Hao Sun,Xiaofeng Wang,Jinshu Su,Peixin Chen

DOI: https://doi.org/10.1007/978-3-319-28865-9_9

2015-01-01

Abstract:Cybercrime caused by malware becomes a persistent and damaging threat which makes the trusted security solution urgently demanded, especially for resource-constrained ends. The existing industry and academic approaches provide available anti-malware systems based on different perspectives. However, it is hard to achieve high performance detection and data privacy protection simultaneously. This paper proposes a cloud-based anti-malware system, called RScam, which provides fast and trusted security service for the resource-constrained ends. In RScam, we present suspicious bucket filtering, a novel signature-based detection mechanism based on the reversible sketch structure, which provides retrospective and accurate orientations of malicious signature fragments. Then we design a lightweight client which utilizes the digest of signature fragments to sharply reduce detection range. Finally, we design balanced interaction mechanism, which transmits sketch coordinates of suspicious file fragments and transformation of malicious signature fragments between the client and cloud server to protect data privacy and reduce traffic volume. We evaluate the performance of RScam with campus suspicious traffic and normal files. The results demonstrate validity and veracity of the proposed mechanism. Our system can outperform other existing systems with less time and traffic consumption.

Lei Xue,Yajin Zhou,Ting Chen,Xiapu Luo,Guofei Gu

2017-01-01

Abstract:It's an essential step to understand malware's behaviors for developing effective solutions. Though a number of systems have been proposed to analyze Android malware, they have been limited by incomplete view of inspection on a single layer. What's worse, various new techniques (e.g., packing, anti-emulator, etc.) employed by the latest malware samples further make these systems ineffective. In this paper, we propose Malton, a novel on-device non-invasive analysis platform for the new Android runtime (i.e., the ART runtime). As a dynamic analysis tool, Malton runs on real mobile devices and provides a comprehensive view of malware's behaviors by conducting multi-layer monitoring and information flow tracking, as well as efficient path exploration. We have carefully evaluated Malton using real-world malware samples. The experimental results showed that Malton is more effective than existing tools, with the capability to analyze sophisticated malware samples and provide a comprehensive view of malicious behaviors of these samples

Ziming Zhao,Zhaoxuan Li,Jiongchi Yu,Fan Zhang,Xiaofei Xie,Haitao Xu,Binbin Chen

DOI: https://doi.org/10.1109/tmc.2023.3311012

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:With the widespread use of Internet of Things (IoT) devices, malware detection has become a hot spot for both academic and industrial communities. Existing approaches can be roughly categorized into network-side and host-side. However, existing network-side methods are difficult to capture contextual semantics from cross-source traffic, and previous host-side methods could be adversary-perceived and expose risks for tampering. More importantly, a single perspective cannot comprehensively track the multi-stage lifecycle of IoT malware. In this paper, we present ${\sf CMD}$ , a co-analyzed IoT malware detection and forensics system by combining hardware and network domains. For the network part, ${\sf CMD}$ proposes a tailored capsule neural network to capture the contextual semantics from cross-source traffic. For the hardware part, ${\sf CMD}$ designs an entire file operation recovery process in a side-channel manner by leveraging the Serial Peripheral Interface (SPI) signals from on-chip traces. These traffic provenance and operating logs information could benefit the anti-virus countermeasures for security practitioners. By practical evaluation, we demonstrate that ${\sf CMD}$ realizes outstanding detection effects ( e.g., $\sim$ 99.88% F1-score) compared with seven state-of-the-art methods, and recovers 96.88% $\sim$ 99.75% operation commands even if against adaptive adversaries (that could kill processes or tamper with operation log files). A by-product benefit of such an external monitor is ${\sf CMD}$ introduces zero latency on the IoT device, and incurs negligible IoT CPU utilization. Also, since SPI focuses on file operations, the proposed hardware trace forensics does not have the data explosion problem like previous work, e.g., recovered logs of ${\sf CMD}$ only take up limited extra space overhead ( e.g., $\sim$ 0.2 MB per malware). Furthermore, we provide the model interpretability for the capsule network and develop a case study (Hajime) of the operation logs recovery.

