and memory consumption. The performance has superseded most of the existing techniques in its unique approach.

engineering, electrical & electronic,computer science, information systems,physics, applied

Haizhou Wang,Nanqing Luo,Peng LIu

2024-11-09

Abstract:Sandboxes and other dynamic analysis processes are prevalent in malware detection systems nowadays to enhance the capability of detecting 0-day malware. Therefore, techniques of anti-dynamic analysis (TADA) are prevalent in modern malware samples, and sandboxes can suffer from false negatives and analysis failures when analyzing the samples with TADAs. In such cases, human reverse engineers will get involved in conducting dynamic analysis manually (i.e., debugging, patching), which in turn also gets obstructed by TADAs. In this work, we propose a Large Language Model (LLM) based workflow that can pinpoint the location of the TADA implementation in the code, to help reverse engineers place breakpoints used in debugging. Our evaluation shows that we successfully identified the locations of 87.80% known TADA implementations adopted from public repositories. In addition, we successfully pinpoint the locations of TADAs in 4 well-known malware samples that are documented in online malware analysis blogs.

Cryptography and Security,Artificial Intelligence

Jian-Min Chen,Yu-Meng Feng,Yin-Ming Mei

DOI: https://doi.org/10.1109/ICMLC.2010.5580940

2010-01-01

Abstract:With the rapid development of Internet application, malware detection becomes more and more important and tremendous. There are tens of thousands of new malware samples especially associated with economic interests. Manual inspection is difficult to identify the samples with high-speed response. We designed and implemented an automatically identifying system based on the mass samples. It has high accuracy and good speed improving the efficiency of detecting malware.

Chan Woo Kim

DOI: https://doi.org/10.48550/arXiv.1802.05412

2018-05-20

Abstract:As computing systems become increasingly advanced and as users increasingly engage themselves in technology, security has never been a greater concern. In malware detection, static analysis, the method of analyzing potentially malicious files, has been the prominent approach. This approach, however, quickly falls short as malicious programs become more advanced and adopt the capabilities of obfuscating its binaries to execute the same malicious functions, making static analysis extremely difficult for newer variants. The approach assessed in this paper is a novel dynamic malware analysis method, which may generalize better than static analysis to newer variants. Inspired by recent successes in Natural Language Processing (NLP), widely used document classification techniques were assessed in detecting malware by doing such analysis on system calls, which contain useful information about the operation of a program as requests that the program makes of the kernel. Features considered are extracted from system call traces of benign and malicious programs, and the task to classify these traces is treated as a binary document classification task of system call traces. The system call traces were processed to remove the parameters to only leave the system call function names. The features were grouped into various n-grams and weighted with Term Frequency-Inverse Document Frequency. This paper shows that Linear Support Vector Machines (SVM) optimized by Stochastic Gradient Descent and the traditional Coordinate Descent on the Wolfe Dual form of the SVM are effective in this approach, achieving a highest of 96% accuracy with 95% recall score. Additional contributions include the identification of significant system call sequences that could be avenues for further research.

Cryptography and Security,Computation and Language

Ömer Aslan

DOI: https://doi.org/10.3390/electronics12081861

IF: 2.9

2023-04-15

Electronics

Abstract:The increased usage of the Internet raises cyber security attacks in digital environments. One of the largest threats that initiate cyber attacks is malicious software known as malware. Automatic creation of malware as well as obfuscation and packing techniques make the malicious detection processes a very challenging task. The obfuscation techniques allow malware variants to bypass most of the leading literature malware detection methods. In this paper, a more effective malware detection system is proposed. The goal of the study is to detect traditional as well as new and complex malware variants. The proposed approach consists of three modules. Initially, the malware samples are collected and analyzed by using dynamic malware analysis tools, and execution traces are collected. Then, the collected system calls are used to create malware behaviors as well as features. Finally, a proposed deep learning methodology is used to effectively separate malware from benign samples. The deep learning methodology consists of one input layer, three hidden layers, and an output layer. In hidden layers, 500, 64, and 32 fully connected neurons are used in the first, second, and third hidden layers, respectively. To keep the model simple as well as obtain optimal solutions, we have selected three hidden layers in which neurons are decreasing in the following subsequent layers. To increase the model performance and use more important features, various activation functions are used. The test results show that the proposed system can effectively detect the malware with more than 99% DR, f-measure, and 99.80 accuracy, which is substantially high when compared with other methods. The proposed system can recognize new malware variants that could not be detected with signature, heuristic, and some behavior-based detection techniques. Further, the proposed system has performed better than the well-known methods that are mentioned in the literature based on the DR, precision, recall, f-measure, and accuracy metrics.

engineering, electrical & electronic,computer science, information systems,physics, applied

Dorel Yaffe,Danny Hendler

DOI: https://doi.org/10.1007/978-3-030-78086-9_29

2021-03-30

Abstract:In recent years malware has become increasingly sophisticated and difficult to detect prior to exploitation. While there are plenty of approaches to malware detection, they all have shortcomings when it comes to identifying malware correctly prior to exploitation. The trade-off is usually between false positives, causing overhead, preventing normal usage and the risk of letting the malware execute and cause damage to the target. We present a novel end-to-end solution for in-memory malicious activity detection done prior to exploitation by leveraging machine learning capabilities based on data from unique run-time logs, which are carefully curated in order to detect malicious activity in the memory of protected processes. This solution achieves reduced overhead and false positives as well as deployment simplicity. We implemented our solution for Windows-based systems, employing multi disciplinary knowledge from malware research, machine learning, and operating system internals. Our experimental evaluation yielded promising results. As we expect future sophisticated malware may try to bypass it, we also discuss how our solution can be extended to thwart such bypassing attempts.

