Jingling Zhao,Suoxing Zhang,Bohan Liu,Baojiang Cui

DOI: https://doi.org/10.1109/icccn.2018.8487459

2018-01-01

Abstract:As millions of new malware samples emerge every day, traditional malware detection techniques are no longer adequate. Static analysis methods, such as file signature, fail to detect unknown programs. Dynamic analysis methods have low efficiency and high false positive rate. We need a detection technique that can adapt to the rapidly changing malware ecosystem. The paper presented a new malware detection method using machine learning based on the combination of dynamic and static features. The characteristic of this experiment involved in many fields of knowledge, including binary program instrumentation, static analysis, assembly instruction analysis, machine learning, etc. Finally, we achieved a good result over a substantial number of malwares.

Jian Zhang,Cheng Gao,Liangyi Gong,Zhaojun Gu,Dapeng Man,Wu Yang,Wenzhen Li

DOI: https://doi.org/10.1007/s11036-019-01503-4

2020-01-08

Mobile Networks and Applications

Abstract:As more and more applications migrate to clouds, the type and amount of malware attack against virtualized environments are increasing, which is a key factor that restricts the widespread deployment and application of cloud platforms. Traditional in-VM-based security software is not effective against malware attacks, as the security software itself becomes the target of malware attacks and can easily be tampered with or even subverted. In this paper, we propose a new malware detection method to improve virtual machine security performance and ensure the security of the entire cloud platform. This paper uses the virtual machine introspection(VMI) combined with the memory forensics analysis(MFA) technology to extract multiple types of dynamic features from the virtual machine memory, the hypervisor layer and the hardware layer. Furthermore, this paper proposes an adaptive feature selection method. By combining three different search strategies, three types of features are compared and analyzed from three aspects: effectiveness, system load and security. By adjusting the weight of each feature, it meets the detection requirements of different malware in the cloud environment as expected. Finally, the detection method improves the detection accuracy and generalization ability of the overall classifier using the AdaBoost ensemble learning method with Voting's combination strategy. The experiment used a large number of real malicious samples, and achieved an accuracy of 0.999 (AUC), with a maximum performance overhead of 5.6%.

computer science, information systems,telecommunications, hardware & architecture

Jinrong Bai,Junfeng Wang

DOI: https://doi.org/10.1002/sec.1600

IF: 1.968

2016-01-01

Security and Communication Networks

Abstract:The huge influx of new malware is created every day, and those malware have not been previously seen in the wild. Current anti-virus software uses byte signature to identify known malware and has little hope of identifying new malware. Researchers have proposed several malware detection methods based on byte n-grams, opcode n-grams, and format information, and those methods partially capture the distinguishable information between benign and malicious programs. In this study, we design two schemes to incorporate the aforementioned three single-view features and fully exploit complementary information of those features to discover the true nature of a program. Two datasets are used to evaluate new malware detection performance and generalization performance of the proposed schemes. Experimental results indicate that the proposed schemes increase the detection rate of new malware, improve the generalization performance of learning model, and reduce the false alarm rate to 0%. Because malware is hard to disguise itself in every feature view, the proposed schemes are more robust and not easy to be deceived. Copyright (C) 2016 John Wiley & Sons, Ltd.

Ying Fang,Bo Yu,Yong Tang,Liu Liu,Zexin Lu,Yi Wang,Qiang Yang

DOI: https://doi.org/10.1007/978-3-319-59870-3_10

2017-01-01

Abstract:Dynamic analysis plays an important role in analyzing malware variants which have used obfuscation, polymorphism and metamorphism techniques. Malware classification is an emerging approach for discriminating different malware families. However, existing malware classification methods have mediocre performance in small scale datasets and some machine learning algorithms have difficulties in handling imbalanced datasets. To solve these issues, we propose an ensemble learning based dynamic malware classification approach aiming at datasets of different scales. Additionally a novel feature selection method is presented to select features with strong discrimination power. In particular, we continue to explore issues in feature representation and feature selection. To verify the efficiency of our approach, we perform a series of comparative experiments with existing feature selection methods, commercial anti-malware tools and current malware classification techniques. The experimental results demonstrate that our approach can classify malware variants in high F1-score while imposing low classification time in datasets of different scales.