Sreenitha Kasarapu,Sanket Shukla,Sai Manoj Pudukotai Dinakarrao

2024-04-13

Abstract:In recent years, networked IoT systems have revolutionized connectivity, portability, and functionality, offering a myriad of advantages. However, these systems are increasingly targeted by adversaries due to inherent security vulnerabilities and limited computational and storage resources. Malicious applications, commonly known as malware, pose a significant threat to IoT devices and networks. While numerous malware detection techniques have been proposed, existing approaches often overlook the resource constraints inherent in IoT environments, assuming abundant resources for detection tasks. This oversight is compounded by ongoing workloads such as sensing and on-device computations, further diminishing available resources for malware detection. To address these challenges, we present a novel resource- and workload-aware malware detection framework integrated with distributed computing for IoT networks. Our approach begins by analyzing available resources for malware detection using a lightweight regression model. Depending on resource availability, ongoing workload executions, and communication costs, the malware detection task is dynamically allocated either on-device or offloaded to neighboring IoT nodes with sufficient resources. To safeguard data integrity and user privacy, rather than transferring the entire malware detection task, the classifier is partitioned and distributed across multiple nodes, and subsequently integrated at the parent node for comprehensive malware detection. Experimental analysis demonstrates the efficacy of our proposed technique, achieving a remarkable speed-up of 9.8x compared to on-device inference, while maintaining a high malware detection accuracy of 96.7%.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Xiaoheng Deng,Bin Chen,Xuechen Chen,Xinjun Pei,Shaohua Wan,Sotirios K. Goudos

DOI: https://doi.org/10.1109/tii.2023.3245681

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:The Internet of Things (IoT) mainly consists of a large number of Internet-connected devices. The proliferation of untrusted third-party IoT applications has led to an increase in IoT-based malware attacks. In addition, it is infeasible for the IoT devices to support the sophisticated detection systems due to the restricted resources. Edge computing is considered to be promising. It provides solutions to the data security and privacy leakage brought by untrusted third-party IoT applications. In this article, an intelligent trusted and secure edge computing (ITEC) system is proposed for IoT malware detection. In this system, a signature-based preidentification mechanism is built for matching and identifying the malicious behaviors of untrusted third-party IoT applications. A delay strategy is then embedded into the risk detection engine in order to “buy time” for threat analysis and rate-limit the impact of suspicious third-party IoT applications in the system. We conduct extensive experiments to verify the effectiveness of the ITEC system and show that we can achieve accuracies of up to 98.52%.

Xiaoheng Deng,Bin Chen,Xuechen Chen,Xinjun Pei,Shaohua Wan,Sotirios K. Goudos

DOI: https://doi.org/10.1109/tii.2023.3245681

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:The Internet of Things (IoT) mainly consists of a large number of Internet-connected devices. The proliferation of untrusted third-party IoT applications has led to an increase in IoT-based malware attacks. In addition, it is infeasible for the IoT devices to support the sophisticated detection systems due to the restricted resources. Edge computing is considered to be promising. It provides solutions to the data security and privacy leakage brought by untrusted third-party IoT applications. In this article, an intelligent trusted and secure edge computing (ITEC) system is proposed for IoT malware detection. In this system, a signature-based preidentification mechanism is built for matching and identifying the malicious behaviors of untrusted third-party IoT applications. A delay strategy is then embedded into the risk detection engine in order to “buy time” for threat analysis and rate-limit the impact of suspicious third-party IoT applications in the system. We conduct extensive experiments to verify the effectiveness of the ITEC system and show that we can achieve accuracies of up to 98.52%.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Donghai Tian,Qianjin Ying,Xiaoqi Jia,Rui Ma,Changzhen Hu,Wenmao Liu

DOI: https://doi.org/10.1016/j.comnet.2021.108394

IF: 5.493

2021-01-01

Computer Networks

Abstract:With the development of cloud computing, more and more enterprises and institutes have deployed important computing tasks and data into virtualization environments. Virtualization security has become very important for cloud computing. When an attacker controls a victim’s virtual machine, he (or she) may launch malware for malicious purpose in that virtual machine. To defend against malware attacks in the cloud, many virtualization-based approaches are proposed. However, the existing methods suffer from limitations in terms of transparency and performance cost. To address these issues, we propose MDCHD, a novel malware detection solution for virtualization environments. This method first utilizes the Intel Processor Trace (IPT) mechanism to collect the run-time control flow information of the target program. Then, it converts the control flow information into color images. By doing so, we can utilize a CNN-based deep learning method to identify malware from the images. To improve the performance of our detection mechanism, we leverage Lamport’s ring buffer algorithm. In this way, the control flow information collector and security checker can work concurrently. The evaluation shows that our approach can achieve acceptable detection accuracy with a minimal performance cost.

