A. Sachenko,O. Savenko,P. Rehida,George Markowsky

DOI: https://doi.org/10.1109/DESSERT61349.2023.10416467

2023-10-13

Abstract:This paper deals with the problem of detecting the malware by using emulation approach. Modern malware include various avoid techniques, to hide its anomaly actions. Advantages of using sandbox and emulation technologies are described. Various anti-emulation techniques that are used in modern malware considered. Obfuscation as one primary approach to hide malware malicious actions described and discussed. State of emulator is presented, and the advantages of its usage are covered. Distributed model for malware detection is considered. Basic emulator and its current capabilities presented. Prepared files that represent malware are described. Experimental results for developed files that differs with included avoid techniques are presented. Disadvantages of proposed approach is described. Future research and sandbox improvement are described.

Computer Science

Sheng Xu,Yongxiang Xia,Hui-Liang Shen

DOI: https://doi.org/10.1109/jsyst.2022.3150576

IF: 4.802

2022-01-01

IEEE Systems Journal

Abstract:In this article, we study how to resist malware attacks in cyber-physical power systems (CPPSs) through cyber protection. A model that incorporates the power flow analysis, the cyber monitoring and control, and the factor of cyber protection is proposed to simulate malware attacks in CPPSs. Meanwhile, an evaluation method is also developed to estimate the effectiveness of different cyber protection strategies. Through simulations, we conduct case studies in a test CPPS generated by coupling the IEEE 118 Bus System with a scale-free communication network. The protection effects of three heuristic cyber protection strategies, namely, target protection, random protection, and acquaintance protection are compared and analyzed. Simulation results reveal that compared with the other two strategies, target protection can suppress malware propagation and resist malware attacks more effectively. Moreover, we also investigate the optimal cyber protection problem in CPPSs and formulate it as a zero-one integer programming problem. We solve the problem by genetic algorithm and find that some low-degree cyber nodes also play a significant role in resisting malware attacks in CPPSs, especially when the protection budget is tight.

Shi Jin,Zhaofeng Guo,Dongli Liu,Yanhua Yang

DOI: https://doi.org/10.1155/2022/4977898

2022-02-23

Abstract:In recent years, with the development of information technology, the Internet has become an essential tool for human daily life. However, as the popularity and scale of the Internet continue to expand, malware has also emerged as an increasingly widespread trend, and its development has brought many negative impacts to the society. As the number of types of malware is getting enormous, the attacks are constantly updated, and at the same time, the spread is very fast, causing more and more damage to the network, the requirements and standards for malware detection are constantly rising. How to effectively detect malware is a research trend; in order to tackle the new needs and problems arising from the development of malware, this paper proposes to guide machine learning algorithms to implement malware detection in a distributed environment: firstly, each detection node in the distributed network performs anomaly detection on the captured software information and data, then performs feature analysis to discover unknown malware and obtain its samples, updates the new malware features to all feature detection nodes in the whole distributed network, and trains the random forest-based machine learning algorithm for malware classification and detection, thus completing the global response processing capability for malware. By building a distributed system framework, the global capture capability of malware detection is enhanced to robustly respond to the increasing and rapid spread of malware, and machine learning algorithms are integrated into it to achieve effective detection of malware. Extended experiments on the Ember 2017 and Ember 2018 databases show that our proposed approach achieves advanced performance and effectively addresses the problem of malware detection.

