Shuwei Wang,Baosheng Wang,Tang Yong,Bo Yu

DOI: https://doi.org/10.1007/978-3-319-27051-7_16

2015-01-01

Abstract:Clustering is an important part of the malware analysis. The malware clustering algorithms commonly used at present have gradually can not adapt to the growing number of malware. In order to improve the malware clustering algorithm, this paper uses the clustering algorithm based on Shared Nearest Neighbor (SNN), and uses frequencies of the system calls as the features for input. This algorithm combined with the DBSCAN which is traditional density-based clustering algorithm in data mining. This makes it is a better application in the process of clustering of malware. The results of clusters demonstrate that the effect of the algorithm of clustering is good. And the algorithm is simple to implement and easy to complete automated analysis. It can be applied to actual automated analysis of malware.

Sun Haoliang,Wang Dawei,Zhang Ying

DOI: https://doi.org/10.1109/iccsn.2019.8905286

2019-01-01

Abstract:Nowadays, a major challenge to network security is malicious codes. However, manual extraction of features is one of the characteristics of traditional detection techniques, which is inefficient. On the other hand, the features of the content and behavior of the malicious codes are easy to change, resulting in more inefficiency of the traditional techniques. In this paper, a K-Means Clustering Analysis is proposed based on Adaptive Weights (AW-MMKM). Identifying malicious codes in the proposed method is based on four types of network behavior that can be extracted from network traffic, including active, fault, network scanning, and page behaviors. The experimental results indicate that the AW-MMKM can detect malicious codes efficiently with higher accuracy.

Jin-Qi XIAO,Jun-Feng WANG

DOI: https://doi.org/10.3969/j.issn.0490-6756.2018.03.009

2018-01-01

Abstract:Internet Security companies collect tens of millions of new malware variants each year ,Virus Share ,the online malware repository ,has stored more than 27 million unlabeled malwares .Clustering malware variant according to certain behavior patterns ,not only makes the new attack easier to be detec-ted ,but also helps us to obtain the malware trends in time and take the corresponding preventive meas-ures .Therefore ,this paper proposes a malware variant clustering method which use dynamic analysis technology to extract malware features ,including import and export function name ,strings ,system re-source records and system calls ,then convert these features to the fuzzy hashes ,finally clustering mal-ware samples through the CFSFDP clustering algorithm .We select the number of clusters ,precision , recall ,F-score and entropy as external criteria ,select the intra-cluster cohesion and inter-cluster separa-tion as internal criteria .The experimental results demonstrate that compared with Symantec and ESET-NOD32 ,the F-score obtained in this paper increased by 11 .632% and 2 .41% ,and the number of clus-ters is closest to the artificial labeled .

Xin Chen,Dongjin Yu,Xinxin Cai,He Jiang,Haihua Yu

DOI: https://doi.org/10.1109/tr.2023.3332090

IF: 5.883

2024-01-01

IEEE Transactions on Reliability

Abstract:Familiar analysis for malware plays an important role in comprehending the diversity of malicious behaviors and identifying the emerging security threats. Existing studies mainly focus on classifying malware into known families by supervised learning. However, these methods face two main challenges, 1) the lack of a large amount of labeled data and 2) the poor effectiveness in identifying unknown families of malware. To overcome these challenges, we propose a new method called multiple features (MulFC) based on unsupervised learning. In the method, we first leverage a decompiling tool to extract multiple features, including manifest features, application programming interface (API) features, and opcode features. Then, the opcode features are preprocessed to filter out the redundant ones to reduce the calculation cost. After that, we adopt the Jaccard index to calculate the similarities between malware and construct a malware network. Finally, InfoMap is applied to perform the clustering on the basis of the malware network. Overall, MulFC does not require the use of labeled data and can identify unknown families of malware. Experiments are conducted on two datasets for the performance evaluation of MulFC. The experimental results show that MulFC achieves 0.810 in terms of normalized mutual information, 0.576 in terms of adjusted rand index, 0.620 in terms of the Fowlkes-Mallows index, and 0.805 in terms of V-measure on average, and outperforms the state-of-the-art baseline method by 0.060, 0.054, 0.038, and 0.065, respectively.