Xiao-Yu Zhang,Shupeng Wang,Lei Zhang,Chunjie Zhang,Changsheng Li

DOI: https://doi.org/10.1109/INFCOMW.2016.7562161

2016-01-01

Abstract:Malware data are typically depicted with extremely high-dimensional features, which lays an excessive computational burden on detection methods. For the sake of effectiveness and efficiency, feature selection is an indispensable part for malware detection. In this paper, we propose an ensemble feature selection method with integration of discriminative and representative properties for malware detection. Based on the labeled and unlabeled data, the most discriminative and representative features are selected, respectively. The former extracts the features that are most distinctive with respect to the classes, and the latter focuses on the features that best represent the data. A comprehensive metric is subsequently obtained, which retains the most informative features.

Zhuocheng Yu,Shudong Li,Youming Bai,Weihong Han,Xiaobo Wu,Zhihong Tian

DOI: https://doi.org/10.1109/jiot.2023.3267337

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:With the rapid development of Internet of Things, the amount and distribution of malware has greatly increased. Internet of Things platform needs new defense technologies to protect users from new the increasing number and complexity of malware. This article extracts import Dlls and import APIs from the original portable executable (PE) file, and uses heterogeneous graph to describe higher-level semantic relationship between two PE files. Besides this we construct four static features to comprehensively describe PE file. Based on ensemble learning we develop a model called robust ensemble model based on semantic feature fusion (REMSF) which fuses five features mentioned above. To evaluate REMSF, we collect 5370 executable PE files from the real world for series of experiments, in which REMSF’s detection accuracy can reach 99.07%.

Jinpei Yan,Yong Qi,Qifan Rao

DOI: https://doi.org/10.1155/2018/7247095

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Malware detection plays a crucial role in computer security. Recent researches mainly use machine learning based methods heavily relying on domain knowledge for manually extracting malicious features. In this paper, we propose MalNet, a novel malware detection method that learns features automatically from the raw data. Concretely, we first generate a grayscale image from malware file, meanwhile extracting its opcode sequences with the decompilation tool IDA. Then MalNet uses CNN and LSTM networks to learn from grayscale image and opcode sequence, respectively, and takes a stacking ensemble for malware classification. We perform experiments on more than 40,000 samples including 20,650 benign files collected from online software providers and 21,736 malwares provided by Microsoft. The evaluation result shows that MalNet achieves 99.88% validation accuracy for malware detection. In addition, we also take malware family classification experiment on 9 malware families to compare MalNet with other related works, in which MalNet outperforms most of related works with 99.36% detection accuracy and achieves a considerable speed-up on detecting efficiency comparing with two state-of-the-art results on Microsoft malware dataset.

Chao Jing,Yun Wu,Chaoyuan Cui

DOI: https://doi.org/10.1016/j.future.2021.12.013

IF: 7.307

2022-01-01

Future Generation Computer Systems

Abstract:Behavior-based malware detection approaches combined with deep learning techniques are effective against unknown malware and malware variants. However, such approaches are vulnerable to adversarial attacks. Adversarial malware is carefully optimized to evade detection through embedding numerous anti-detection techniques, e.g., inserting irrelevant API calls or using API calls in loops during the program execution to mask the real malicious intentions. To address this problem, we propose a novel ensemble adversarial dynamic behavior detection method aiming at three features of malicious API sequence, namely Immediacy, Locality, and Adversary. The individual classifiers of the ensemble method follow the ``excellent and diverse'' principle. We conduct extensive experiments over large real benign and malicious instances and demonstrate a generic, query-efficient gray-box adversarial attack to evaluate our model. The experimental results indicate that, compared with the individual classifiers, the detection accuracy is improved by up to 2.55%similar to 11.34% (without anti-attack), 8.64%similar to 21.33% (random perturbation), and 10.07%similar to 21.34% (benign perturbation) respectively. To sum up, our method provides better effectiveness, generality, and resiliency in the absence of a constant re-training of the detector needed to cope with the evolution of adversarial malware. (C) 2021 Elsevier B.V. All rights reserved.

