Hassan Hadi Al-Maksousy,Michele C. Weigle,Cong Wang

DOI: https://doi.org/10.1109/ths.2018.8574174

2018-01-01

Abstract:Malware detection is an important problem. We propose an efficient real-time system to detect and classify malware based on network behavior using deep neural networks. We show that the splitting of the system into two neural networks, detection and analysis, is the key to increasing accuracy. Therefore, this approach allows for the construction of a real-time monitoring system with very low CPU usage. Finally, we provide a comparison analysis of four machine learning classifiers for this task.

Yong Fang,Wenjie Zhang,Beibei Li,Fan Jing,Lei Zhang

DOI: https://doi.org/10.1109/access.2019.2962198

IF: 3.9

2020-01-01

IEEE Access

Abstract:With the rapid advances of anti-virus and anti-tracking technologies, three aspects in malware clustering need to be improved for effective clustering, i.e., the robustness of features, the accuracy of similarity measurements, and the effectiveness of clustering algorithms. In this paper, we propose a novel malware family clustering approach based on dynamic and static features with their weights. In this approach, we employ a new similarity measurement method based on EMD to improve the accuracy of feature similarities. In addition, to reduce convergence time and improve clustering purity, we design a novel semi-supervised clustering algorithm, termed as S-DBSCAN by involving supervision information into the original algorithm known as Density-Based Spatial Clustering of Applications with Noise (DBSCAN). The experimental results demonstrate that the proposed approach can correctly and accurately distinguish the samples among various families and achieve outperformed purity with 98.7%.

Sun Haoliang,Wang Dawei,Zhang Ying

DOI: https://doi.org/10.1109/iccsn.2019.8905286

2019-01-01

Abstract:Nowadays, a major challenge to network security is malicious codes. However, manual extraction of features is one of the characteristics of traditional detection techniques, which is inefficient. On the other hand, the features of the content and behavior of the malicious codes are easy to change, resulting in more inefficiency of the traditional techniques. In this paper, a K-Means Clustering Analysis is proposed based on Adaptive Weights (AW-MMKM). Identifying malicious codes in the proposed method is based on four types of network behavior that can be extracted from network traffic, including active, fault, network scanning, and page behaviors. The experimental results indicate that the AW-MMKM can detect malicious codes efficiently with higher accuracy.

Joris Kinable,Orestis Kostakis

DOI: https://doi.org/10.48550/arXiv.1008.4365

2010-08-26

Abstract:Each day, anti-virus companies receive tens of thousands samples of potentially harmful executables. Many of the malicious samples are variations of previously encountered malware, created by their authors to evade pattern-based detection. Dealing with these large amounts of data requires robust, automatic detection approaches. This paper studies malware classification based on call graph clustering. By representing malware samples as call graphs, it is possible to abstract certain variations away, and enable the detection of structural similarities between samples. The ability to cluster similar samples together will make more generic detection techniques possible, thereby targeting the commonalities of the samples within a cluster. To compare call graphs mutually, we compute pairwise graph similarity scores via graph matchings which approximately minimize the graph edit distance. Next, to facilitate the discovery of similar malware samples, we employ several clustering algorithms, including k-medoids and DBSCAN. Clustering experiments are conducted on a collection of real malware samples, and the results are evaluated against manual classifications provided by human malware analysts. Experiments show that it is indeed possible to accurately detect malware families via call graph clustering. We anticipate that in the future, call graphs can be used to analyse the emergence of new malware families, and ultimately to automate implementation of generic detection schemes.

Cryptography and Security

Rajvardhan Patil,Wei Deng

DOI: https://doi.org/10.1109/southeastcon44009.2020.9368268

2020-01-01

Abstract:In this era, where the volume and diversity of malware is rising exponentially, new techniques need to be employed for faster and accurate identification of the malwares. Manual heuristic inspection of malware analysis are neither effective in detecting new malware, nor efficient as they fail to keep up with the high spreading rate of malware. Machine learning approaches have therefore gained momentum. They have been used to automate static and dynamic analysis investigation where malware having similar behavior are clustered together, and based on the proximity unknown malwares get classified to their respective families. Although many such research efforts have been conducted where data-mining and machine-learning techniques have been applied, in this paper we show how the accuracy can further be improved using deep learning networks. As deep learning offers superior classification by constructing neural networks with a higher number of potentially diverse layers it leads to improvement in automatic detection and classification of the malware variants.In this research, we present a framework which extracts various feature-sets such as system calls, operational codes, sections, and byte codes from the malware files. In the experimental and result section, we compare the accuracy obtained from each of these features and demonstrate that feature vector for system calls yields the highest accuracy. The paper concludes by showing how deep learning approach performs better than the traditional shallow machine learning approaches.

