Hassan Hadi Al-Maksousy,Michele C. Weigle,Cong Wang

DOI: https://doi.org/10.1109/ths.2018.8574174

2018-01-01

Abstract:Malware detection is an important problem. We propose an efficient real-time system to detect and classify malware based on network behavior using deep neural networks. We show that the splitting of the system into two neural networks, detection and analysis, is the key to increasing accuracy. Therefore, this approach allows for the construction of a real-time monitoring system with very low CPU usage. Finally, we provide a comparison analysis of four machine learning classifiers for this task.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Xinguang Xiao,Bing Wu,Xiaochun Yun,Yongliang Qiu

2012-01-01

Abstract:After detailed analysis of the structure of traditional IDS, we believe that it doesn’t work well on a high speed network with various viruses. What we need is accurate and high-speed detection of virus transmission and of the attacks of known viruses as well as as-yet-unkown viruses. Based on port mirroring and the normalization theory, we developed the algorithm efficiency oriented Virus Detection System (VDS). We implemented a mechanism which adapts to the bandwidth by adopting simple divergence, a parallel large sign set and high speed matching, and parallel protocol resolution. This paper presents the data processing method used by VDS by introducing the AVML and DEDL. Deep processing and unknown virus discovery are also introduced.

ZHAO Yun-cheng,MU De-jun,DAI Hang

DOI: https://doi.org/10.3969/j.issn.1673-629X.2013.10.028

2013-01-01

Abstract:With the constantly accelerating process of global informationization,the computer network is widely applicable.Meanwhile,network security issues are also increasingly intensified.Static detection and dynamic detection are two major malware detection technologies.However,both techniques have their merits and shortcomings,cannot respond to changing network situation.Therefore,on the basis of fully integrated with the merits and shortcomings of these two kinds of detection technologies,propose a novel malware detection system based on the combination of the static and dynamic.Experimental verification shows that the system can be more efficient detection of malware,reducing the rate of false positives,and consuming less system resources.

Wei Deng,Qiao Liu,Hongrong Cheng,Zhiguang Qin

2011-01-01

Journal of Computational Information Systems

Abstract:Malware has been posing a major threat for computer systems. The huge amount and diversity of its variants, such as computer viruses, Internet worms and Trojan horses, render classic security defenses ineffective. For the existence of active adversaries which constantly attempt to evade anti-malware, traditional signature-based approaches fail to detect malware which is new or obfuscated. This paper presents a general malware detection framework based on Kolmogorov complexity. As an example, we use a statistical data compression model which is Dynamic Markov Compression (DMC) to classify a code instance either as a "malware" or "benign" code instance. Our preliminary results are very promising. Our experimental results also demonstrate the framework can effectively detect unknown and obfuscated malware with high quality. © 2005 by Binary Information Press.

Yanfang Ye,Dingding Wang,Tao Li,Dongyi Ye

DOI: https://doi.org/10.1145/1281192.1281308

2007-01-01

Abstract:The proliferation of malware has presented a serious threat to the security of computer systems. Traditional signature-based antivirus systems fail to detect polymorphic and new, previously unseen malicious executables. In this paper, resting on the analysis of Windows API execution sequences called by PE files, we develop the Intelligent Malware Detection System (IMDS) using Objective-Oriented Association (OOA) mining based classification. IMDS is an integrated system consisting of three major modules: PE parser, OOA rule generator, and rule based classifier. An OOA_Fast_FP-Growth algorithm is adapted to efficiently generate OOA rules for classification. A comprehensive experimental study on a large collection of PE files obtained from the anti-virus laboratory of King-Soft Corporation is performed to compare various malware detection approaches. Promising experimental results demonstrate that the accuracy and efficiency of our IMDS system outperform popular anti-virus software such as Norton AntiVirus and McAfee VirusScan, as well as previous data mining based detection systems which employed Naive Bayes, Support Vector Machine (SVM) and Decision Tree techniques.

