Jixin Hang,Zheng Qin,Hui Yin,Lu Ou,Sheng Xiao,Yupeng Hu

DOI: https://doi.org/10.1109/icccn.2016.7568542

2016-01-01

Abstract:Malware detection becomes mission critical as its threats spread from personal computers to industrial control systems. Modern malware generally equips with sophisticated anti-detection mechanisms such as code-morphism, which allows the malware to evolve into many variants and bypass traditional code feature based detection systems. In this paper, we propose to disassemble binary executables into opcodes sequences, and then convert the opcodes into images. By comparing the opcode images generated from binary targets with the opcode images generated from known malware sample codes, we can detect if the target binary executables contain variants of these known malwares. Theoretical analysis and real-life experiments results show that malware detection using visualized analysis is comparable in terms of accuracy, our approach can significantly improve 15\% of detection accuracy when the detection set contains a large quantity of binaries and the training set is small.

Zhi Sun,Zhihong Rao,Jianfeng Chen,Rui Xu,Da He,Hui Yang,Jie Liu

DOI: https://doi.org/10.1145/3318236.3318255

2019-01-01

Abstract:One of the main challenges in security today is defending against unknown malware attacks which have the potential to harm a computer or network. Hence, detecting malware has become one of the most important challenges for the security of computer systems. The known malware detection methods based on the appearance of opcode sequences has to construct a matrix from programs of different architectures to extract high-level features. In order to resolve high dimensional inputs vector and differences assembly instruction, this paper proposes a novel method for detecting static characteristics of 32-bit and 64-bit malicious Portable Executable (PE) Windows files by opcode sequences analysis. By compute the frequency of occurrence of each opcode sequence and distinguishing different types of 32-bit and 64-bit PE files, the proposed method shows promising results with less complexity in comparison with previous studies, which is beneficial to train machine learning model such as k-nearest neighbor (KNN) and back-propagation neural network (BP). Our method is evaluated on more than 20,000 samples, and experimental results show that our system can effectively detect and classify unknown malware.

Wei Deng,Qiao Liu,Hongrong Cheng,Zhiguang Qin

2011-01-01

Journal of Computational Information Systems

Abstract:Malware has been posing a major threat for computer systems. The huge amount and diversity of its variants, such as computer viruses, Internet worms and Trojan horses, render classic security defenses ineffective. For the existence of active adversaries which constantly attempt to evade anti-malware, traditional signature-based approaches fail to detect malware which is new or obfuscated. This paper presents a general malware detection framework based on Kolmogorov complexity. As an example, we use a statistical data compression model which is Dynamic Markov Compression (DMC) to classify a code instance either as a "malware" or "benign" code instance. Our preliminary results are very promising. Our experimental results also demonstrate the framework can effectively detect unknown and obfuscated malware with high quality. © 2005 by Binary Information Press.

Ding Yuxin,Dai Wei,Zhang Yibin,Xue Chenglong

DOI: https://doi.org/10.1109/3pgcic.2014.140

2014-01-01

Abstract:An opcode behavior based method is proposed to detect malware. Opcode behaviors are represented as opcode sequences from a decompiled executable. To accurately describe the malware behaviors, we construct the opcode running tree to simulate the dynamic execution of a program, and opcode n-grams are extracted to represent the features of an executable. The experimental results show that the opcode behaviors extracted by this method can fully represent the behavior characteristics of an executable. Compared with the detection method based the opcode distributions, the proposed method has higher overall accuracy and a lower false positive rate.

Zhihua Cui,Fei Xue,Xingjuan Cai,Yang Cao,Gai-ge Wang,Jinjun Chen

DOI: https://doi.org/10.1109/tii.2018.2822680

IF: 12.3

2018-07-01

IEEE Transactions on Industrial Informatics

Abstract:With the development of the Internet, malicious code attacks have increased exponentially, with malicious code variants ranking as a key threat to Internet security. The ability to detect variants of malicious code is critical for protection against security breaches, data theft, and other dangers. Current methods for recognizing malicious code have demonstrated poor detection accuracy and low detection speeds. This paper proposed a novel method that used deep learning to improve the detection of malware variants. In prior research, deep learning demonstrated excellent performance in image recognition. To implement our proposed detection method, we converted the malicious code into grayscale images. Then, the images were identified and classified using a convolutional neural network (CNN) that could extract the features of the malware images automatically. In addition, we utilized a bat algorithm to address the data imbalance among different malware families. To test our approach, we conducted a series of experiments on malware image data from Vision Research Lab. The experimental results demonstrated that our model achieved good accuracy and speed as compared with other malware detection models.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Fangtian Zhong,Zekai Chen,Minghui Xu,Guoming Zhang,Dongxiao Yu,Xiuzhen Cheng