Robert Shire,Stavros Shiaeles,Keltoum Bendiab,Bogdan Ghita,Nicholas Kolokotronis

DOI: https://doi.org/10.1007/978-3-030-30859-9_6

2021-09-08

Abstract:Internet of Things devices have seen a rapid growth and popularity in recent years with many more ordinary devices gaining network capability and becoming part of the ever growing IoT network. With this exponential growth and the limitation of resources, it is becoming increasingly harder to protect against security threats such as malware due to its evolving faster than the defence mechanisms can handle with. The traditional security systems are not able to detect unknown malware as they use signature-based methods. In this paper, we aim to address this issue by introducing a novel IoT malware traffic analysis approach using neural network and binary visualisation. The prime motivation of the proposed approach is to faster detect and classify new malware (zero-day malware). The experiment results show that our method can satisfy the accuracy requirement of practical application.

Cryptography and Security,Artificial Intelligence

Shtwai Alsubai,Ashit Kumar Dutta,Abdullah M Alnajim,Abdul Rahaman Wahab Sait,Rashid Ayub,Afnan Mushabbab AlShehri,Naved Ahmad

DOI: https://doi.org/10.7717/peerj-cs.1366

2023-05-29

Abstract:The Internet of Things (IoT) environment demands a malware detection (MD) framework for protecting sensitive data from unauthorized access. The study intends to develop an image-based MD framework. The authors apply image conversion and enhancement techniques to convert malware binaries into RGB images. You only look once (Yolo V7) is employed for extracting the key features from the malware images. Harris Hawks optimization is used to optimize the DenseNet161 model to classify images into malware and benign. IoT malware and Virusshare datasets are utilized to evaluate the proposed framework's performance. The outcome reveals that the proposed framework outperforms the current MD framework. The framework generates the outcome at an accuracy and F1-score of 98.65 and 98.5 and 97.3 and 96.63 for IoT malware and Virusshare datasets, respectively. In addition, it achieves an area under the receiver operating characteristics and the precision-recall curve of 0.98 and 0.85 and 0.97 and 0.84 for IoT malware and Virusshare datasets, accordingly. The study's outcome reveals that the proposed framework can be deployed in the IoT environment to protect the resources.

Tzu-Ling Wan,Tao Ban,Shin-Ming Cheng,Yen-Ting Lee,Bo Sun,Ryoichi Isawa,Takeshi Takahashi,Daisuke Inoue

DOI: https://doi.org/10.1109/ojcs.2020.3033974

2020-01-01

IEEE Open Journal of the Computer Society

Abstract:Simple implementation and autonomous operation features make the Internet-of-Things (IoT) vulnerable to malware attacks. Static analysis of IoT malware executable files is a feasible approach to understanding the behavior of IoT malware for mitigation and prevention. However, current analytic approaches based on opcodes or call graphs typically do not work well with diversity in central processing unit (CPU) architectures and are often resource intensive. In this paper, we propose an efficient method for leveraging machine learning methods to detect and classify IoT malware programs. We show that reliable and efficient detection and classification can be achieved by exploring the essential discriminating information stored in the byte sequences at the entry points of executable programs. We demonstrate the performance of the proposed method using a large-scale dataset consisting of 111K benignware and 111K malware programs from seven CPU architectures. The proposed method achieves near optimal generalization performance for malware detection (99.96 accuracy) and for malware family classification (98.47 accuracy). Moreover, when CPU architecture information is considered in learning, the proposed method combined with support vector machine classifiers can yield even higher generalization performance using fewer bytes from the executable files. The findings in this paper are promising for implementing light-weight malware protection on IoT devices with limited resources.

Tzung-Han Jeng,Wen-Yang Luo,Chuan-Chiang Huang,Chien-Chih Chen,Kuang-Hung Chang,Yi-Ming Chen,Chen,Yi-Ming

DOI: https://doi.org/10.4018/IJGHPC.2021070102

2021-05-11

International Journal of Grid and High Performance Computing

Abstract:As the application of network encryption technology expands, malicious attacks will also be protected by encryption mechanism, increasing the difficulty of detection. This paper focuses on the analysis of encrypted traffic in the network by hosting long-day encrypted traffic, coupled with a weighted algorithm commonly used in information retrieval and SSL/TLS fingerprint to detect malicious encrypted links. The experimental results show that the system proposed in this paper can identify potential malicious SSL/TLS fingerprints and malicious IP which cannot be recognized by other external threat information providers. The network packet decryption is not required to help clarify the full picture of the security incident and provide the basis of digital identification. Finally, the new threat intelligence obtained from the correlation analysis of this paper can be applied to regional joint defense or intelligence exchange between organizations. In addition, the framework adopts Google cloud platform and microservice technology to form an integrated serverless computing architecture.