Pengbin Feng,Jianfeng Ma,Cong Sun,Xinpeng Xu,Yuwan Ma

DOI: https://doi.org/10.1109/access.2018.2844349

IF: 3.9

2018-01-01

IEEE Access

Abstract:With the popularity of Android smartphones, malicious applications targeted Android platform have explosively increased. Proposing effective Android malware detection method for preventing the spread of malware has become an emerging issue. Various features extracted through static and dynamic analysis in conjunction with machine learning algorithm have been the mainstream in large-scale malware identification. In general, static analysis becomes invalid in detecting applications which adopt sophisticated obfuscation techniques like encryption or dynamic code loading. However, dynamic analysis is suitable to deal with these evasion techniques. In this paper, we propose an effective dynamic analysis framework, called EnDroid, in the aim of implementing highly precise malware detection based on multiple types of dynamic behavior features. These features cover system-level behavior trace and common application-level malicious behaviors like personal information stealing, premium service subscription, and malicious service communication. In addition, EnDroid adopts feature selection algorithm to remove noisy or irrelevant features and extracts critical behavior features. Extracting behavior features through runtime monitor, EnDroid is able to distinguish malicious from benign applications with ensemble learning algorithm. Through experiments, we prove the effectiveness of EnDroid on two datasets. Furthermore, we find Stacking achieves the best classification performance and is promising in Android malware detection.

Moustafa Saleh,Tao Li,Shouhuai Xu

DOI: https://doi.org/10.1007/s11416-017-0304-8

2017-01-01

Journal of Computer Virology and Hacking Techniques

Abstract:Malware detection is still an open problem. There are numerous attacks that take place every day where malware is used to steal private information, disrupt services, or sabotage industrial systems. In this paper, we combine three kinds of contextual information, namely static, dynamic, and instruction-based, for malware detection. This leads to the definition of more than thirty thousand features, which is a large features set that covers a wide range of a sample characteristics. Through experiments with one million files, we show that this features set leads to machine learning based models that can detect both malware seen roughly at the time when the models are built, and malware first seen even months after the models were built (i.e., the detection models remain effective months ahead of time). This may be due to the comprehensiveness of the features set.

Yunan Zhang,Chenghao Rong,Qingjia Huang,Yang Wu,Zeming Yang,Jianguo Jiang

DOI: https://doi.org/10.1109/trustcom/bigdatase/icess.2017.222

2017-01-01

Abstract:Automatic malware categorization plays an important role in combating the current large volume of malware and aiding the corresponding forensics. Generally, there are lot of sample information could be extracted with the static tools and dynamic sandbox for malware analysis. Combine these obtained features effectively for further analysis would provides us a better understanding. On the other hand, most current works on malware analysis are based on single category of machine learning algorithm to categorize samples. However, different clustering algorithms have their own strengths and weaknesses. And then, how to combine the merits of the multiple categories of features and algorithms to further improve the analysis result is very critical. In this paper, we propose a novel scalable malware analysis framework to exploit the complementary nature of different features and algorithms to optimally integrate their results. By using the concept of clustering ensemble, our system combines partitions from individual category of feature and algorithm to obtain better quality and robustness. Our system composed of the following three parts: (1) extract multiple categories of static and dynamic features; (2) use the k-means and hierarchical clustering algorithms to construct the base clustering; (3) proposed an efficient method based on mixture model clustering ensemble to conduct an effective clustering analysis. We have evaluated our method on two malware datasets, namely the Microsoft malware dataset and our own malware dataset which contained 10868 and 53760 samples respectively. Our experiment results show that our method could categorize malware with better quality and robustness. Also, our method has certain advantages in the system run time and memory consumption compared with the state-of-the art malware analysis works

Yuxin Ding,Jieke Hu,Wenting Xu,Xiao Zhang

DOI: https://doi.org/10.1109/ICMLC48188.2019.8949298

2019-01-01

Abstract:In recent years, there is a rapid increase in the number of Android based malware. To protect users from malware attacks, different malware detection methods are proposed. In this paper, a novel static method is proposed to detect malware. We use the static analysis technique to analyze the Android applications and obtain their static behaviors. Two kinds of behaviors are extracted to represent malware. One kind of behaviors is the function call graph and the other kind is opcode sequences. To automatically learn behavioral features, we convert the function call graphs and opcode sequences into two dimensional data, and use deep learning method to build malware classifier. To further improve the performance of the malware classifier, a deep feature fusion model is proposed, which can combine different behavioral features for malware classification. The experimental results show the deep learning method is effective to detect malware and the proposed fusion model outperforms the single behavioral model.