Chan Woo Kim

DOI: https://doi.org/10.48550/arXiv.1802.05412

2018-05-20

Abstract:As computing systems become increasingly advanced and as users increasingly engage themselves in technology, security has never been a greater concern. In malware detection, static analysis, the method of analyzing potentially malicious files, has been the prominent approach. This approach, however, quickly falls short as malicious programs become more advanced and adopt the capabilities of obfuscating its binaries to execute the same malicious functions, making static analysis extremely difficult for newer variants. The approach assessed in this paper is a novel dynamic malware analysis method, which may generalize better than static analysis to newer variants. Inspired by recent successes in Natural Language Processing (NLP), widely used document classification techniques were assessed in detecting malware by doing such analysis on system calls, which contain useful information about the operation of a program as requests that the program makes of the kernel. Features considered are extracted from system call traces of benign and malicious programs, and the task to classify these traces is treated as a binary document classification task of system call traces. The system call traces were processed to remove the parameters to only leave the system call function names. The features were grouped into various n-grams and weighted with Term Frequency-Inverse Document Frequency. This paper shows that Linear Support Vector Machines (SVM) optimized by Stochastic Gradient Descent and the traditional Coordinate Descent on the Wolfe Dual form of the SVM are effective in this approach, achieving a highest of 96% accuracy with 95% recall score. Additional contributions include the identification of significant system call sequences that could be avenues for further research.

Cryptography and Security,Computation and Language

Jin-Qi XIAO,Jun-Feng WANG

DOI: https://doi.org/10.3969/j.issn.0490-6756.2018.03.009

2018-01-01

Abstract:Internet Security companies collect tens of millions of new malware variants each year ,Virus Share ,the online malware repository ,has stored more than 27 million unlabeled malwares .Clustering malware variant according to certain behavior patterns ,not only makes the new attack easier to be detec-ted ,but also helps us to obtain the malware trends in time and take the corresponding preventive meas-ures .Therefore ,this paper proposes a malware variant clustering method which use dynamic analysis technology to extract malware features ,including import and export function name ,strings ,system re-source records and system calls ,then convert these features to the fuzzy hashes ,finally clustering mal-ware samples through the CFSFDP clustering algorithm .We select the number of clusters ,precision , recall ,F-score and entropy as external criteria ,select the intra-cluster cohesion and inter-cluster separa-tion as internal criteria .The experimental results demonstrate that compared with Symantec and ESET-NOD32 ,the F-score obtained in this paper increased by 11 .632% and 2 .41% ,and the number of clus-ters is closest to the artificial labeled .

Yi WANG,Yong TANG,Zexin LU,Xin YU

DOI: https://doi.org/10.3969/j.issn.1671-1122.2016.09.013

2016-01-01

Abstract:The increment of malware has exploded in recent years. As a result, using cluster algorithm to detect malware families has received the favors of security vendors. Malware clustering is the task of converging sample that has similar behavior or structure in the same group (called a cluster), and features selection plays a vital role in malware clustering. Firstly this paper discusses carefully the common features used in existing study of malware clustering and compares these features with each other. The most of existing works focus on the clustering based on single feature vector, while single feature vector is not capable of describing all the characteristics of malware. To solve this problem, then multi feature vector pairs are proposed to cluster malware. Also, according to the clustering results, the speciifc indexes are deifned to evaluate the selected feature vectors. Finally, combining with DBSCAN clustering algorithm, several feature vectors and their combinations are selected to test. The result shows that multi feature vector pairs are superior to single feature vector in identifying malware families.

