Ding Yuxin,Yuan Xuebing,Zhou Di,Dong Li,An Zhanchao

DOI: https://doi.org/10.1016/j.cose.2011.05.007

IF: 5.105

2011-01-01

Computers & Security

Abstract:Currently almost all static methods for detecting malicious code are signature-based, this leads the result that viruses can easily escape detection by simple mechanisms such as code obfuscation. In this paper, a behavior-based detection approach is proposed to address this problem. The behaviors of interest are defined as static system call sequences. Unlike the traditional approach, which derives system call sequences by running executables (i.e., dynamic system call sequences), this approach statically analyzes binary code to derive system call sequences. In this paper, a method for deriving static system call sequences is presented, and two automatic feature-selection methods based on n-grams are proposed. We use machine-learning methods, including the K-nearest neighbor, Support Vector Machine, and decision tree methods to classify executables. The proposed approach is compared with the dynamic detection approach using dynamic system call sequences. The experimental results show that the proposed approach has higher accuracy and a lower false positive rate than the dynamic detection approach.

Wei Li,Chenyi Zhang,Jieying Zhou,Dan Wang,Nuannuan Li

DOI: https://doi.org/10.1088/1742-6596/2010/1/012165

2021-09-01

Journal of Physics: Conference Series

Abstract:Abstract In recent years, malicious code emerges in endlessly. New types of malicious code evade the traditional malicious code detection technology through polymorphism, shelling, confusion and other ways. In order to solve the challenges brought by various technologies to the research of malicious code detection, in this paper, we propose a malicious code detection method based on static features and ensemble learning. This method extracts the information in the PE header file of malicious code samples as static features, and on this basis, builds a malicious code detection model by using stacking ensemble learning. In order to verify the effectiveness of the model, experiments are carried out on a dataset containing 5000 malicious codes and 4943 benign codes. Experiments show that the classification model based on stacking ensemble learning is the best, with 97.22% precision rate and 96.45% stable F1 score.

Yuehan Wang,Tong Li,Yongquan Cai,Zhenhu Ning,Fei Xue,Di Jiao

DOI: https://doi.org/10.4018/978-1-7998-2460-2.ch080

2017-01-01

Abstract:AbstractIn this article, the authors present a new malicious code detection model. The detection model improves typical n-gram feature extraction algorithms that are easy to be obfuscated. Specifically, the proposed model can dynamically determine obfuscation features and then adjust the selection of meaningful features to improve corresponding machine learning analysis. The experimental results show that the feature database, which is built based on the proposed feature selection and cleaning method, contains a stable number of features and can automatically get rid of obfuscation features. Overall, the proposed detection model has features of long timeliness, high applicability and high accuracy of identification.

Jinran Du,Huajun Chen,Weijie Zhong,Zhen Liu,Aidong Xu

DOI: https://doi.org/10.1109/icsai.2018.8599356

2018-01-01

Abstract:With the rapid spread of wireless networks and 4G networks, the application of mobile intelligent terminals has become more and more widespread. At the same time, there are more and more malicious software for mobile terminals, especially for the Android platform. Aiming at the detection problem of Android malicious code, a dynamic and static combined Android malicious code detection model based on SVM was proposed. Firstly, the dynamic and static features of Android program are extracted. Then, these features were vectored, used for the training and testing of SVM (Support vector machine). As shown in the experiments, the correct detection rate of Android malware is as high as 94.38%, recall rate achieving 98.46%, proved the effectiveness of the method.

Sun Haoliang,Wang Dawei,Zhang Ying

DOI: https://doi.org/10.1109/iccsn.2019.8905286

2019-01-01

Abstract:Nowadays, a major challenge to network security is malicious codes. However, manual extraction of features is one of the characteristics of traditional detection techniques, which is inefficient. On the other hand, the features of the content and behavior of the malicious codes are easy to change, resulting in more inefficiency of the traditional techniques. In this paper, a K-Means Clustering Analysis is proposed based on Adaptive Weights (AW-MMKM). Identifying malicious codes in the proposed method is based on four types of network behavior that can be extracted from network traffic, including active, fault, network scanning, and page behaviors. The experimental results indicate that the AW-MMKM can detect malicious codes efficiently with higher accuracy.