DOI: https://doi.org/10.48550/arXiv.2108.04314

2022-03-10

Abstract:Malware is a piece of software that was written with the intent of doing harm to data, devices, or people. Since a number of new malware variants can be generated by reusing codes, malware attacks can be easily launched and thus become common in recent years, incurring huge losses in businesses, governments, financial institutes, health providers, etc. To defeat these attacks, malware classification is employed, which plays an essential role in anti-virus products. However, existing works that employ either static analysis or dynamic analysis have major weaknesses in complicated reverse engineering and time-consuming tasks. In this paper, we propose a visualized malware classification framework called VisMal, which provides highly efficient categorization with acceptable accuracy. VisMal converts malware samples into images and then applies a contrast-limited adaptive histogram equalization algorithm to enhance the similarity between malware image regions in the same family. We provided a proof-of-concept implementation and carried out an extensive evaluation to verify the performance of our framework. The evaluation results indicate that VisMal can classify a malware sample within 4.0ms and have an average accuracy of 96.0%. Moreover, VisMal provides security engineers with a simple visualization approach to further validate its performance.

Cryptography and Security

Yuxin Ding,Wei Dai,Shengli Yan,Yumei Zhang

DOI: https://doi.org/10.1016/j.cose.2014.04.003

IF: 5.105

2014-01-01

Computers & Security

Abstract:Opcode sequences from decompiled executables have been employed to detect malware. Currently, opcode sequences are extracted using text-based methods, and the limitation of this method is that the extracted opcode sequences cannot represent the true behaviors of an executable. To solve this issue, we present a control flow-based method to extract executable opcode behaviors. The behaviors extracted by this method can fully represent the behavior characteristics of an executable. To verify the efficiency of control flow-based behaviors, we perform a comparative study of the two types of opcode behavior analysis methods. The experimental results indicate that the proposed control flow-based method has a higher overall accuracy and a lower false positive rate.

Pengfei Li,Zhouguo Chen,Baojiang Cui

DOI: https://doi.org/10.1007/978-3-319-69835-9_9

2017-01-01

Abstract:Due to its seriously damage to computer and network, malware (short for malicious software) has caught the attention of both anti-malware companies and researchers for decades. Although signature-based detection is the most significant method used in commercial anti-malware, it fails to recognize new and unseen malware. To solve this problem, n-gram of the Opcodes, generated by disassembling the executables, is used to be the features for the classification process. However, many researches in the past set n small such as 1 or 2. In this paper, firstly, we use various n-gram size from 1 to 15. Then we compare different feature select methods. Lastly, we perform experiments with different MFP, short for malicious files percentage to demonstrate which setting is better.

Renjie Lu

DOI: https://doi.org/10.48550/arXiv.1906.04593

2019-06-10

Abstract:Nowadays, with the booming development of Internet and software industry, more and more malware variants are designed to perform various malicious activities. Traditional signature-based detection methods can not detect variants of malware. In addition, most behavior-based methods require a secure and isolated environment to perform malware detection, which is vulnerable to be contaminated. In this paper, similar to natural language processing, we propose a novel and efficient approach to perform static malware analysis, which can automatically learn the opcode sequence patterns of malware. We propose modeling malware as a language and assess the feasibility of this approach. First, We use the disassembly tool IDA Pro to obtain opcode sequence of malware. Then the word embedding technique is used to learn the feature vector representation of opcode. Finally, we propose a two-stage LSTM model for malware detection, which use two LSTM layers and one mean-pooling layer to obtain the feature representations of opcode sequences of malwares. We perform experiments on the dataset that includes 969 malware and 123 benign files. In terms of malware detection and malware classification, the evaluation results show our proposed method can achieve average AUC of 0.99 and average AUC of 0.987 in best case, respectively.