Ahmed Alghamdi

DOI: https://doi.org/10.52783/cana.v31.1476

2024-09-02

Abstract:The growing sophistication of malware in exisiting environment poses tough demands on its detection methods of another kind. This paper introduces a framework for cyber security improvement, a means to solve strongly the probability issue of how to determine the behavior algorithmically in your system. This research is applied to malware detection systems based on methods (Support Vector Machines, Random Forest) and Neural Networks that are robust against deception. Statistical analysis of security threats and a review of current methods used for malware detection are given at its outset. The proposed framework, with its statistical framework analysis, looks for patterns and anomalies that indicate malice. It then integrates cryptographic techniques onto data transmission, computation processes; that the core of our system remains untouched by potential disturbances. The concept is further elaborated with open-source code from the field, Machine Learning (SVM, Random Forest, Neural Networks), As if with this variety of tools we can now detect and classify types of malware that generate irregular patterns but do not necessarily resemble known signatures at all. Such a hybrid security mechanism as described here, combining the best of statistics, cryptographic security, and machine learning, gives a precision of detection beyond compare to today's systems. The experiments show large gains in both detection accuracy and response speed, demonstrating this whole-element approach's potential to better safeguard cybersecurity in all manner of fields. It may be foreseen that this proposed line of research could well become a key new tool, capable of adaptation and expansion with the needs expanding around us.

Alan Nafiiev,Andrii Rodionov

DOI: https://doi.org/10.20535/tacs.2664-29132023.2.277959

2023-11-06

Theoretical and Applied Cybersecurity

Abstract:Cyber wars and cyber attacks are an urgent problem in the global digital environment. Based on existing popular detection methods, malware authors are creating ever more advanced and sophisticated malware. Therefore, this study aims to create a malware analysis system that uses both dynamic and static analysis. Our system is based on a machine learning method - support vector machine. The set of data used was collected from various Internet sources. It consists of 257 executable files in .exe format, 178 of which are malicious and 79 are benign. We use 5 different types of data representation: binary information, trace instructions, control flow graph, information obtained from the dynamic operation of the file, and file metadata. Then, using multiple kernel learning, we combine all data views and create one summative machine learning model.

Wei Deng,Qiao Liu,Hongrong Cheng,Zhiguang Qin

2011-01-01

Journal of Computational Information Systems

Abstract:Malware has been posing a major threat for computer systems. The huge amount and diversity of its variants, such as computer viruses, Internet worms and Trojan horses, render classic security defenses ineffective. For the existence of active adversaries which constantly attempt to evade anti-malware, traditional signature-based approaches fail to detect malware which is new or obfuscated. This paper presents a general malware detection framework based on Kolmogorov complexity. As an example, we use a statistical data compression model which is Dynamic Markov Compression (DMC) to classify a code instance either as a "malware" or "benign" code instance. Our preliminary results are very promising. Our experimental results also demonstrate the framework can effectively detect unknown and obfuscated malware with high quality. © 2005 by Binary Information Press.

Muhammad Ali,Stavros Shiaeles,Maria Papadaki,Bogdan Ghita

DOI: https://doi.org/10.1109/GIIS.2018.8635598

2019-03-13

Abstract:Malicious software is detected and classified by either static analysis or dynamic analysis. In static analysis, malware samples are reverse engineered and analyzed so that signatures of malware can be constructed. These techniques can be easily thwarted through polymorphic, metamorphic malware, obfuscation and packing techniques, whereas in dynamic analysis malware samples are executed in a controlled environment using the sandboxing technique, in order to model the behavior of malware. In this paper, we have analyzed Petya, Spyeye, VolatileCedar, PAFISH etc. through Agent-based and Agentless dynamic sandbox systems in order to investigate and benchmark their efficiency in advanced malware detection.

Cryptography and Security,Information Retrieval

Wu Bing,Yun Xiaochun

2012-01-01

Abstract:We present the dynamic information security theory model: P2DR to deal with malware epidemics. The model includes the following stages: detection of a malware epidemic by detection system, establishment of countermeasure strategy in strategy coordination center, activation of protection and response system, defense system activation for real-time protection and response. The process is a periodic one in which the strategy is adjusted dynamically. In the model we propose, the detection system is considered to be the key component. Based on our analysis of traditional IDS architecture, we think that it is not suitable for inspecting high speed network traffic and monitoring multivariant malware epidemics. Therefore, we propose a parallel detection model which can be applied to the backbone network matched with appropriate protocol parsing. Normalized taxonomy is also presented for the detection rules of malware. Five detection rule sets are covered, namely, match rules based on deep content pre-processing, special algorithms, binary level, binary level requiring network information checks, and pure network information. A Virus Detection System is realized based on the framework above.