Zhentan Feng,Shuguang Xiong,Deqiang Cao,Xiaolu Deng,Xin Wang,Yang Yang,Xiaobo Zhou,Yan Huang,Guangzhu Wu

DOI: https://doi.org/10.1145/2713579.2713585

2015-01-01

Abstract:ABSTRACTTraditional signature-based detection methods fail to detect unknown malwares, while data mining methods for detection are proved useful to new malwares but suffer for high false positive rate. In this paper, we provide a novel hybrid framework called HRS based on the analysis for 50 millions of malware samples across 20,000 malware classes from our antivirus platform. The distribution of the samples are elaborated and a hybrid framework HRS is proposed, which consists of Hash-based, Rule-based and SVM-based models trained from different classes of malwares according to the distribution. Rule-based model is the core component of the hybrid framework. It is convenient to control false positives by adjusting the factor of a boolean expression in rule-based method, while it still has the ability to detect the unknown malwares. The SVM-based method is enhanced by examining the critical sections of the malwares, which can significantly shorten the scanning and training time. Rigorous experiments have been performed to evaluate the HRS approach based on the massive dataset and the results demonstrate that HRS achieves a true positive rate of 99.84% with an error rate of 0.17%. The HRS method has already been deployed into our security platform.

Jeyaprakash Hemalatha,Subbiah Geetha,Seifedine Kadry,Robertas Damaševičius,S. Roseline

DOI: https://doi.org/10.3390/e23030344

IF: 2.738

2021-03-15

Entropy

Abstract:Recently, there has been a huge rise in malware growth, which creates a significant security threat to organizations and individuals. Despite the incessant efforts of cybersecurity research to defend against malware threats, malware developers discover new ways to evade these defense techniques. Traditional static and dynamic analysis methods are ineffective in identifying new malware and pose high overhead in terms of memory and time. Typical machine learning approaches that train a classifier based on handcrafted features are also not sufficiently potent against these evasive techniques and require more efforts due to feature-engineering. Recent malware detectors indicate performance degradation due to class imbalance in malware datasets. To resolve these challenges, this work adopts a visualization-based method, where malware binaries are depicted as two-dimensional images and classified by a deep learning model. We propose an efficient malware detection system based on deep learning. The system uses a reweighted class-balanced loss function in the final classification layer of the DenseNet model to achieve significant performance improvements in classifying malware by handling imbalanced data issues. Comprehensive experiments performed on four benchmark malware datasets show that the proposed approach can detect new malware samples with higher accuracy (98.23% for the Malimg dataset, 98.46% for the BIG 2015 dataset, 98.21% for the MaleVis dataset, and 89.48% for the unseen Malicia dataset) and reduced false-positive rates when compared with conventional malware mitigation techniques while maintaining low computational time. The proposed malware detection solution is also reliable and effective against obfuscation attacks.

physics, multidisciplinary

Lin Chen,Bo Liu,Huaping Hu,Qianbing Zheng

DOI: https://doi.org/10.1109/trustcom.2012.35

2012-01-01

Abstract:Virtual machine monitor (VMM)-based anti-malware systems have recently become a popular research topic in finding ways of overcoming the fundamental limitations of traditional host-based anti-malware systems, which are likely to be deceived and attacked by malicious codes. This paper analyzes existing VMM-based models of malware detection. "Out-of-the-box" detection, active defense model, or In-VM models have the same defects: (1) on top of the VMM, two virtual machines are used, one by the user (Guest OS) and the other as monitor (Host OS), and (2) users cannot directly view the detection results nor configure detection system in the Guest OS. A layered detection model is proposed to overcome these issues, the bottom layer is responsible for security for the layers above it. Detection results can be directly displayed in the Guest OS, and users can view and configure the detection system. Furthermore, the detection model can isolate malware attacks to the detection system in the Guest OS. Experiment results show the validity of the proposed detection model.