Cryptography and Security,Software Engineering

Dan Li,Lichao Zhao,Qingfeng Cheng,Ning Lu,Wenbo Shi

DOI: https://doi.org/10.1002/cpe.5308

2019-01-01

Abstract:SummaryThe number of malware has exploded due to the openness of the Android platform, and the endless stream of malware poses a threat to the privacy, tariffs, and device of mobile phone users. A novel Android mobile malware detection system is proposed, which employs an optimized deep convolutional neural network to learn from opcode sequences. The optimized convolutional neural network is trained multiple times by the raw opcode sequences extracted from the decompiled Android file, so that the feature information can be effectively learned and the malicious program can be detected more accurately. More critically, the k‐max pooling method with better results is adopted in the pooling operation phase, which improves the detection effect of the proposed method. The experimental results show that the detection system achieved the accuracy of 99%, which is 2%‐11% higher than the accuracy of the machine learning detection algorithms when using the same data set. It also ensures that the indicators, such as F1‐score, recall, and precision, are maintained above 97%. Based on the detection system, a multi–data set comparison experiment is carried out. The introduced k‐max pooling is deeply studied, and the effect of k of k‐max pooling on the overall detection effect is observed.

Junwei Tang,Wei Xu,Tao Peng,Sijie Zhou,Qiaosen Pi,Ruhan He,Xinrong Hu

DOI: https://doi.org/10.1016/j.jisa.2024.103721

IF: 4.96

2024-01-01

Journal of Information Security and Applications

Abstract:Mobile applications have been deeply integrated into the daily life of ordinary users. Android malware seriously threatens the privacy and property security of users. However, code obfuscation and other technologies have reduced the effectiveness of traditional static analysis methods, and more and more studies are extracting grayscale image features for malware detection. We propose a classification method for Android malware based on a novel mixed bytecode image and deep neural network combined with attention mechanism. Firstly, for the executable file of the target malware, read one character every 8 bits, fix the line and width, and output it as a vector. Each element in this vector is between 0 and 255, which is the range of values for grayscale images. Furthermore, the executable files are generated into grayscale images and Markov images, respectively. Then a new texture feature space is constructed by the fusion of grayscale and Markov images using the transfer probability, which is mapped to a two-dimensional space to obtain the mixed image feature. The constructed fusion feature space can more clearly characterize Android malware. What is more, the convolutional attention mechanism is added to ResNet to increase the depth of the network and improve the network effect. Finally, experiments are performed on Drebin and CICMalDroid 2020. Our experimental results show that our method can efficiently perform uniform representation of bytecode sequence files and extract and classify feature sequences. On the basis of mixed image features, the accuracy of malware detection can reach 98.67%, which outperforms the classification based on Markov images, grayscale images and other similar methods.

Xiao Wang,Jianbiao Zhang,Ai Zhang

DOI: https://doi.org/10.1007/978-3-030-00563-4_70

2018-01-01

Abstract:With the rapid development of cloud computing, cloud security is increasingly an important issue. Virtual machine (VM) is the main form to provide cloud service. To protect VMs against malware attack, a cloud needs to have the ability to react not only to known malware, but also to the new emerged ones. Virtual Machine Introspection (VMI) is a good solution for VM monitoring, which can obtain the raw memory state of the VM at Virtual Machine Monitor (VMM) level. Through analyzing the memory dumps, the significant features of malware can be obtained. In our research, we propose a novel static analysis method for unknown malware detection based on the feature of opcode n-gram of the executable files. Different feature sizes ranging from 2-gram to 4-gram are implemented with the feature length of 100, 200, 300 respectively. The feature selection criterion of Term Frequency (TF)-Inverse Document Frequency (IDF) and Information Gain (IG) are leveraged to extract the top features for classifier training. Different classifiers are trained with the preprocessed dataset. The experimental results show that the weighted integrated classifier with opcode 4-gram of 300 features has the optimal accuracy of 98.2%.