Rasmi-Vlad Mahmoud,Marios Anagnostopoulos,Sergio Pastrana,Jens Myrup Pedersen

DOI: https://doi.org/10.1109/access.2024.3400167

IF: 3.9

2024-05-22

IEEE Access

Abstract:In cybersecurity, adversaries employ a myriad of tactics to evade detection and breach defenses. Malware remains a formidable weapon in their arsenal. To counter this threat, researchers unceasingly pursue dynamic analysis, which aims to comprehend and thwart established malware strains. This paper introduces an innovative methodology for dynamic malware analysis while critically evaluating prevailing technologies and their limitations. The proposed approach hinges on harnessing the capabilities of an open-source Security Information and Event Management (SIEM) toolset, namely the Elastic-Stack. This toolset is utilized to capture, structure, and analyze the behavioral patterns of malware without relying on any pre-existing sandbox framework. This augmentation facilitates a profound understanding of the activities exhibited by malware samples. With the help of the proposed ecosystem, we compile the AAU_MalData dataset that encompasses distinctly the benign and malicious behavior. Specifically, we analyzed the behavior of the 2,800 malware within a realistic network topology and systematically collected Windows event logs, which serve as a comprehensive record of the malware's actions. These event logs are precious as they are organized in a timestamped format, providing a chronological list of system activities, such as event descriptions, process and file details, and registry modifications. These are pivotal in comprehending the malware's functionality and repercussions on the compromised system. Furthermore, by incorporating the MITRE ATT&CK framework, we leveraged the event logs to correlate the malware's mode of operation, delve into its Command and Control operations, and investigate its persistence mechanisms, enabling a structured and practical approach to malware analysis. The AAU_MalData dataset, organized in a JSON format data structure, is offered to the research community first as a proof of concept to demonstrate the toolset's feasibility for dynamic malware analysis and second as a potential training ground for anti-malware mechanisms based on host and network Indicators of Compromise (IoCs).

computer science, information systems,telecommunications,engineering, electrical & electronic

Jeyaprakash Hemalatha,Subbiah Geetha,Seifedine Kadry,Robertas Damaševičius,S. Roseline

DOI: https://doi.org/10.3390/e23030344

IF: 2.738

2021-03-15

Entropy

Abstract:Recently, there has been a huge rise in malware growth, which creates a significant security threat to organizations and individuals. Despite the incessant efforts of cybersecurity research to defend against malware threats, malware developers discover new ways to evade these defense techniques. Traditional static and dynamic analysis methods are ineffective in identifying new malware and pose high overhead in terms of memory and time. Typical machine learning approaches that train a classifier based on handcrafted features are also not sufficiently potent against these evasive techniques and require more efforts due to feature-engineering. Recent malware detectors indicate performance degradation due to class imbalance in malware datasets. To resolve these challenges, this work adopts a visualization-based method, where malware binaries are depicted as two-dimensional images and classified by a deep learning model. We propose an efficient malware detection system based on deep learning. The system uses a reweighted class-balanced loss function in the final classification layer of the DenseNet model to achieve significant performance improvements in classifying malware by handling imbalanced data issues. Comprehensive experiments performed on four benchmark malware datasets show that the proposed approach can detect new malware samples with higher accuracy (98.23% for the Malimg dataset, 98.46% for the BIG 2015 dataset, 98.21% for the MaleVis dataset, and 89.48% for the unseen Malicia dataset) and reduced false-positive rates when compared with conventional malware mitigation techniques while maintaining low computational time. The proposed malware detection solution is also reliable and effective against obfuscation attacks.