Olha Jurečková,Martin Jureček,Mark Stamp

2024-05-06

Abstract:Malware attacks have become significantly more frequent and sophisticated in recent years. Therefore, malware detection and classification are critical components of information security. Due to the large amount of malware samples available, it is essential to categorize malware samples according to their malicious characteristics. Clustering algorithms are thus becoming more widely used in computer security to analyze the behavior of malware variants and discover new malware families. Online clustering algorithms help us to understand malware behavior and produce a quicker response to new threats. This paper introduces a novel machine learning-based model for the online clustering of malicious samples into malware families. Streaming data is divided according to the clustering decision rule into samples from known and new emerging malware families. The streaming data is classified using the weighted k-nearest neighbor classifier into known families, and the online k-means algorithm clusters the remaining streaming data and achieves a purity of clusters from 90.20% for four clusters to 93.34% for ten clusters. This work is based on static analysis of portable executable files for the Windows operating system. Experimental results indicate that the proposed online clustering model can create high-purity clusters corresponding to malware families. This allows malware analysts to receive similar malware samples, speeding up their analysis.

Cryptography and Security,Machine Learning

Yuping Li,Jiyong Jang,Xin Hu,Xinming Ou

DOI: https://doi.org/10.48550/arXiv.1707.04795

2017-07-15

Cryptography and Security

Abstract:Clustering has been well studied for desktop malware analysis as an effective triage method. Conventional similarity-based clustering techniques, however, cannot be immediately applied to Android malware analysis due to the excessive use of third-party libraries in Android application development and the widespread use of repackaging in malware development. We design and implement an Android malware clustering system through iterative mining of malicious payload and checking whether malware samples share the same version of malicious payload. Our system utilizes a hierarchical clustering technique and an efficient bit-vector format to represent Android apps. Experimental results demonstrate that our clustering approach achieves precision of 0.90 and recall of 0.75 for Android Genome malware dataset, and average precision of 0.98 and recall of 0.96 with respect to manually verified ground-truth.

Rajvardhan Patil,Wei Deng

DOI: https://doi.org/10.1109/southeastcon44009.2020.9368268

2020-01-01

Abstract:In this era, where the volume and diversity of malware is rising exponentially, new techniques need to be employed for faster and accurate identification of the malwares. Manual heuristic inspection of malware analysis are neither effective in detecting new malware, nor efficient as they fail to keep up with the high spreading rate of malware. Machine learning approaches have therefore gained momentum. They have been used to automate static and dynamic analysis investigation where malware having similar behavior are clustered together, and based on the proximity unknown malwares get classified to their respective families. Although many such research efforts have been conducted where data-mining and machine-learning techniques have been applied, in this paper we show how the accuracy can further be improved using deep learning networks. As deep learning offers superior classification by constructing neural networks with a higher number of potentially diverse layers it leads to improvement in automatic detection and classification of the malware variants.In this research, we present a framework which extracts various feature-sets such as system calls, operational codes, sections, and byte codes from the malware files. In the experimental and result section, we compare the accuracy obtained from each of these features and demonstrate that feature vector for system calls yields the highest accuracy. The paper concludes by showing how deep learning approach performs better than the traditional shallow machine learning approaches.

XU Xiao-lin,YUN Xiao-chun,ZHOU Yong-lin,KANG Xue-bin

DOI: https://doi.org/10.3969/j.issn.1000-436x.2013.08.019

2013-01-01

Journal of Communications

Abstract:In order to improve the effectiveness and efficiency of mass malicious code analysis,an online analytical model was proposed including feature space construction,automatic feature extraction and fast clustering.Our research focused on the law of malware behavior and code string distribution by dynamic and static techniques.In this model,a sample was described with its API and key code fragment.This model proposed a fast clustering approach to identify group samples that exhibit similar feature when applied this model to real-world malware collections.The result demonstrates that the proposed model is able to extract feature automatically,support streaming data clustering on large-scale,and achieve better precision.

Shanxi Li,Qingguo Zhou,Wei

DOI: https://doi.org/10.3837/tiis.2021.09.010

2021-01-01

KSII Transactions on Internet and Information Systems

Abstract:Malware is a severe threat to the computing system and there's a long history of the battle between malware detection and anti-detection. Most traditional detection methods are based on static analysis with signature matching and dynamic analysis methods that are focused on sensitive behaviors. However, the usual detections have only limited effect when meeting the development of malware, so that the manual update for feature sets is essential. Besides, most of these methods match target samples with the usual feature database, which ignored the characteristics of the sample itself. In this paper, we propose a new malware detection method that could combine the features of a single sample and the general features of malware. Firstly, a structure of Directed Cyclic Graph (DCG) is adopted to extract features from samples. Then the sensitivity of each API call is computed with Markov Chain. Afterward, the graph is merged with the chain to get the final features. Finally, the detectors based on machine learning or deep learning are devised for identification. To evaluate the effect and robustness of our approach, several experiments were adopted. The results showed that the proposed method had a good performance in most tests, and the approach also had stability with the development and growth of malware.