Yihong Li,Fangzheng Liu,Zhenyu Du,Dubing Zhang

DOI: https://doi.org/10.3390/a11080124

2018-01-01

Algorithms

Abstract:In the malware detection process, obfuscated malicious codes cannot be efficiently and accurately detected solely in the dynamic or static feature space. Aiming at this problem, an integrative feature extraction algorithm based on simhash was proposed, which combines the static information e.g., API (Application Programming Interface) calls and dynamic information (such as file, registry and network behaviors) of malicious samples to form integrative features. The experiment extracts the integrative features of some static information and dynamic information, and then compares the classification, time and obfuscated-detection performance of the static, dynamic and integrated features, respectively, by using several common machine learning algorithms. The results show that the integrative features have better time performance than the static features, and better classification performance than the dynamic features, and almost the same obfuscated-detection performance as the dynamic features. This algorithm can provide some support for feature extraction of malware detection.

Wei Li,Chenyi Zhang,Jieying Zhou,Dan Wang,Nuannuan Li

DOI: https://doi.org/10.1088/1742-6596/2010/1/012165

2021-09-01

Journal of Physics: Conference Series

Abstract:Abstract In recent years, malicious code emerges in endlessly. New types of malicious code evade the traditional malicious code detection technology through polymorphism, shelling, confusion and other ways. In order to solve the challenges brought by various technologies to the research of malicious code detection, in this paper, we propose a malicious code detection method based on static features and ensemble learning. This method extracts the information in the PE header file of malicious code samples as static features, and on this basis, builds a malicious code detection model by using stacking ensemble learning. In order to verify the effectiveness of the model, experiments are carried out on a dataset containing 5000 malicious codes and 4943 benign codes. Experiments show that the classification model based on stacking ensemble learning is the best, with 97.22% precision rate and 96.45% stable F1 score.

Mohammed Nasser Al-Andoli,Shing Chiang Tan,Kok Swee Sim,Pey Yun Goh,Chee Peng Lim

DOI: https://doi.org/10.3233/jifs-230009

2023-04-12

Abstract:Malicious software, or malware, has posed serious and evolving security threats to Internet users. Many anti-malware software packages and tools have been developed to protect legitimate users from these threats. However, legacy anti-malware methods are confronted with millions of potential malicious programs. To combat these threats, intelligent anti-malware systems utilizing machine learning (ML) models are useful. However, most ML models have limitations in performance since the training depth is usually limited. The emergence of Deep Learning (DL) models allow more training possibilities and improvement in performance. DL models often use gradient descent optimization, i.e., the Back-Propagation (BP) algorithm; therefore, their training and optimization procedures suffer from local sub-optimal solutions. In addition, DL-based malware detection methods often entail single classifiers. Ensemble learning overcomes the shortcomings of individual techniques by consolidating their strengths to improve the performance. In this paper, we propose an ensemble DL classifier stacked with the Fuzzy ARTMAP (FAM) model for malware detection. The stacked ensemble method uses several heterogeneous deep neural networks as the base learners. During the training and optimization process, these base learners adopt a hybrid BP and Particle Swarm Optimization algorithm to combine both local and global optimization capabilities for identifying optimal features and improving the classification performance. FAM is selected as a meta-learner to effectively train and combine the outputs of the base learners and achieve robust and accurate classification. A series of empirical studies with different benchmark data sets is conducted. The results ascertain that the proposed ensemble method is effective and efficient, outperforming many other compared methods.

Jianbin Mai,Chunjie Cao,Qian Wu

DOI: https://doi.org/10.1007/978-3-030-73671-2_7

2021-01-01

Abstract:Being able to detect malware variants is an important problem due to the rapid development and the security threats of new malware variations. Machine learning methods are currently one of the most popular malware variant detection methods, however, most of these methods only use single type of features (e.g. opcode) and shallow learning algorithms (e.g. SVM), which also makes these methods have demonstrated poor detection accuracy and low detection speeds. In this paper, we propose a method that combines multiple features of malware with deep learning methods to optimize the detection of malware variants. To implement the proposed method, we use Deep Convolutional Neural Network (DCNN) and Information Gain (IG) to extract effective features from the grayscale map and disassembly file mapped from the malware, respectively. Then we construct a fusion feature space by combining the different types of extracted features and use it to train a Multilayer Perceptron (MLP) to obtain results. The experimental results demonstrated that our method achieved good accuracy as compared with other common malware detection methods.