physics, multidisciplinary

Yong Li,Pan Hui,Depeng Jin,Li Su,Lieguang Zeng

DOI: https://doi.org/10.1109/SAHCN.2011.5984913

2011-01-01

Abstract:As malware attacks become more frequent in mobile networks, deploying an efficient defense system to protect against infection and to help the infected nodes to recover is important to contain serious spreading and outbreaks. The technical challenges are that mobile devices are heterogeneous in terms of operating systems, and the malware can infect the targeted system in any opportunistic fashion via local and global connectivity, while the to-be-deployed defense system on the other hand would be usually resource limited. In this paper, we investigate the problem of optimal distribution of content-based signatures of malware to minimize the number of infected nodes, which can help to detect the corresponding malware and to disable further propagation. We model the defense system with realistic assumptions addressing all the above challenges, which have not been addressed in previous analytical work. Based on the proposed framework of optimizing the system welfare utility through the signature allocation, we provide an encounter-based distributed algorithm based on Metropolis sampler. Through extensive simulations with both synthetic and real mobility traces, we show that the distributed algorithm achieves the optimal solution, and performs efficiently in realistic environments.

Chong Wang,Jianwei Ding,Tao Guo,Baojiang Cui

DOI: https://doi.org/10.1007/978-3-319-69811-3_39

2017-11-02

Abstract:AbstractWith the development of software security technology, more and more malicious programs constantly uses new confusion and feature hiding techniques, the malware detection technology need to upgrade urgently. This paper presents a malware detection method based on sandbox, binary instrumentation and multidimensional feature extraction. We introduced the design and implementation of sandbox, feature extractor and the classifier. Finally, we merged multiple models and get a pretty well classifier for the malware detection.

Chenzhong Yin,Hantang Zhang,Mingxi Cheng,Xiongye Xiao,Xinghe Chen,Xin Ren,Paul Bogdan

2023-12-20

Abstract:Malware represents a significant security concern in today's digital landscape, as it can destroy or disable operating systems, steal sensitive user information, and occupy valuable disk space. However, current malware detection methods, such as static-based and dynamic-based approaches, struggle to identify newly developed (``zero-day") malware and are limited by customized virtual machine (VM) environments. To overcome these limitations, we propose a novel malware detection approach that leverages deep learning, mathematical techniques, and network science. Our approach focuses on static and dynamic analysis and utilizes the Low-Level Virtual Machine (LLVM) to profile applications within a complex network. The generated network topologies are input into the GraphSAGE architecture to efficiently distinguish between benign and malicious software applications, with the operation names denoted as node features. Importantly, the GraphSAGE models analyze the network's topological geometry to make predictions, enabling them to detect state-of-the-art malware and prevent potential damage during execution in a VM. To evaluate our approach, we conduct a study on a dataset comprising source code from 24,376 applications, specifically written in C/C++, sourced directly from widely-recognized malware and various types of benign software. The results show a high detection performance with an Area Under the Receiver Operating Characteristic Curve (AUROC) of 99.85%. Our approach marks a substantial improvement in malware detection, providing a notably more accurate and efficient solution when compared to current state-of-the-art malware detection methods.

Cryptography and Security,Artificial Intelligence,Machine Learning

Cheng-Jie Xiong,Yan-Fu Li,Min Xie,Szu-Hui Ng,Thong-Ngee Goh

DOI: https://doi.org/10.1007/978-3-642-10619-4_38

2009-01-01

Abstract:Distributed systems are widely deployed in industries where high computational capability and low cost are required. Distributed software architecture is very important in the distributed system. However, since most distributed systems are designed based on a network structure, distributed software is very vulnerable to malware attacks. Due to the popularity of distributed system, it is vital to study the effects of malware attack on distributed systems. In this paper, we studied the malware attack behaviors by a Markov process model. The states of the object homogeneous distributed system can be derived by analyzing the Markov model, with which the service reliability and service availability can be further obtained. An illustrative demonstration is also presented.