Yi WANG,Yong TANG,Zexin LU,Xin YU

DOI: https://doi.org/10.3969/j.issn.1671-1122.2016.09.013

2016-01-01

Abstract:The increment of malware has exploded in recent years. As a result, using cluster algorithm to detect malware families has received the favors of security vendors. Malware clustering is the task of converging sample that has similar behavior or structure in the same group (called a cluster), and features selection plays a vital role in malware clustering. Firstly this paper discusses carefully the common features used in existing study of malware clustering and compares these features with each other. The most of existing works focus on the clustering based on single feature vector, while single feature vector is not capable of describing all the characteristics of malware. To solve this problem, then multi feature vector pairs are proposed to cluster malware. Also, according to the clustering results, the speciifc indexes are deifned to evaluate the selected feature vectors. Finally, combining with DBSCAN clustering algorithm, several feature vectors and their combinations are selected to test. The result shows that multi feature vector pairs are superior to single feature vector in identifying malware families.

Ying Fang,Bo Yu,Yong Tang,Liu Liu,Zexin Lu,Yi Wang,Qiang Yang

DOI: https://doi.org/10.1007/978-3-319-59870-3_10

2017-01-01

Abstract:Dynamic analysis plays an important role in analyzing malware variants which have used obfuscation, polymorphism and metamorphism techniques. Malware classification is an emerging approach for discriminating different malware families. However, existing malware classification methods have mediocre performance in small scale datasets and some machine learning algorithms have difficulties in handling imbalanced datasets. To solve these issues, we propose an ensemble learning based dynamic malware classification approach aiming at datasets of different scales. Additionally a novel feature selection method is presented to select features with strong discrimination power. In particular, we continue to explore issues in feature representation and feature selection. To verify the efficiency of our approach, we perform a series of comparative experiments with existing feature selection methods, commercial anti-malware tools and current malware classification techniques. The experimental results demonstrate that our approach can classify malware variants in high F1-score while imposing low classification time in datasets of different scales.

Liu,Bao-sheng Wang,Bo Yu,Qiu-xi Zhong

DOI: https://doi.org/10.1631/fitee.1601325

IF: 2.526

2017-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:The explosive growth of malware variants poses a major threat to information security. Traditional anti-virus systems based on signatures fail to classify unknown malware into their corresponding families and to detect new kinds of malware programs. Therefore, we propose a machine learning based malware analysis system, which is composed of three modules: data processing, decision making, and new malware detection. The data processing module deals with gray-scale images, Opcode n-gram, and import functions, which are employed to extract the features of the malware. The decision-making module uses the features to classify the malware and to identify suspicious malware. Finally, the detection module uses the shared nearest neighbor (SNN) clustering algorithm to discover new malware families. Our approach is evaluated on more than 20 000 malware instances, which were collected by Kingsoft, ESET NOD32, and Anubis. The results show that our system can effectively classify the unknown malware with a best accuracy of 98.9%, and successfully detects 86.7% of the new malware.

Joris Kinable,Orestis Kostakis

DOI: https://doi.org/10.48550/arXiv.1008.4365

2010-08-26

Abstract:Each day, anti-virus companies receive tens of thousands samples of potentially harmful executables. Many of the malicious samples are variations of previously encountered malware, created by their authors to evade pattern-based detection. Dealing with these large amounts of data requires robust, automatic detection approaches. This paper studies malware classification based on call graph clustering. By representing malware samples as call graphs, it is possible to abstract certain variations away, and enable the detection of structural similarities between samples. The ability to cluster similar samples together will make more generic detection techniques possible, thereby targeting the commonalities of the samples within a cluster. To compare call graphs mutually, we compute pairwise graph similarity scores via graph matchings which approximately minimize the graph edit distance. Next, to facilitate the discovery of similar malware samples, we employ several clustering algorithms, including k-medoids and DBSCAN. Clustering experiments are conducted on a collection of real malware samples, and the results are evaluated against manual classifications provided by human malware analysts. Experiments show that it is indeed possible to accurately detect malware families via call graph clustering. We anticipate that in the future, call graphs can be used to analyse the emergence of new malware families, and ultimately to automate implementation of generic detection schemes.