Yuping Li,Jiyong Jang,Xin Hu,Xinming Ou

DOI: https://doi.org/10.48550/arXiv.1707.04795

2017-07-15

Cryptography and Security

Abstract:Clustering has been well studied for desktop malware analysis as an effective triage method. Conventional similarity-based clustering techniques, however, cannot be immediately applied to Android malware analysis due to the excessive use of third-party libraries in Android application development and the widespread use of repackaging in malware development. We design and implement an Android malware clustering system through iterative mining of malicious payload and checking whether malware samples share the same version of malicious payload. Our system utilizes a hierarchical clustering technique and an efficient bit-vector format to represent Android apps. Experimental results demonstrate that our clustering approach achieves precision of 0.90 and recall of 0.75 for Android Genome malware dataset, and average precision of 0.98 and recall of 0.96 with respect to manually verified ground-truth.

Rahul Kumar,Nisha Prajapati,R. R. Rout,Kamalakanta Sethi,Padmalochan Bera

DOI: https://doi.org/10.1109/ICCCNT49239.2020.9225627

2020-07-01

Abstract:Enforcing security and resilience in a cloud platform is an essential but challenging problem due to the presence of a large number of heterogeneous applications running on shared resources. A security analysis system that can detect threats or malware must exist inside the cloud infrastructure. Much research has been done on machine learning-driven malware analysis, but it is limited in computational complexity and detection accuracy. To overcome these drawbacks, we proposed a new malware detection system based on the concept of clustering and trend micro locality sensitive hashing (TLSH). We used Cuckoo sandbox, which provides dynamic analysis reports of files by executing them in an isolated environment. We used a novel feature extraction algorithm to extract essential features from the malware reports obtained from the Cuckoo sandbox. Further, the most important features are selected using principal component analysis (PCA), random forest, and Chi-square feature selection methods. Subsequently, the experimental results are obtained for clustering and non-clustering approaches on three classifiers, including Decision Tree, Random Forest, and Logistic Regression. The model performance shows better classification accuracy and false positive rate (FPR) as compared to the state-of-the-art works and non-clustering approach at significantly lesser computation cost.

Computer Science

Muhammad Shoaib Akhtar,Tao Feng

DOI: https://doi.org/10.3390/sym14112304

2022-11-04

Symmetry

Abstract:One of the most significant issues facing internet users nowadays is malware. Polymorphic malware is a new type of malicious software that is more adaptable than previous generations of viruses. Polymorphic malware constantly modifies its signature traits to avoid being identified by traditional signature-based malware detection models. To identify malicious threats or malware, we used a number of machine learning techniques. A high detection ratio indicated that the algorithm with the best accuracy was selected for usage in the system. As an advantage, the confusion matrix measured the number of false positives and false negatives, which provided additional information regarding how well the system worked. In particular, it was demonstrated that detecting harmful traffic on computer systems, and thereby improving the security of computer networks, was possible using the findings of malware analysis and detection with machine learning algorithms to compute the difference in correlation symmetry (Naive Byes, SVM, J48, RF, and with the proposed approach) integrals. The results showed that when compared with other classifiers, DT (99%), CNN (98.76%), and SVM (96.41%) performed well in terms of detection accuracy. DT, CNN, and SVM algorithms' performances detecting malware on a small FPR (DT = 2.01%, CNN = 3.97%, and SVM = 4.63%,) in a given dataset were compared. These results are significant, as malicious software is becoming increasingly common and complex.

XU Xiao-lin,YUN Xiao-chun,ZHOU Yong-lin,KANG Xue-bin

DOI: https://doi.org/10.3969/j.issn.1000-436x.2013.08.019

2013-01-01

Journal of Communications

Abstract:In order to improve the effectiveness and efficiency of mass malicious code analysis,an online analytical model was proposed including feature space construction,automatic feature extraction and fast clustering.Our research focused on the law of malware behavior and code string distribution by dynamic and static techniques.In this model,a sample was described with its API and key code fragment.This model proposed a fast clustering approach to identify group samples that exhibit similar feature when applied this model to real-world malware collections.The result demonstrates that the proposed model is able to extract feature automatically,support streaming data clustering on large-scale,and achieve better precision.