Antonio Nappa,Panagiotis Papadopoulos,Matteo Varvello,Daniel Aceituno Gomez,Juan Tapiador,Andrea Lanzi

DOI: https://doi.org/10.48550/arXiv.2109.02979

2021-10-06

Abstract:Online malware scanners are one of the best weapons in the arsenal of cybersecurity companies and researchers. A fundamental part of such systems is the sandbox that provides an instrumented and isolated environment (virtualized or emulated) for any user to upload and run unknown artifacts and identify potentially malicious behaviors. The provided API and the wealth of information inthe reports produced by these services have also helped attackers test the efficacy of numerous techniques to make malware hard to <a class="link-external link-http" href="http://detect.The" rel="external noopener nofollow">this http URL</a> most common technique used by malware for evading the analysis system is to monitor the execution environment, detect the presence of any debugging artifacts, and hide its malicious behavior if needed. This is usually achieved by looking for signals suggesting that the execution environment does not belong to a the native machine, such as specific memory patterns or behavioral traits of certain CPU instructions. In this paper, we show how an attacker can evade detection on such online services by incorporating a Proof-of-Work (PoW) algorithm into a malware sample. Specifically, we leverage the asymptotic behavior of the computational cost of PoW algorithms when they run on some classes of hardware platforms to effectively detect a non bare-metal environment of the malware sandbox analyzer. To prove the validity of this intuition, we design and implement the POW-HOW framework, a tool to automatically implement sandbox detection strategies and embed a test evasion program into an arbitrary malware sample. Our empirical evaluation shows that the proposed evasion technique is durable, hard to fingerprint, and reduces existing malware detection rate by a factor of 10. Moreover, we show how bare-metal environments cannot scale with actual malware submissions rates for consumer services.

Cryptography and Security

Yong Li,Pan Hui,Depeng Jin,Li Su,Lieguang Zeng

DOI: https://doi.org/10.1109/TMC.2012.255

IF: 6.075

2014-01-01

IEEE Transactions on Mobile Computing

Abstract:As malware attacks become more frequently in mobile networks, deploying an efficient defense system to protect against infection and to help the infected nodes to recover is important to prevent serious spreading and outbreaks. The technical challenges are that mobile devices are heterogeneous in terms of operating systems, the malware infects the targeted system in any opportunistic fashion via local and global connectivity, while the to-be-deployed defense system on the other hand would be usually resource limited. In this paper, we investigate the problem of how to optimally distribute the content-based signatures of malware, which helps to detect the corresponding malware and disable further propagation, to minimize the number of infected nodes. We model the defense system with realistic assumptions addressing all the above challenges that have not been addressed in previous analytical work. Based on the framework of optimizing the system welfare utility, which is the weighted summation of individual utility depending on the final number of infected nodes through the signature allocation, we propose an encounter-based distributed algorithm based on Metropolis sampler. Through theoretical analysis and simulations with both synthetic and realistic mobility traces, we show that the distributed algorithm achieves the optimal solution, and performs efficiently in realistic environments.

Pascal Maniriho,Abdun Naser Mahmood,Mohammad Jabed Morshed Chowdhury

DOI: https://doi.org/10.1016/j.future.2021.11.030

IF: 7.307

2022-05-01

Future Generation Computer Systems

Abstract:There has been an increasing trend of malware release, which raises the alarm for security professionals worldwide. It is often challenging to stay on top of different types of malware and their detection techniques, which are essential, particularly for researchers and the security community. Analysing malware to get insights into what it intends to perform on the victim’s system is one of the crucial steps towards malware detection. Malware analysis can be performed through static analysis, code analysis, dynamic analysis, memory analysis and hybrid analysis techniques. The next step to malware analysis is the detection model’s design using malware’s extracted patterns from the analysis. Machine learning and deep learning methods have drawn attention to researchers, owing to their ability to implement sophisticated malware detection models that can deal with known and unknown malicious activities. Therefore, this survey presents a comprehensive study and analysis of current malware and detection techniques using the snowball approach. It presents a comprehensive study on malware analysis testbeds, dynamic malware analysis and memory analysis, the taxonomy of malware behaviour analysis tools, datasets repositories, feature selection, machine learning and deep learning techniques. Moreover, comparisons of behaviour-based malware detection techniques have been grouped by categories of machine learning and deep learning techniques. This study also looks at various performance evaluation metrics, current research challenges in this area and possible future direction of research.