Alan Nafiiev,Andrii Rodionov

DOI: https://doi.org/10.20535/tacs.2664-29132023.2.277959

2023-11-06

Theoretical and Applied Cybersecurity

Abstract:Cyber wars and cyber attacks are an urgent problem in the global digital environment. Based on existing popular detection methods, malware authors are creating ever more advanced and sophisticated malware. Therefore, this study aims to create a malware analysis system that uses both dynamic and static analysis. Our system is based on a machine learning method - support vector machine. The set of data used was collected from various Internet sources. It consists of 257 executable files in .exe format, 178 of which are malicious and 79 are benign. We use 5 different types of data representation: binary information, trace instructions, control flow graph, information obtained from the dynamic operation of the file, and file metadata. Then, using multiple kernel learning, we combine all data views and create one summative machine learning model.

Zhuoxuan Lan,Binquan Zhang,Jie Wen,Zhihua Cui,Xiao-Zhi Gao

DOI: https://doi.org/10.1007/s10489-023-05049-7

IF: 5.3

2023-10-21

Applied Intelligence

Abstract:In order to solve the problem that traditional two-way decision based malicious code detection methods fail to consider the influence of decision making under the condition of insufficient information when facing complex and massive data in dynamic environment, this paper proposes a malicious code detection model based on sequential three-way decision. This model introduces sequential three-way decision into the domain of malicious code to avoid the risk of possible error detection due to insufficient information. In order to improve the overall performance of the detection model and eliminate the subjectivity of threshold selection, this paper designs a multi-objective sequential three-way decision model based on the above model, while considering the decision efficiency and decision accuracy of the model. In addition, the multi-objective optimization algorithm is used to solve the model. The simulation results show that the model not only guarantees the detection performance, but also improves the decision efficiency effectively. The real dynamic detection environment is better fitted.

computer science, artificial intelligence

Ahmed Alghamdi

DOI: https://doi.org/10.52783/cana.v31.1476

2024-09-02

Abstract:The growing sophistication of malware in exisiting environment poses tough demands on its detection methods of another kind. This paper introduces a framework for cyber security improvement, a means to solve strongly the probability issue of how to determine the behavior algorithmically in your system. This research is applied to malware detection systems based on methods (Support Vector Machines, Random Forest) and Neural Networks that are robust against deception. Statistical analysis of security threats and a review of current methods used for malware detection are given at its outset. The proposed framework, with its statistical framework analysis, looks for patterns and anomalies that indicate malice. It then integrates cryptographic techniques onto data transmission, computation processes; that the core of our system remains untouched by potential disturbances. The concept is further elaborated with open-source code from the field, Machine Learning (SVM, Random Forest, Neural Networks), As if with this variety of tools we can now detect and classify types of malware that generate irregular patterns but do not necessarily resemble known signatures at all. Such a hybrid security mechanism as described here, combining the best of statistics, cryptographic security, and machine learning, gives a precision of detection beyond compare to today's systems. The experiments show large gains in both detection accuracy and response speed, demonstrating this whole-element approach's potential to better safeguard cybersecurity in all manner of fields. It may be foreseen that this proposed line of research could well become a key new tool, capable of adaptation and expansion with the needs expanding around us.

Ping Wang,Yu-Shih Wang

DOI: https://doi.org/10.1016/j.jcss.2014.12.014

IF: 1.043

2014-01-01

Journal of Computer and System Sciences

Abstract:Most existing approaches for detecting viruses involve signature-based analyses to match the precise patterns of malware threats. However, the problem of classification accuracy regarding unspecified malware detection depends on correct extraction and completeness of training signatures. In practice, malware detection system uses the generalization ability of support vector models (SVMs) to guarantee a small classification error by machine learning. This study developed an automatic malware detection system by training an SVM classifier based on behavioural signatures. A cross-validation scheme was used for solving classification accuracy problems by using SVMs associated with 60 families of real malware. The experimental results reveal that the classification error decreases as the sizing of testing data is increased. For different sizing (N) of malware samples, the prediction accuracy of malware detection goes up to 98.7% with N=100. The overall detection accuracy of the SVC is more than 85% for unspecific mobile malware.