Yongkai Fan,Jing Lei,Cong Peng,Jinghan Wang,Jiaxu Liu,Guanqun Zhao,Jianrong Bai

DOI: https://doi.org/10.1109/CYBER46603.2019.9066678

2019-01-01

Abstract:Malware issue puzzles software users. Under the development of Internet, software technology has been involved in all parts of life such as Robot Control Software. There have been many methods to detect malicious Android applications. However, most of these are single behavior analysis models. In order to better detect the malicious behavior for more fields, we propose a malicious behavior analysis model based on system call and function interface with machine learning algorithm training. To clear the analysis model, we discuss the reasonable feature selection, data collection and analyze the implementation of static methods, dynamic methods and hybrid methods. In addition, we compare several important algorithm models to get the optimal model. Experimental result shows that our proposed optimal model has a higher accuracy than traditional way.

XU Xiao-lin,YUN Xiao-chun,ZHOU Yong-lin,KANG Xue-bin

DOI: https://doi.org/10.3969/j.issn.1000-436x.2013.08.019

2013-01-01

Journal of Communications

Abstract:In order to improve the effectiveness and efficiency of mass malicious code analysis,an online analytical model was proposed including feature space construction,automatic feature extraction and fast clustering.Our research focused on the law of malware behavior and code string distribution by dynamic and static techniques.In this model,a sample was described with its API and key code fragment.This model proposed a fast clustering approach to identify group samples that exhibit similar feature when applied this model to real-world malware collections.The result demonstrates that the proposed model is able to extract feature automatically,support streaming data clustering on large-scale,and achieve better precision.

Fathi H. Amsaad,Junjie Zhang,M. Pk,Al Amin Hossain

DOI: https://doi.org/10.1109/NAECON61878.2024.10670668

2024-07-15

Abstract:The rapid evolution of cyber threats raises the inevitability of the advancement of innovative and effective approaches in cybersecurity. There are numerous cyber threats; among these threats, malicious code, including viruses, worms, and sophisticated malware, poses significant risks to digital systems. The existing threat detection methods often rely on signature-based techniques and need help to keep pace with the dynamic and evolving characteristics of malware. Large language models (LLMs) such as GPT-4, renowned for their ability to perform natural language processing, offer a promising alternative for enhancing malicious code detection. This research paper proposes a novel approach using large language models (LLMs) to detect unwanted malicious code in Java source code, leveraging the Mixtral architecture. The Mixtral model is trained on a diverse dataset of benign and malicious Java code, enabling it to learn complex patterns and characteristics of malicious code. Experimental results validate the efficiency of the proposed in identifying malicious code, outperforming existing static analysis tools.

Computer Science

Zhimin Yin,Xiangzhan Yu,Linhua Niu

DOI: https://doi.org/10.2991/icaise.2013.45

2013-01-01

Abstract:The malicious code on the network is increasingly rampant that the traditional detection method of characteristic code has been difficult to deal with malicious code, with features of various variants, deformations and other problems. In this paper we present a new static analysis model based on software fingerprint to distinguish malicious codes. Through obtaining the software call graph by disassembling the binary file and mapping it as an image, shape moments can be obtained as the software fingerprint based on the retrieval theory of content image, combined with moment theory and the image's color, texture and shape features. The idea of pattern matching is used to measure the extracted software fingerprint similarity to determine whether it is malicious code or not. Then, we analyze the collected program samples. Test and verify whether the program has good performance in uniqueness, invariability and sensibility.

Lai Ying-Xu

DOI: https://doi.org/10.1109/snpd.2008.18

2008-01-01

Abstract:The detection of unknown malicious executables is beyond the capability of many existing detection approaches. Machine learning or data mining methods can identify new or unknown malicious executables with some degree of success. Feature selection is a key to apply data mining or machine learning to successfully detect malicious executables. We propose a method to extract features which are most representative of viral properties. We show that our classifier, based on strings, achieves high detection rates and can be expected to perform as well in real-world conditions.