Mansaf Alam,Shuchi Sethi

DOI: https://doi.org/10.48550/arXiv.1504.03539

2015-04-14

Distributed, Parallel, and Cluster Computing

Abstract:Recent research shows that colluded malware in different VMs sharing a single physical host may use a resource as a channel to leak critical information. Covert channels employ time or storage characteristics to transmit confidential information to attackers leaving no trail.These channels were not meant for communication and hence control mechanisms do not exist. This means these remain undetected by traditional security measures employed in firewalls etc in a network. The comprehensive survey to address the issue highlights that accurate methods for fast detection in cloud are very expensive in terms of storage and processing. The proposed framework builds signature by extracting features which accurately classify the regular from covert traffic in cloud and estimates difference in distribution of data under analysis by means of scores. It then adds context to the signature and finally using machine learning (Support Vector Machines),a model is built and trained for deploying in cloud. The results show that the framework proposed is high in accuracy while being low cost and robust as it is tested after adding noise which is likely to exist in public cloud environments.

Haibo Zhang,Chaoshun Zuo,Shanqing Guo,Lizhen Cui,Jun Chen

DOI: https://doi.org/10.1007/978-3-319-11167-4_29

2014-01-01

Abstract:Drive-by downloads attack has become the primary attack vehicle for malware distribution in recent years. One existing method of detecting drive-by download attacks is using static analysis technique. However, static detection methods are vulnerable to sophisticated obfuscation and cloaking. Dynamic detection methods are proposed to overcome the shortcomings of static analysis techniques and can get a higher detection rate. But dynamic anomaly detection methods are typically resource intensive and introduce high time overhead. To improve performance of dynamic detection techniques, we designed SafeBrowingCloud, a system based on apache S4, a distributed computing platform. And the system is deployed at edge router. SafeBrowingCloud analyzes network traffic, executes webpages in firefox with modified javascript engine, abstracts javascript strings and detects shellcode with three shellcode detection methods to find malicious web pages. Experimental results show efficiency of the proposed system with the high-speed network traffic.

B. Ranjani,M. Chinnadurai

DOI: https://doi.org/10.1038/s41598-024-76193-4

IF: 4.6

2024-10-18

Scientific Reports

Abstract:Recent developments indicate that malware programs present a significant risk in the security and privacy of cloud systems. Existing research in malware detection encounters numerous significant challenges due to the constantly changing and advanced characteristics of malware. Malware detection systems frequently experience high rates of false positives and false negatives, where legitimate applications are incorrectly identified as malware or actual malware remains undetected, which results in operational inefficiencies. Traditional signature-based approaches struggle in recognizing new or modified malware. Additionally, sophisticated malware types, such as file less malware, ransom ware, and rootkits pose detection challenges as they integrate deeply into systems or alter their behaviour to evade detection. These challenges highlight the urgent need for ongoing advancements in this field. Existing methods of malware detection that rely on signatures have been found to be both inefficient and slow in the context of cloud environments. Also, Existing studies have focused on detecting malware by analysing input API calls. But, these models have encountered challenges such as limited accuracy and difficulties in effectively classifying malware types. In contrast, Deep Learning (DL) have shown success by analysing malware behaviour through API calls, which yields encouraging results. Additionally, the data produced by API calls necessitates more computational resources for training. To address these challenges, a new deep learning-based malware detection approach utilizes 2D grayscale images derived from API calls, along with an effective tuning strategy has been proposed. Initially, data are collected from cloud malware dataset. Then, API calls are converted into 2D gray scale images in order to construct gray scale image dataset. After getting the gray scale image, pre-processing is performed to reduce high level noise and to enhance the quality of image by weighted mean filter and anisotropic filter, which helps to improve the performance in classification. Next, these images are then passed into the feature extraction stage to extract sufficient features with an effective integrated densely connected squeeze MobileNet v2 (Ef-DeSMob2), which reduces the dimensionality issue and increase the computational complexity. Then, the collected features are passed into the classification phase to detect normal and malware classes from the samples using sparse attention with residual pyramidal depth wise separable convolutional neural networks (SA:ResPyDSC), which focus to enhance the security and reliability of the model. Finally, the hyper parameters in the classifier model like weights, bias are properly fine-tuned by utilizing hybrid white shark beluga optimization algorithm (Hy-WBeOp). The experimental findings illustrate that the proposed method attains accuracy of 98.06%, precision of 97.99%, recall of 97.05%, f1-score of 96.08% and error metrics like MSE AT 0.08, RMSE of 0.27 and MAE of 0.21, which shows that the proposed method helps to classify the malware classes accurately with less error rates. The proposed approach outperforms with the existing techniques because of its great efficiency. Overall, this approach establish a strong malware detection system classification and enhance the reliability and effectiveness of protection against malicious attacks.