Cryptography and Security,Machine Learning

Mohammed Nasereddin,Raad Al-Qassas

DOI: https://doi.org/10.1007/s10207-024-00836-w

2024-03-17

International Journal of Information Security

Abstract:This paper introduces a new approach for examining and analyzing fileless malware artifacts in computer memory. The proposed approach offers the distinct advantage of conducting a comprehensive live analysis of memory without the need for periodic memory dumping. Once a new process arrives, log files are collected by monitoring the Event Tracing for Windows facility as well as listing the executables of the active process for violation detection. The proposed approach significantly reduces detection time and minimizes resource consumption by adopting parallel computing (programming), where the main software (Master) divides the work, organizes the process of searching for artifacts, and distributes tasks to several agents. A dataset of 17411 malware samples is used in the assessment of the new approach. It provided satisfactory and reliable results in dealing with at least six different process injection techniques including classic DLL injection, reflective DLL injection, process hollowing, hook injection, registry modifications, and .NET DLL injection. The detection accuracy rate has reached with a false-positive rate of . Moreover, the accuracy was monitored in the case of launching several malwares using different process injection techniques simultaneously, and the detector was able to detect them efficiently. Also, it achieved a detection time with an average of 0.052 msec per detected malware.

computer science, information systems, theory & methods, software engineering

GUAN Yun-tao,DUAN Hai-xin

2009-01-01

Abstract:With the application of polymorphism,metamorphism and packing techniques,the analysis and detection of modern malware becomes more difficult.Manual malware analysis fails to handle this situation due to its unacceptable cost and human force involvement.The author design and implement an automated malware dynamic analysis system named MwDAS using kernel hooking and filter driver technologies,which can automatically analyze malware sample,extract and detail malware's behaviors into a well-organized report.The experiment shows that MwDAS can dramatically improve the analysis efficiency.

Ulrich Bayer,Andreas Moser,Christopher Kruegel,Engin Kirda

DOI: https://doi.org/10.1007/s11416-006-0012-2

2006-05-16

Journal in Computer Virology

Abstract:Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware.

X. Fu,X. Du,B. Luo

DOI: https://doi.org/10.1002/sec.1337

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:Memory forensics is an important technique for protecting network security and fighting against computer crimes. It has developed greatly in the past decade, because memory can provide more reliable information that other evidence sources do not contain. However, nowadays, when investigating network criminal cases, the Gigabyte GB and even Terabyte TB level memory and many such dumps have made memory analysis a difficult task. And investigators usually have to deal with complex operating system OS data structures, which they have little knowledge of. So how to analyze memory evidence automatically so as to find the hidden criminal behavior and reconstruct the scenario in an understandable way has become an important problem. This paper presents an automatic memory analysis methodology based on data correlation. Through analyzing key OS data structures and utilizing a clustering algorithm, this methodology can discover the relationships among processes, files, users, Dynamic-link library DLLs, and network connections. By describing these relationships as correlation graphs, our methods can reorganize these independent memory evidences and disclose their meanings in a high semantic level. Experiments have proved that these correlation graphs can help investigators find hidden criminal behavior and reconstruct the criminal scenarios. And as we know, now, little work is in this field. Copyright © 2015 John Wiley & Sons, Ltd.

Weizhong Qiang,Lin Yang,Hai Jin

DOI: https://doi.org/10.1016/j.cose.2022.102871

2022-08-10

Abstract:Nowadays, the rapid growth of the number and variety of malware brings great security challenges. Machine learning has become a mainstream tool for effective malware detection, which can mainly be classified into static and dynamic analysis methods. The purpose of malware detection is to have a good and stable detection performance for different software forms. However, many static analysis methods are easily affected by packing and other code obfuscation techniques, and dynamic analysis methods are commonly believed more robust, while the impact of packing on them has received little attention. In addition, adversarial sample attacks against dynamic analysis methods have also been conducted. This indicates the need to investigate more accurate and robust malware classification methods. In this paper, we propose a new robust dynamic analysis method for malware detection by using specific fine-grained behavioral features, i.e., control flow traces. Further, a malware classifier is constructed by converting control flow traces into byte sequences and applying a combination of convolutional neural networks and long short term memory . The proposed classifier can effectively detect malware with an accuracy of up to 95.7%, as well as detect unseen malware with an accuracy of 94.6% (indicating a good performance in handling the evolution of malware). Meanwhile, it is first found experimentally that packing has specific interference with existing behavior-based malware classifiers, resulting in even worse performance than static classifiers in some cases. However, the proposed classifier performs well in terms of robustness, showing stable performance under the interference of an uneven packing distribution in the dataset, with a 26.3% higher true positive rate for unpacked samples compared to the API call-based classifier. In addition, the classifier is also more robust against adversarial samples, with a detection rate of at least 83%.

computer science, information systems