Yong Fang,Cheng Huang,Yu Su,Yaoyao Qiu

DOI: https://doi.org/10.1016/j.cose.2020.101764

IF: 5.105

2020-01-01

Computers & Security

Abstract:Web development technology has undergone tremendous evolution, the creation of JavaScript has greatly enriched the interactive capabilities of the client. However, attackers use the dynamics feature of JavaScript language to embed malicious code into web pages for the purpose of drive-by-download, redirection, etc. The traditional method based on static feature detection is difficult to detect the malicious code after obfuscation, and the method based on dynamic analysis has low efficiency. To overcome these challenges, this paper proposes a static detection model based on semantic analysis. The model firstly generates an abstract syntax tree from JavaScript source codes, then automatically converts them to syntactic unit sequences. FastText algorithm is introduced to training word vectors. The syntactic unit sequences are represented as word vectors which will be input into Bi-LSTM network with attention mechanism. The detection model with Bi-LSTM network with attention mechanism is the key to detect malicious JavaScript. We experimented with the dataset using a five-fold cross-validation method. Experiments showed that the model can effectively detect obfuscated malicious JavaScript code and improve the detection speed, with a precision of 0.977 and recall of 0.974.

Jianguo Ding,Jian Jin,Pascal Bouvry,Yongtao Hu,Haibing Guan

DOI: https://doi.org/10.1109/ICIMP.2009.20

2009-01-01

Abstract:With the rising popularity of the Internet, the resulting increase in the number of available vulnerable machines, and the elevated sophistication of the malicious code itself, the detection and prevention of unknown malicious codes meet great challenges. Traditional anti-virus scanner employs static features to detect malicious executable codes and is hard to detect the unknown malicious codes effectively. We propose behavior-based dynamic heuristic analysis approach for proactive detection of unknown malicious codes. The behavior of malicious codes is identified by system calling through virtual emulation and the changes in system resources. A statistical detection model and mixture of expert (MoE) model are designed to analyze the behavior of malicious codes. The experiment results demonstrate the behavior-based proactive detection is efficient in detecting unknown malicious executable codes.

Lin Liu,Wang Ren,Feng Xie,Shengwei Yi,Junkai Yi,Peng Jia

DOI: https://doi.org/10.1155/2021/9964224

IF: 1.968

2021-08-19

Security and Communication Networks

Abstract:The malicious APK (Android Application Package) makers use some techniques such as code obfuscation and code encryption to avoid existing detection methods, which poses new challenges for accurate virus detection and makes it more and more difficult to detect the malicious code. A report indicates that a new malicious app for Android is created every 10 seconds. To combat this serious malware activity, a scalable malware detection approach is needed, which can effectively and efficiently identify the malware apps. Common static detection methods often rely on Hash matching and analysis of viruses, which cannot quickly detect new malicious Android applications and their variants. In this paper, a malicious Android application detection method is proposed, which is implemented by the deep network fusion model. The hybrid model only needs to use the sample training model to achieve high accuracy in the identification of the malicious applications, which is more suitable for the detection of the new malicious Android applications than the existing methods. This method extracts the static features in the core code of the Android application by decompiling APK files, then performs code vectorization processing, and uses the deep learning network for classification and discrimination. Our experiments with a data set containing 10,170 apps show that the decisions from the hybrid model can increase the malware detection rate significantly on a real device, which verifies the superiority of this method in the detection of malicious codes.

computer science, information systems,telecommunications

Jing Liu,Yongjun Wang,Peidai Xie,Xingkong Ma

DOI: https://doi.org/10.1007/978-981-10-3023-9_9

2017-01-01

Abstract:Nowadays, the dramatically increased malware causes severe challenges to computer security. Most emerging instances are variants of previously encountered malware through polymorphism and metamorphism techniques. The traditional signature-based detecting methods are ineffective to recognize the enormous variants. Malware similarity analysis has become the mainstream technique of identifying variants. However, most existing methods are either hard to handle polymorphic and metamorphic samples based on static structure feature, or time consuming and resource intensive by using dynamic behavior feature. In this paper, we propose a novel malware similarity analysis method based on a fine-grained hybrid feature by exploiting the complementary nature of static and dynamic analysis. We integrate dynamic runtime behavior with static function-call graph. The hybrid feature overcomes the limitation of using static and dynamic feature separately and with more accuracy. Furtherly, we use graph edit distance, and inexact graph matching algorithm as metric to measure the distance between malicious instances. We have evaluated our algorithm on real-world dataset and compared with other approach. The experiments demonstrate that our method achieves higher accuracy.