multidisciplinary sciences

Ahsan Wajahat,Jingsha He,Nafei Zhu,Tariq Mahmood,Ahsan Nazir,Faheem Ullah,Sirajuddin Qureshi,Soumyabrata Dev

DOI: https://doi.org/10.1016/j.asej.2024.102642

IF: 4.79

2024-02-01

Ain Shams Engineering Journal

Abstract:The Internet of Things (IoT) has experienced significant growth in recent years and has emerged as a very dynamic sector in the worldwide market. Being an open-source platform with a substantial user base, Android has not only been a driving force in the swift advancement of the IoT but has also garnered attention from malicious actors, leading to malware attacks. Given the rapid proliferation of Android malware in recent times, there is an urgent requirement to introduce practical techniques for the detection of such malware. While current machine learning-based Android malware detection approaches have shown promising results, the majority of these methods demand extensive time and effort from malware analysts to construct dynamic or static features. Consequently, the practical application of these methods becomes challenging. Therefore, this paper presents an Android malware detection system characterized by its lightweight design and reliance on explainable machine-learning techniques. The system uses features extracted from mobile applications (apps) to distinguish between malicious and benign apps. Through extensive testing, it has exhibited exceptional accuracy and an F1-score surpassing 0.99 while utilizing minimal device resources and presenting negligible false positive and false negative rates. Furthermore, the classifier model's transparency and comprehensibility are significantly augmented through the application of Shapley's additive explanation scores, enhancing the overall interpretability of the system.

engineering, multidisciplinary

Yasir Glani,Luo Ping,Syed Asad Shah

DOI: https://doi.org/10.1109/ACCC58361.2022.00010

2022-01-01

Abstract:IoT malware applications significantly threaten user privacy and security. Traditionally, IoT developers have focused primarily on hardware, but connectivity requires additional embedded software, usually developed by third-party developers. Unfortunately, third-party code is not always secure and trustworthy, and it frequently contains bugs and malicious code, which leaves IoT devices vulnerable. We propose the AASH technique (IoT Malware Detection) a novel technique that can detect malware at the source code level using the Adler-32 hash function and Fibonacci search. Previously, DROIDMD technique and SQVDT technique have been proposed to detect malware on Android and Linux devices. According to the authors, their schemes are scalable and can be deployed on IoT devices. However, their technique suffers from lower accuracy and takes longer to detect malicious code. The performance measurement shows that our proposed AASH technique is comparatively better than DROIDMD and SQVDT techniques in terms of accuracy and malware detection. AASH is reliable, efficient, and can be deployed on a large-scale level.

Meysam Ghahramani,Rahim Taheri,Mohammad Shojafar,Reza Javidan,Shaohua Wan

DOI: https://doi.org/10.1016/j.iot.2024.101300

2024-01-01

Abstract:The volume of malware and the number of attacks in IoT devices are rising everyday, which encourages security professionals to continually enhance their malware analysis tools. Researchers in the field of cyber security have extensively explored the usage of sophisticated analytics and the efficiency of malware detection. With the introduction of new malware kinds and attack routes, security experts confront considerable challenges in developing efficient malware detection and analysis solutions. In this paper, a different view of malware analysis is considered and the risk level of each sample feature is computed, and based on that the risk level of that sample is calculated. In this way, a criterion is introduced that is used together with accuracy and FPR criteria for malware analysis in IoT environment. In this paper, three malware detection methods based on visualization techniques called the clustering approach, the probabilistic approach, and the deep learning approach are proposed. Then, in addition to the usual machine learning criteria namely accuracy and FPR, a proposed criterion based on the risk of samples has also been used for comparison, with the results showing that the deep learning approach performed better in detecting malware