Cryptography and Security

Yao Du,Junfeng Wang,Qi Li

DOI: https://doi.org/10.1109/access.2017.2720160

IF: 3.9

2017-01-01

IEEE Access

Abstract:With the development of code obfuscation and application repackaging technologies, an increasing number of structural information-based methods have been proposed for malware detection. Although, many offer improved detection accuracy via a similarity comparison of specific graphs, they still face limitations in terms of computation time and the need for manual operation. In this paper, we present a new malware detection method that automatically divides a function call graph into community structures. The features of these community structures can then be used to detect malware. Our method reduces the computation time by improving the Girvan–Newman algorithm and using machine learning classification instead of a similarity comparison of subgraphs. To evaluate our method, 5040 malware samples and 8750 benign samples were collected as an experimental data set. The evaluation results show that the detection accuracy of our method is higher than that of three well-known anti-virus software and two previous control flow graph-based methods for many malware families. The runtime performance of our method exhibits a clear improvement over the GN algorithm for community structure generation.

ZhiXue Han,Shaorong Feng,Yanfang Ye,Qingshan Jiang

DOI: https://doi.org/10.1109/icasid.2009.5276982

2009-01-01

Abstract:Nowadays, numerous attacks made by the malware, such as viruses, backdoors, spyware, trojans and worms, have presented a major security threat to computer users. The most significant line of defense against malware is anti-virus products which detects, removes, and characterizes these threats. The ability of these AV products to successfully characterize these threats greatly depends on the method for categorizing these profiles of malware into groups. Therefore, clustering malware into different families is one of the computer security topics that are of great interest. In this paper, resting on the analysis of the extracted instruction of malware samples, we propose a novel parameter-free hybrid clustering algorithm (PFHC) which combines the merits of hierarchical clustering and K-means algorithms for malware clustering. It can not only generate stable initial division, but also give the best K. PFHC first utilizes agglomerative hierarchical clustering algorithm as the frame, starting with N singleton clusters, each of which exactly includes one sample, then reuses the centroids of upper level in every level and merges the two nearest clusters, finally adopts K-means algorithm for iteration to achieve an approximate global optimal division. PFHC evaluates clustering validity of each iteration procedure and generates the best K by comparing the values. The promising studies on real daily data collection illustrate that, compared with popular existing K-means and hierarchical clustering approaches, our proposed PFHC algorithm always generates much higher quality clusters and it can be well used for malware categorization.

Jing Liu,Yongjun Wang,Peidai Xie,Xingkong Ma

DOI: https://doi.org/10.1007/978-981-10-3023-9_9

2017-01-01

Abstract:Nowadays, the dramatically increased malware causes severe challenges to computer security. Most emerging instances are variants of previously encountered malware through polymorphism and metamorphism techniques. The traditional signature-based detecting methods are ineffective to recognize the enormous variants. Malware similarity analysis has become the mainstream technique of identifying variants. However, most existing methods are either hard to handle polymorphic and metamorphic samples based on static structure feature, or time consuming and resource intensive by using dynamic behavior feature. In this paper, we propose a novel malware similarity analysis method based on a fine-grained hybrid feature by exploiting the complementary nature of static and dynamic analysis. We integrate dynamic runtime behavior with static function-call graph. The hybrid feature overcomes the limitation of using static and dynamic feature separately and with more accuracy. Furtherly, we use graph edit distance, and inexact graph matching algorithm as metric to measure the distance between malicious instances. We have evaluated our algorithm on real-world dataset and compared with other approach. The experiments demonstrate that our method achieves higher accuracy.

Hongcheng Li,Jianjun Huang,Bin Liang,Wenchang Shi,Yifang Wu,Shilei Bai

DOI: https://doi.org/10.3233/jcs-191313

2020-01-01

Journal of Computer Security

Abstract:Injecting malicious code into benign programs is popular in spreading malware. Unfortunately, for detection, the prior knowledge about the malware, e.g., the behavior or implementation patterns, isn’t always available. Our observation shows that the logic of the host program is normally unclear to parasitic malware developers, resulting in very few interactions between the host and the payloads in lots of parasitic malware. Thus we can expose the injected part by grouping the code based on the interactive relations. Particularly, we partition a target program into modules, extract the relations, cluster the modules and further inspect the outliers to identify such malware. In this paper, we design a two-stage code clustering-based approach to detecting two representative types of malware, the UEFI rootkits and the piggybacked Android applications. Parasitic malware is reported when (1) any outlier in a UEFI firmware shows a relatively long distance to the largest cluster, or (2) the largest outlier distance exceeds zero in an Android application, i.e., multiple cluster exist after re-clustering outliers. We evaluate the approach on 35 pairs of benign/infected UEFI samples we do our best to get and achieve an overall F1 score. of 100%. Applying the learned threshold to 50 other benign firmwares, we identify them without false positives. In addition, our evaluation on 1079 pairs of Android applications, shows an F1 score of 90.66% when the third-party libraries are eliminated and a score of 87.36% if we keep the popular third-party libraries, demonstrating the effectiveness of the approach.