Amir Djenna,Ahmed Bouridane,Saddaf Rubab,Ibrahim Moussa Marou

DOI: https://doi.org/10.3390/sym15030677

2023-03-09

Symmetry

Abstract:Malware, a lethal weapon of cyber attackers, is becoming increasingly sophisticated, with rapid deployment and self-propagation. In addition, modern malware is one of the most devastating forms of cybercrime, as it can avoid detection, make digital forensics investigation in near real-time impossible, and the impact of advanced evasion strategies can be severe and far-reaching. This makes it necessary to detect it in a timely and autonomous manner for effective analysis. This work proposes a new systematic approach to identifying modern malware using dynamic deep learning-based methods combined with heuristic approaches to classify and detect five modern malware families: adware, Radware, rootkit, SMS malware, and ransomware. Our symmetry investigation in artificial intelligence and cybersecurity analytics will enhance malware detection, analysis, and mitigation abilities to provide resilient cyber systems against cyber threats. We validated our approach using a dataset that specifically contains recent malicious software to demonstrate that the model achieves its goals and responds to real-world requirements in terms of effectiveness and efficiency. The experimental results indicate that the combination of behavior-based deep learning and heuristic-based approaches for malware detection and classification outperforms the use of static deep learning methods.

multidisciplinary sciences

Priyank Singhal,Nataasha Raul

DOI: https://doi.org/10.5121/ijnsa.2012.4106

2012-02-08

Abstract:Malicious software is abundant in a world of innumerable computer users, who are constantly faced with these threats from various sources like the internet, local networks and portable drives. Malware is potentially low to high risk and can cause systems to function incorrectly, steal data and even crash. Malware may be executable or system library files in the form of viruses, worms, Trojans, all aimed at breaching the security of the system and compromising user privacy. Typically, anti-virus software is based on a signature definition system which keeps updating from the internet and thus keeping track of known viruses. While this may be sufficient for home-users, a security risk from a new virus could threaten an entire enterprise network. This paper proposes a new and more sophisticated antivirus engine that can not only scan files, but also build knowledge and detect files as potential viruses. This is done by extracting system API calls made by various normal and harmful executable, and using machine learning algorithms to classify and hence, rank files on a scale of security risk. While such a system is processor heavy, it is very effective when used centrally to protect an enterprise network which maybe more prone to such threats.

Cryptography and Security,Machine Learning

Yang ZHAO,Long HU,Hu XIONG,Zhi-guang QIN

DOI: https://doi.org/10.3969/j.issn.1671-1122.2014.12.005

2014-01-01

Abstract:The popularity of smart phones have greatly stimulated the spread of malicious software, because of its huge market share and revenue characteristics, the Android platform has become the preferred target of attackers. Since the traditional signature-based antivirus software can effectively detect known malicious software, the unknown malware is powerless. In this paper, we proposed a novel dynamic analysis scheme of Android malware based on sandbox, which is used to analyze unknown malware effectively. The scheme implements the Android sandbox by installing Android x86 virtual machine in the virtualization software Oracle VM VirtualBox, while using a command-line tool provide by VirtualBox to control the Android sandbox. The Android application performs the corresponding action by calling the appropriate API. We determine the behavioral characteristics by monitoring the API information called by Android application. We make the Android application to run automatically by inserting monitoring codes in the application package and transmit different user lfow of events to simulate real operations of users on the application. Experiments show that the proposed scheme is feasible.