Yanfang Ye,Dingding Wang,Tao Li,Dongyi Ye,Qingshan Jiang

DOI: https://doi.org/10.1007/s11416-008-0082-4

2008-01-01

Journal in Computer Virology

Abstract:The proliferation of malware has presented a serious threat to the security of computer systems. Traditional signature-based anti-virus systems fail to detect polymorphic/metamorphic and new, previously unseen malicious executables. Data mining methods such as Naive Bayes and Decision Tree have been studied on small collections of executables. In this paper, resting on the analysis of Windows APIs called by PE files, we develop the Intelligent Malware Detection System (IMDS) using Objective-Oriented Association (OOA) mining based classification. IMDS is an integrated system consisting of three major modules: PE parser, OOA rule generator, and rule based classifier. An OOA_Fast_FP-Growth algorithm is adapted to efficiently generate OOA rules for classification. A comprehensive experimental study on a large collection of PE files obtained from the anti-virus laboratory of KingSoft Corporation is performed to compare various malware detection approaches. Promising experimental results demonstrate that the accuracy and efficiency of our IMDS system outperform popular anti-virus software such as Norton AntiVirus and McAfee VirusScan, as well as previous data mining based detection systems which employed Naive Bayes, Support Vector Machine (SVM) and Decision Tree techniques. Our system has already been incorporated into the scanning tool of KingSoft’s Anti-Virus software.

Bo FENG,Hang DAI,De-jun MU

DOI: https://doi.org/10.3969/j.issn.1673-629X.2014.02.036

2014-01-01

Abstract:In view of the flood situation for Android malware,propose a method of behavior-based dynamic malware detection. First,get a comprehensive collection of software run-time information,including system information and kernel calls. The kernel call sequences are truncated to fixed length. Second,form all the information as property and values. Taking information gain as an indicator,select proper-ties that have high information gain and different impact by applying the C4. 5 algorithm,and proportionally assign weighting factor to properties based on the size of the information gain. Finally,apply K-Nearest Neighbor algorithm to complete the process of machine learning,making the system identify malicious software that similar to the sample,and regard unknown types of software as suspected malware. The result of experiment shows that the method has a high true positive rate and low false positive rate. Moreover,the result can be further improved with the increase of the learning sample library.

Nadra Guizani,Arif Ghafoor

DOI: https://doi.org/10.1109/jsac.2020.2986618

IF: 16.4

2020-06-01

IEEE Journal on Selected Areas in Communications

Abstract:The exponential growth in the use of Internet of Things (IoT) devices has introduced numerous challenges, in particular dealing with new security threats. In addition, for connecting heterogeneous devices using different protocols, large networks need resilient software-based security systems that can defend against unprecedented attacks for which the traditional security countermeasures prove to be ineffective. Furthermore, to deal with the ever growing onslaught on data and networks, modern security systems need to utilize novel machine learning mechanisms. This paper proposes a software-based architecture that provides network function virtualization (NFV) capability to combat malware spread for heterogeneous IoT networks. To build a scalable and generalized Intrusion Detection System (IDS), we propose for these networks a RNN-LSTM learning model that can predict malware attacks in a timely manner for the NFV to deploy appropriate countermeasures. In addition, we investigate the scalability of the network and discuss how the generalized IDS can deal with a broad range of malwares that can be detected. The analysis utilizes the susceptible (S), exposed (E), infected (I), and resistant (R) (SEIR) epidemic model to moniter the spread of the malware attack and subsequently provides patching to the system. Our analysis focuses primarily on the feasibility and the performance evaluation of the proposed integrated RNN-LSTM and NFV architecture.

telecommunications,engineering, electrical & electronic

XIE Yi,TANG Cheng-hua,HUANG Xiang-nong

DOI: https://doi.org/10.3969/j.issn.1000-1220.2013.09.027

2013-01-01

Abstract:Application-layer DDoS attack is a main threat to most of modern network service providers.The main drawback of conventional detection methods is that they are hard to describe the non-stationary and time-varying user behavior and cannot automatically adjust the model parameters according to the evolution of normal user behavior.In this paper,a new dynamic application-layer DDoS detection approach is proposed.The proposed scheme utilizes semi-Markov chain to describe the profile of normal behavior.A new dynamic recursive algorithm is introduced to adjust the model's parameters.The model is applied to detect the Application-layer DDoS attacks.Experiments based on a real trace are implemented to validate the proposal.