Xuejin Zhu,Jie Huang,Bin Wang,Chunyang Qi

DOI: https://doi.org/10.7717/peerj-cs.494

2021-01-01

PeerJ Computer Science

Abstract:The family homology determination of malware has become a research hotspot as the number of malware variants are on the rise. However, existing studies on malware visualization only determines homology based on the global structure features of executable, which leads creators of some malware variants with the same structure intentionally set to misclassify them as the same family. We sought to develop a homology determination method using the fusion of global structure features and local fine-grained features based on malware visualization. Specifically, the global structural information of the malware executable file was converted into a bytecode image, and the opcode semantic information of the code segment was extracted by the n-gram feature model to generate an opcode image. We also propose a dual-branch convolutional neural network, which features the opcode image and bytecode image as the final family classification basis. Our results demonstrate that the accuracy and F-measure of family homology classification based on the proposed scheme are 99.05% and 98.52% accurate, respectively, which is better than the results from a single image feature or other major schemes.

Jixin Zhang,Zheng Qin,Hui Yin,Lu Ou,Kehuan Zhang

DOI: https://doi.org/10.1016/j.cose.2019.04.005

IF: 5.105

2019-01-01

Computers & Security

Abstract:Being able to detect malware variants is a critical problem due to the potential damages and the fast paces of new malware variations. According to surveys from McAfee and Symantec, there is about 69 new instances of malware detected in every minutes, and more than 50% of them are variants of existing ones. Such a large volume of diversified malware variants has forced researches to investigate new methods based on common behavior patterns using machine learning. However, such methods only use single type of features such as opcode, system call, etc., which faces several drawbacks: Firstly, the methods lose a part of useful information since different types of features show different characteristics of malware. This severely limits detection precision and recall. Secondly, the accuracy and the speed (as a trade-off) of such methods fail to meet users' expectation. Thirdly, the precise classification of malware families is still a hard problem and is also important in malware analysis. In this work, we propose a feature-hybrid malware variants detection approach which integrates multi-types of features to address these challenges. We first represent opcodes by a bi-gram model and represent API calls by a vector of frequency, then we use principal component analysis to optimize the representations to improve the convergence speed, the next we adopt a convolutional neural network and a back-propagation neural network for opcode based feature embedding and API based feature embedding respectively, and finally we embed these features to train a detection model by using softmax. Theoretical analysis and real-life experimental results show the efficiency and optimization of our approach which achieves more than 95% malware detection accuracy and almost 90% classification accuracy of malware families. The detection speed of our approach is less than 0.1 s. (C) 2019 Elsevier Ltd. All rights reserved.

Enes Sinan Parildi,Dimitrios Hatzinakos,Yuri Lawryshyn

DOI: https://doi.org/10.1007/s00521-021-05861-7

2021-03-21

Neural Computing and Applications

Abstract:Thousands of new malware codes are developed every day. Signature-based methods, which are employed by common malware detectors, are susceptible to code obfuscation and novel malware. In this paper, we present an alternative method for malware detection, which makes use of assembly opcode sequences obtained during runtime. First, for sequential opcode data, we utilize natural language processing and deep learning techniques to facilitate the extraction of deeper behavioral features. Due to these features, this method can be impervious to code obfuscation and effective against novel malware. Finally, these features are fed to various machine learning algorithms for classification. The experiments on a more class balanced dataset of 26869 samples demonstrated that MCC (Matthew’s correlation coefficient) score as high as 0.95 is achievable with this approach. The MCC score results for the experiments conducted on imbalanced and artificially balanced datasets are 0.81 and 0.83, respectively.

computer science, artificial intelligence

Lichao Zhao,Dan Li,Guangcong Zheng,Wenbo Shi

DOI: https://doi.org/10.1109/icct.2018.8600052

2018-01-01

Abstract:Malware detection is more challenging due to the increase in android malicious programs and the current problems of android malicious detection. This paper proposes an android mobile malware detection system based on deep neural network, a novel malware detection method which uses optimized deep Convolutional Neural Network to learn from opcode sequences. In the proposed detection system, the optimized Convolutional Neural Network is trained multiple times by the raw operation code sequence extracted from the decompiled android file, so that the feature information can be effectively learned and the malicious program can be detected more accurately. More critically, the k-max pooling method with better results was adopted in the pooling operation phase, and which improves the detection effect of the proposed method. The experimental results show that the detection system achieved the accuracy of 99%, which is 2%-11 % higher than the accuracy of the machine learning detection algorithms when using the same dataset. It also ensures that the indicators such as Fl-score, Recall and Precision are maintained above 97%.