huabiao lu,xiaofeng wang,jinshu su

2013-01-01

International Journal of Grid and Distributed Computing

Abstract:Malware is huge and growing at an exponential pace. Symantec observes 403 million new malware samples in 2011. Therefore, that efficiently and effectively analysis so many malware samples becomes a great challenge. Centralized systems cause problems of single point of failure as well as processing bottlenecks. Previous distributed systems are mainly applied for specific or simple malware. This paper presents SCMA, a new distributed malware analysis system which can analyze various malware, shares behavior fragments among its monitors efficiently, analyzes malware based on global behavior of malware and aggregates those analyses among monitors in a load-balance way. We implemented a proof-of-concept version of SCMA and performed experiments with 917 real-world malware samples; preliminary results from our evaluation confirm that SCMA has comparable performance with centralized system, but much better scalability, and is approximately consistent with the analysis of AV scanners.

Xi Xiao,Xianni Xiao,Yong Jiang,Xuejiao Liu,Runguo Ye

DOI: https://doi.org/10.1002/ett.3016

IF: 3.6

2016-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:With the popularity of Android devices, mobile malware in Android has became more prevalent. Malware causes lots of harm to users, such as stealing personal information and using too much battery or CPU. Detecting mobile malware is the main task in Android security. In this work, we use a dynamic analysis method to distinguish malware with system call sequences. At first, we track the system calls of applications under different events. Then two different feature models, the frequency vector and the co‐occurrence matrix, are employed to extract features from the system call sequence. Finally, we apply Adaptive Regularization Of Weight Vectors and other machine learning algorithms to identify Android malware based on the aforementioned two models, respectively. We evaluate our method with 1189 benign applications and 1227 malicious applications. The experiment results show that the co‐occurrence matrix can achieve a much better detection rate than the frequency vector. Our best detection rate is 97.7per cent with false positive rate being 1.34per cent, which is better than those of the existing methods. Copyright © 2016 John Wiley & Sons, Ltd.

Tolvinas Vyšniūnas,Dainius Čeponis,Nikolaj Goranin,Antanas Čenys

DOI: https://doi.org/10.3390/electronics13010206

IF: 2.9

2024-01-03

Electronics

Abstract:Malware intrusion is a serious threat to cybersecurity; that is why new and innovative methods are constantly being developed to detect and prevent it. This research focuses on malware intrusion detection through the usage of system calls and machine learning. An effective and clearly described system-call grouping method could increase the various metrics of machine learning methods, thereby improving the malware detection rate in host-based intrusion-detection systems. In this article, a risk-based system-call sequence grouping method is proposed that assigns riskiness values from low to high based on function risk value. The application of the newly proposed grouping method improved classification accuracy by 23.4% and 7.6% with the SVM and DT methods, respectively, compared to previous results obtained on the same methods and data. The results suggest the use of lightweight machine learning methods for malware attack can ensure detection accuracy comparable to deep learning methods.

engineering, electrical & electronic,computer science, information systems,physics, applied

Xin Chen,Dongjin Yu,Xinxin Cai,He Jiang,Haihua Yu

DOI: https://doi.org/10.1109/tr.2023.3332090

IF: 5.883

2024-01-01

IEEE Transactions on Reliability

Abstract:Familiar analysis for malware plays an important role in comprehending the diversity of malicious behaviors and identifying the emerging security threats. Existing studies mainly focus on classifying malware into known families by supervised learning. However, these methods face two main challenges, 1) the lack of a large amount of labeled data and 2) the poor effectiveness in identifying unknown families of malware. To overcome these challenges, we propose a new method called multiple features (MulFC) based on unsupervised learning. In the method, we first leverage a decompiling tool to extract multiple features, including manifest features, application programming interface (API) features, and opcode features. Then, the opcode features are preprocessed to filter out the redundant ones to reduce the calculation cost. After that, we adopt the Jaccard index to calculate the similarities between malware and construct a malware network. Finally, InfoMap is applied to perform the clustering on the basis of the malware network. Overall, MulFC does not require the use of labeled data and can identify unknown families of malware. Experiments are conducted on two datasets for the performance evaluation of MulFC. The experimental results show that MulFC achieves 0.810 in terms of normalized mutual information, 0.576 in terms of adjusted rand index, 0.620 in terms of the Fowlkes-Mallows index, and 0.805 in terms of V-measure on average, and outperforms the state-of-the-art baseline method by 0.060, 0.054, 0.038, and 0.065, respectively.