Mohammad Aziz,Ali Saeed Alfoudi

2023-08-09

Abstract:Malicious software is an integral part of cybercrime defense. Due to the growing number of malicious attacks and their target sources, detecting and preventing the attack becomes more challenging due to the assault's changing behavior. The bulk of classic malware detection systems is based on statistics, analytic techniques, or machine learning. Virus signature methods are widely used to identify malware. The bulk of anti-malware systems categorizes malware using regular expressions and patterns. While antivirus software is less likely to update its databases to identify and block malware, file features must be updated to detect and prevent newly generated malware. Creating attack signatures requires practically all of a human being's work. The purpose of this study is to undertake a review of the current research on intrusion detection models and the datasets that support them. In this article, we discuss the state-of-the-art, focusing on the strategy that was devised and executed, the dataset that was utilized, the findings, and the assessment that was undertaken. Additionally, the surveyed articles undergo critical analysis and statements in order to give a thorough comparative review. Machine learning and deep learning methods, as well as new classification and feature selection methodologies, are studied and researched. Thus far, each technique has proved the capability of constructing very accurate intrusion detection models. The survey findings reveal that Clearly, the MultiTree and adaptive voting algorithms surpassed all other models in terms of persistency and performance, averaging 99.98 percent accuracy on average.

Cryptography and Security

Wanyu Li,Hailiang Tang,Hailin Zhu,Wenxiao Zhang,Chen Liu

DOI: https://doi.org/10.1016/j.cose.2024.103752

IF: 5.105

2024-02-14

Computers & Security

Abstract:The cyber ecosystem is facing severe threats from malware attacks, making it imperative to detect malware to safeguard a purified Internet environment. However, current studies primarily concentrate on examining the time-based correlation between APIs for malware detection while neglecting the contextual associations derived from API categories, resulting in inadequate detection performance. In this paper, we present TS-Mal, a novel Mal ware detection model incorporated T emporal and S tructural features learning. Particularly, TS-Mal first designs a temporal vector learning method to automatically capture the evolving representation from the non-repetitive API sequences, which can efficiently pursue the attack preferences of malware. Then TS-Mal introduces heterogeneous graphs to model the interactive relationships between APIs and presents a dense-interactive structural embedding approach to generate the fine-grained API structural representation, which is capable of utilizing API category interaction information to boost detection effectiveness. Finally, TS-Mal simultaneously integrates temporal and structural attack features to accurately identify the unknown malware, effectively defending against new malware attacks. Experimental results on real-world datasets demonstrate that our proposed TS-Mal model outperforms existing state-of-the-art methods.

computer science, information systems

Peige Ren,Xiaofeng Wang,Chunqing Wu,Baokang Zhao,Hao Sun

DOI: https://doi.org/10.1007/978-3-642-55032-4_67

2014-01-01

Abstract:With the development of information technology, there are massive and heterogeneous data resources in the internet, as well as the malwares are appearing in different forms, traditional text-based malware detection cannot efficiently detect the various malwares. So it is becoming a great challenge about how to realize semantic-based malware detection. This paper proposes an intelligent and active data interactive coordination model based on channels. The coordination channels are the basic construction unit of this model, which can realize various data transmissions. By defining the coordination channels, the coordination atoms and the coordination units, the model can support diverse data interactions and can understand the semantic of different data resources. Moreover, the model supports graphical representation of data interaction, so we can design complex data interaction system in the forms of flow graph. Finally, we design a semantic-based malware detection system using our model; the system can understand the behavior semantics of different malwares, realizing the intelligent and active malware detection.