Yingxu Lai,Zhenghui Liu

DOI: https://doi.org/10.1016/j.proeng.2011.08.718

2011-01-01

Procedia Engineering

Abstract:Analyzed Bayesian classifier with string, n-gram and API as features, we found that it is very difficult to improve Bayesian classifier detection accuracy because selected features are not completely independent. In order to solve this problem, we propose a new improved choose features method which are most representative properties, and show that our method achieve high detection rates, even on completely new, previously unseen malicious executables.

wu fan,lu jixiang,cao wenjing

DOI: https://doi.org/10.3969/j.issn.1000-1220.2018.01.030

2018-01-01

Abstract:Nowadays,there are so many malicious programs. Each of detection technology generate a lot of behavioral information. In recent years,scholars began to use data mining technology to detect malicious programs. But there are some deficiencies,such as: For one thing,the classifier needs to deal with a wide variety of data and For another thing,the same algorithm could not give full use to detect the different characteristics of malicious applications. According to the above limitations,this paper proposed hybrid algorithm based on multi features. Firstly,it uses the dynamic-static combination technology to collect the function call and system call feature.Then it uses the chi square statistical to process the huge characteristic data. Finally,it uses 49 families of 1100 malicious programs and1000 normal procedures for the experimental detection. The results show that the performance of the method is better than other related work at the time of execution efficiency and detection rate.

Yan Jia,Nie Chujiang,Su Purui

DOI: https://doi.org/10.11999/jeit191059

2020-01-01

Abstract:Machine learning is widely used in malicious code detection and plays an important role in malicious code detection products. Constructing adversarial samples for malicious code detection machine learning models is the key to discovering defects in malicious code detection models, evaluating and improving malicious code detection systems. This paper proposes a method for generating malicious code adversarial samples based on genetic algorithms. The generated samples combat effectively the malicious code detection model based on machine learning, while ensuring the consistency of the executable and malicious behavior of malicious code samples, and improving effectively the authenticity of the generated adversarial samples and the accuracy of the model adversarial evaluation are presented. The experiments show that the proposed method of generating adversarial samples reduces the detection accuracy of the MalConv malicious code detection model by 14.65%, and can directly interfere with four commercial machine-based malicious code detection engines in VirusTotal. Among them, the accuracy rate of Cylance detection is only 53.55%.

Mengsong Song Zou,Lan-sheng Han,Qi-wen Liu,Ming Liu

DOI: https://doi.org/10.1109/YCICT.2009.5382354

2009-01-01

Abstract:As more polymorphic malicious codes coming into being, traditional anti-virus methods can not satisfy the current need. In order to achieve some specific functions, malicious codes must have some behaviors which are different from that of the normal programs. Focus on the difference between normal programs and the malicious codes the paper applies Support Vector Machine (SVM) and creates a space of virus API feature vector and a hyper-plane to divide the API space into two parts: malicious codes and normal program. Moreover, behaviors of different kinds of malicious codes are collected and 1-v-1 Multi-class SVM is introduced to detect those behaviors. Furthermore the paper constructs the application structure and selects large amount of test executable samples. Through statistics, analysis and calculation on those samples, the results verify our method. ©2009 IEEE.

Wenwu Li,Chao Li,Miyi Duan

DOI: https://doi.org/10.1109/ccis.2014.7175735

2014-01-01

Abstract:Authors of obfuscated malicious code generally use the code obfuscation counter technology to improve the difficulty of being reversely analyzed for programming and hide critical code, data and program logic. The detection for malicious code of code obfuscation has become one of the popular topics being researched both domestically and abroad. In this study, a method for detecting the obfuscated malicious code with behavior connection is proposed. In this method, malicious acts are described based on the extended control flow graph to improve the descriptive power of self-modifying and obfuscated code. Furthermore, interference from malicious code brought by shell adding and obfuscation is eliminated by combining the method of stain diffusion and symbolic execution. Then malicious codes are extracted and detected based on behavior connection feature. As a result, accuracy of detecting the obfuscated malicious code is enhanced.