Cheng Wang,Zheng Qin,Jixin Zhang,Hui Yin

DOI: https://doi.org/10.1504/ijcse.2020.105209

2019-01-01

International Journal of Computational Science and Engineering

Abstract:Malware is one of the most terrible and major security threats facing the internet today, which can be defined as any type of malicious code to harm a computer or network. As malware variants can be equipped with sophisticated mechanisms to bypass traditional detection systems, in this paper, we propose a malware variant detection approach that can automatically, rapidly and accurately detect malware variants. In our approach, we present an asynchronous architecture for automated training and detection. Under this architecture, to improve the detection speed while retaining the accuracy, we propose an information entropy-based feature extraction method to extract a few but very useful features and a distance-based weight learning method to weight these features. To further improve the detection speed, we propose our fast density-based clustering algorithm. We evaluate our approach with a number of Windows-based malware instances which belong to six large families, and our experiments demonstrate that our automated malware variant detection method is able to achieve high accuracy with a significant speedup compared with the other state-of-art approaches.

Changren Mai,Riqing Liao,Jing Ren,Yuanxiang Gong,Kaibo Zhang,Chiya Zhang

DOI: https://doi.org/10.23919/jcin.2023.10272350

2023-01-01

Journal of Communications and Information Networks

Abstract:In recent years, with the rapid development of Internet and hardware technologies, the number of Internet of things (IoT) devices has grown exponentially. However, IoT devices are constrained by power consumption, making the security of IoT vulnerable. Malware such as Botnets and Worms poses significant security threats to users and enterprises alike. Deep learning models have demonstrated strong performance in various tasks across different domains, leading to their application in malicious software detection. Nevertheless, due to the power constraints of IoT devices, the well-performanced large models are not suitable for IoT malware detection. In this paper we propose a malware detection method based on Markov images and MobileNet, offering a cost-effective, efficient, and high-performing solution for malware detection. Additionally, this paper innovatively analyzes the robustness of opcode sequences.

Akshara P,Bhawana Rudra

DOI: https://doi.org/10.1007/s42979-021-00672-y

2021-05-15

SN Computer Science

Abstract:With the ever-increasing number of Internet users in this digital age, exposure to malicious attacks is increasing. Every day, large volumes of malicious content are generated to exploit 0-day vulnerabilities. There is every possibility of downloading malicious files unintentionally, which could corrupt the system and user data. With the advancements in technology and growing dependence on digital data, malicious software detection has become a crucial task. The existing approaches need modifications to support and detect the latest attacks. Recently, artificial intelligence-based malicious file detection methods have been proposed. In the past, most of the works analyzed the executable file features and visual features from their corresponding images independently. Additionally, image-based analysis has been exploited for categorical classification, i.e., finding the family once it is known to be malware. We propose a CNN-based model that extracts visual features from malware images, which outperforms existing approaches on a benchmark dataset like MalImg. We study the effect of using a hybrid feature set containing these visual features integrated with statically obtained opcode frequencies for the detection of malware. Our experiments on standard datasets demonstrate that there is no significant performance improvement using this hybrid approach.

Hamad Naeem,Bing Guo,Muhammad Rashid Naeem,Farhan Ullah,Hamza Aldabbas,Muhammad Sufyan Javed

DOI: https://doi.org/10.1016/j.compeleceng.2019.03.015

IF: 4.152

2019-01-01

Computers & Electrical Engineering

Abstract:The recent increases in Internet use and the number of malicious attacks are helping attackers generate malware variants through automated software. Because of these attacks, the amount of malware and the number of their variants are continuously increasing. Consequently, an improved malware analysis is a critical requirement to stop the rapid expansion of malicious activities. In this study, we propose a more accurate and slightly faster model to characterize malware variants. To implement the proposed model, we designed a method for transforming a malware binary into a grayscale image. We then propose the use of collective local and global malicious patterns for efficient malware variant identification. To reduce the computational time, the total number of dimensions of both types of patterns is reduced using selection methods. In addition, we prepared a baseline to compare the classification performance of our proposed model with previous state-of-the-art malware detection techniques. The experimental results indicate that the response time and classification performance of our model are better than those of previous models.