Qian Li,Qingyuan Hu,Yong Qi,Saiyu Qi,Xinxing Liu,Pengfei Gao

DOI: https://doi.org/10.1016/j.knosys.2021.106802

IF: 8.139

2021-01-01

Knowledge-Based Systems

Abstract:With the widespread use of smartphones, Android malware has posed serious threats to its security. Given the explosive growth of Android malware variants, detecting malware families are crucial for identifying new security threats, triaging, and building reference datasets. Building behavior profiles of Android applications (apps) with holistic graph-based features would help to retain program semantics and resist obfuscation. It is more effective to use representation with the low-dimensional feature, which could reduce calculation cost and improve the efficiency of downstream analytics tasks. To achieve this goal, we design and develop a practical system for the familial analysis of Android malware named GSFDroid. We first use graph-based features that contain structural information to analyze app behavior. Then, we employ Graph Convolutional Networks (GCNs) to embed nodes into a continuous and low-dimensional space, which improves the efficiency of downstream analytics tasks. Note that distributions of the learned feature vectors of APKs are not aligned and centered caused by the random initialization and propagation strategy of GCN, whose different scales can harm the performance of downstream tasks. Inspired by the z-s c o r e, we propose a simple graph feature normalization to standardize the embedded APK features. Finally, instead of fully supervised or unsupervised learning, we propose a two-phased familial analysis method fusing a semi-supervised classifier with a cluster operation on high uncertain score samples respect to the classifier. Promising experimental results based on real-world datasets demonstrate that our approach significantly outperforms state-of-the-art approaches, and can effectively cluster new malware samples from unknown families.

Kar Wai Fok,Vrizlynn L. L. Thing

DOI: https://doi.org/10.1109/PST52912.2021.9647814

2022-11-18

Abstract:Malwares are the key means leveraged by threat actors in the cyber space for their attacks. There is a large array of commercial solutions in the market and significant scientific research to tackle the challenge of the detection and defense against malwares. At the same time, attackers also advance their capabilities in creating polymorphic and metamorphic malwares to make it increasingly challenging for existing solutions. To tackle this issue, we propose a methodology to perform malware detection and family attribution. The proposed methodology first performs the extraction of opcodes from malwares in each family and constructs their respective opcode graphs. We explore the use of clustering algorithms on the opcode graphs to detect clusters of malwares within the same malware family. Such clusters can be seen as belonging to different sub-family groups. Opcode graph signatures are built from each detected cluster. Hence, for each malware family, a group of signatures is generated to represent the family. These signatures are used to classify an unknown sample as benign or belonging to one the malware families. We evaluate our methodology by performing experiments on a dataset consisting of both benign files and malware samples belonging to a number of different malware families and comparing the results to existing approach.

Cryptography and Security,Artificial Intelligence,Machine Learning

Hanqing Zhang,Senlin Luo,Yifei Zhang,Limin Pan

DOI: https://doi.org/10.1109/access.2019.2919796

IF: 3.9

2019-01-01

IEEE Access

Abstract:According to the recent report, 12 000 new Android malware samples will be generated every day. Efficient identification of evolving malware is an urgent challenge. Traditional methods based on structured features such as permissions and sensitive application programming interface (API) calls lack high-level behavioral semantics to detect evolving malware. The methods based on call graphs (CG) are good at behavioral semantic analysis but face the problem of huge time and space consumption, which leads to low detection efficiency. In this paper, we propose a novel Android malware detection method based on the method-level correlation relationship of application's abstracted API calls. First, we split each Android application's source code into separate function methods and just keep the abstracted API calls of them to form a set of abstracted API calls transactions. And then, we calculate the confidence of association rules between the abstracted API calls, which forms behavioral semantics to describe an application. Finally, we combine machine learning to identify the different behavioral patterns of malicious and benign apps to build the detection system. The results of our empirical evaluation show our system is competitive in terms of classification accuracy and detection efficiency. At dataset Drebin (benign 5.9K and malware 5.6K) and AMD (benign 20.5K and malware 20.8K), our system has achieved 96% and 98% detection results both in accuracy and F-measure. Compared with the state-of-the-art system in detecting evolving malware called MaMaDroid on the dataset of 6.0K benign and 20.5K malicious samples spanning from 2010 to 2017, our system achieves higher accuracy while improving detection efficiency by 15 times (2.9 s versus 45.7 s per sample).