Sen Li,Mengmeng Ge,Ruitao Feng,Xiaohong Li,Kwok Yan Lam

DOI: https://doi.org/10.1109/icdmw60847.2023.00171

2023-01-01

Abstract:Our society is rapidly moving towards the digital age, which has led to a sharp increase in IoT networks and devices. This growth requires more network security professionals, who are focused on protecting IoT systems. One crucial task is to analyze malicious software to gain a deeper understanding of its functionalities and response methods. However, malware analysis is a complex process that requires the use of various analysis tools, including advanced reverse engineering techniques. For beginners, parsing complex binary data can be particularly challenging as they may be strange with these tools and the basic principles of analysis. Even for experienced analysts, understanding reverse engineering binary files and assembly lists is daunting.Facing these challenges, we propose a two-fold solution. Firstly, we create a detailed list of analysis tools and construct a malware analysis framework aimed at simplifying the analysis process. The framework will list the key data points that need to be addressed in the analysis, providing analysts with the tools and information needed for effective malware analysis. Secondly, we will demonstrate that advanced analysis techniques by providing analysis scripts which automate the reverse engineering process in malware analysis. To evaluate the accuracy of our behavior classification system, we will use our framework and analysis scripts to analyze known malware samples. Then, we will compare the accuracy of script-based analysis results and evaluate their ability to identify malicious software behavior. Our research results indicate that by following our framework and using our scripts, we can detect over 80% critical malware behaviors in known samples, which highlights the potential of simplifying the process of malware analysis, making it easier to learn and implement.

Jiawei Su,Danilo Vasconcellos Vargas,Sanjiva Prasad,Daniele Sgandurra,Yaokai Feng,Kouichi Sakurai

DOI: https://doi.org/10.48550/arXiv.1802.03714

2018-02-11

Abstract:The Internet of Things (IoT) is an extension of the traditional Internet, which allows a very large number of smart devices, such as home appliances, network cameras, sensors and controllers to connect to one another to share information and improve user experiences. Current IoT devices are typically micro-computers for domain-specific computations rather than traditional functionspecific embedded devices. Therefore, many existing attacks, targeted at traditional computers connected to the Internet, may also be directed at IoT devices. For example, DDoS attacks have become very common in IoT environments, as these environments currently lack basic security monitoring and protection mechanisms, as shown by the recent Mirai and Brickerbot IoT botnets. In this paper, we propose a novel light-weight approach for detecting DDos malware in IoT <a class="link-external link-http" href="http://environments.We" rel="external noopener nofollow">this http URL</a> firstly extract one-channel gray-scale images converted from binaries, and then utilize a lightweight convolutional neural network for classifying IoT malware families. The experimental results show that the proposed system can achieve 94.0% accuracy for the classification of goodware and DDoS malware, and 81.8% accuracy for the classification of goodware and two main malware families.

Cryptography and Security,Computer Vision and Pattern Recognition

Rahul Kumar,Nisha Prajapati,R. R. Rout,Kamalakanta Sethi,Padmalochan Bera

DOI: https://doi.org/10.1109/ICCCNT49239.2020.9225627

2020-07-01

Abstract:Enforcing security and resilience in a cloud platform is an essential but challenging problem due to the presence of a large number of heterogeneous applications running on shared resources. A security analysis system that can detect threats or malware must exist inside the cloud infrastructure. Much research has been done on machine learning-driven malware analysis, but it is limited in computational complexity and detection accuracy. To overcome these drawbacks, we proposed a new malware detection system based on the concept of clustering and trend micro locality sensitive hashing (TLSH). We used Cuckoo sandbox, which provides dynamic analysis reports of files by executing them in an isolated environment. We used a novel feature extraction algorithm to extract essential features from the malware reports obtained from the Cuckoo sandbox. Further, the most important features are selected using principal component analysis (PCA), random forest, and Chi-square feature selection methods. Subsequently, the experimental results are obtained for clustering and non-clustering approaches on three classifiers, including Decision Tree, Random Forest, and Logistic Regression. The model performance shows better classification accuracy and false positive rate (FPR) as compared to the state-of-the-art works and non-clustering approach at significantly lesser computation cost.

Computer Science