Hui-Juan Zhu,Liang-Min Wang,Sheng Zhong,Yang Li,Victor S. Sheng,Huijuan Zhu,Liangmin Wang

DOI: https://doi.org/10.1109/tkde.2021.3067658

IF: 9.235

2021-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Android is a growing target for malicious software (malware) because of its popularity and functionality. Malware poses a serious threat to users' privacy, money, equipment and file integrity. A series of data-driven malware detection methods were proposed. However, there exist two key challenges for these methods: (1) how to learn effective feature representation from raw data; (2) how to reduce the dependence on the prior knowledge or human labors in feature learning. Inspired by the success of deep learning methods in the feature representation learning community, we propose a malware detection framework which starts with learning rich-features by a novel unsupervised feature learning algorithm Merged Sparse Auto-Encoder (MSAE). In order to extract more compact and discriminative feature from the rich-features to further boost the malware detection capability, a hybrid deep network learning algorithm Stacked Hybrid Learning MSAE and SDAE (SHLMD) is established by further incorporating a classical deep learning method Stacked Denoising Auto-encoders (SDAE). After that, we feed the feature learned by MSAE and SHLMD respectively to classification algorithms, e.g., Support Vector Machine (SVM) or K-NearestNeighbor (KNN), to train a malware detection model. Evaluation results on two real-world datasets demonstrate that SHLMD achieves 94.46 and 90.57 percent accuracy respectively, which outperforms the classical unsupervised feature representation learning Sparse Auto-encoder (SAE). MSAE performs similarly to SAE. SHLMD can further improve the performance of MSAE and the supervised fine-tuned method SDAE. Besides, we compare the performance of our methods with that of state-of-the-art detection approaches, including classical deep-learning-based methods. Extensive experiments show that our proposed methods are effective enough to detect Android malware.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Boyun Zhang,Jianping Yin,Jingbo Hao,Dingxing Zhang,Shulin Wang

DOI: https://doi.org/10.1007/978-3-540-73547-2_48

2007-01-01

Abstract:As malicious codes become more complex and sophisticated, the scanning detection method is no longer able to detect various forms of viruses effectively. In this paper, we explore solutions based on multiple classifiers fusion and not strictly dependent on certain malicious code. Motivated by the standard signature-based technique for detecting viruses, we explore the idea of automatically detecting malicious code using the n-gram analysis. After selecting features based on information gain, the probabilistic neural network is used in the process of building and testing the proposed multi-classifiers system. Each one of the individual classifiers is used to produce classification evidences. Then these evidences are combined by the Dempster-Shafer combination rules to form the final classification results for new malicious code. Experimental results produced by the proposed detection engine shows improvement compared to the classification results produced by the individual classifiers.

Chong Wang,Jianwei Ding,Tao Guo,Baojiang Cui

DOI: https://doi.org/10.1007/978-3-319-69811-3_39

2017-11-02

Abstract:AbstractWith the development of software security technology, more and more malicious programs constantly uses new confusion and feature hiding techniques, the malware detection technology need to upgrade urgently. This paper presents a malware detection method based on sandbox, binary instrumentation and multidimensional feature extraction. We introduced the design and implementation of sandbox, feature extractor and the classifier. Finally, we merged multiple models and get a pretty well classifier for the malware detection.

S. Teo,Jia Yi Loo,Tram Truong-Huu,Dima Rabadi,Mao V. Ngo

DOI: https://doi.org/10.48550/arXiv.2211.13860

2022-11-25

Abstract:In malware detection, dynamic analysis extracts the runtime behavior of malware samples in a controlled environment and static analysis extracts features using reverse engineering tools. While the former faces the challenges of anti-virtualization and evasive behavior of malware samples, the latter faces the challenges of code obfuscation. To tackle these drawbacks, prior works proposed to develop detection models by aggregating dynamic and static features, thus leveraging the advantages of both approaches. However, simply concatenating dynamic and static features raises an issue of imbalanced contribution due to the heterogeneous dimensions of feature vectors to the performance of malware detection models. Yet, dynamic analysis is a time-consuming task and requires a secure environment, leading to detection delays and high costs for maintaining the analysis infrastructure. In this paper, we first introduce a method of constructing aggregated features via concatenating latent features learned through deep learning with equally-contributed dimensions. We then develop a knowledge distillation technique to transfer knowledge learned from aggregated features by a teacher model to a student model trained only on static features and use the trained student model for the detection of new malware samples. We carry out extensive experiments with a dataset of 86709 samples including both benign and malware samples. The experimental results show that the teacher model trained on aggregated features constructed by our method outperforms the state-of-the-art models with an improvement of up to 2.38% in detection accuracy. The distilled student model not only achieves high performance (97.81% in terms of accuracy) as that of the teacher model but also significantly reduces the detection time (from 70046.6 ms to 194.9 ms) without requiring dynamic analysis.

Computer Science