Yao ZHENG,Yi-jun WANG,Zhi XUE

DOI: https://doi.org/10.3969/j.issn.1673-629X.2017.03.026

2017-01-01

Abstract:A static feature-based mechanism is studied to provide a static analysis method for detection of the Android malware. In order to identify the intention of different Android malware,all kinds of clustering algorithms are applied to enhance the malware modeling ca-pability to any Android procedure. Besides,a system,called XDroidMat,is developed. The XDroidMat extracts the information from each application' s manifest file and regards components as entry points drilling down for tracing API Calls related to permissions. Then it uses k-means algorithm to strengthen the malware modeling capability. The number of clusters is decided by Singular Value Decomposition ( SVD) method on the low rank approximation. Finally,it uses kNN algorithm to classify the application as benign or malicious. The ex-perimental results show XDroidMat can get 98. 12% accuracy and do well in detecting the Android malware.

Ling DONG,Hongli ZHANG,Lin YE

DOI: https://doi.org/10.3969/j.issn.2095-2163.2014.04.004

2014-01-01

Abstract:System calls are the interface between operating system and user programs.Execution of each program must use some system calls.In recent years,network security incidents occur frequently,intrusion detection method based on the system call sequence analysis has become one of the hot network security technology researches.This paper presents a multi-layer model of program behaviours based on both hidden Markov models and enumerating methods,which differs from the conventional single layer approach.On experimental data provided by the University of New Mexico,experimental results have shown that the model is better in detecting anomalous behaviour of programs in terms of accuracy and response time, which indicates that this method is suitable for online host -based intrusion detection systems.

Xi Xiao,Zhenlong Wang,Qi Li,Qing Li,Yong Jiang

DOI: https://doi.org/10.3837/tiis.2015.07.023

2015-01-01

Abstract:Android dominates the mobile operating system market, which stimulates the rapid spread of mobile malware. It is quite challenging to detect mobile malware. System call sequence analysis is widely used to identify malware. However, the malware detection accuracy of existing approaches is not satisfactory since they do not consider correlation of system calls in the sequence. In this paper, we propose a new scheme called Artificial Neural Networks (ANNs) on Co-occurrence Matrices Droid (ANNCMDroid), using co-occurrence matrices to mine correlation of system calls. Our key observation is that correlation of system calls is significantly different between malware and benign software, which can be accurately expressed by co-occurrence matrices, and ANNs can effectively identify anomaly in the co-occurrence matrices. Thus at first we calculate co-occurrence matrices from the system call sequences and then convert them into vectors. Finally, these vectors are fed into ANN to detect malware. We demonstrate the effectiveness of ANNCMDroid by real experiments. Experimental results show that only 4 applications among 594 evaluated benign applications are falsely detected as malware, and only 18 applications among 614 evaluated malicious applications are not detected. As a result, ANNCMDroid achieved an F-Score of 0.981878, which is much higher than other methods.

Olha Jurečková,Martin Jureček,Mark Stamp

2024-05-06

Abstract:Malware attacks have become significantly more frequent and sophisticated in recent years. Therefore, malware detection and classification are critical components of information security. Due to the large amount of malware samples available, it is essential to categorize malware samples according to their malicious characteristics. Clustering algorithms are thus becoming more widely used in computer security to analyze the behavior of malware variants and discover new malware families. Online clustering algorithms help us to understand malware behavior and produce a quicker response to new threats. This paper introduces a novel machine learning-based model for the online clustering of malicious samples into malware families. Streaming data is divided according to the clustering decision rule into samples from known and new emerging malware families. The streaming data is classified using the weighted k-nearest neighbor classifier into known families, and the online k-means algorithm clusters the remaining streaming data and achieves a purity of clusters from 90.20% for four clusters to 93.34% for ten clusters. This work is based on static analysis of portable executable files for the Windows operating system. Experimental results indicate that the proposed online clustering model can create high-purity clusters corresponding to malware families. This allows malware analysts to receive similar malware samples, speeding up their analysis.

Cryptography and Security,Machine Learning