Wei Deng,Qiao Liu,Hongrong Cheng,Zhiguang Qin

2011-01-01

Journal of Computational Information Systems

Abstract:Malware has been posing a major threat for computer systems. The huge amount and diversity of its variants, such as computer viruses, Internet worms and Trojan horses, render classic security defenses ineffective. For the existence of active adversaries which constantly attempt to evade anti-malware, traditional signature-based approaches fail to detect malware which is new or obfuscated. This paper presents a general malware detection framework based on Kolmogorov complexity. As an example, we use a statistical data compression model which is Dynamic Markov Compression (DMC) to classify a code instance either as a "malware" or "benign" code instance. Our preliminary results are very promising. Our experimental results also demonstrate the framework can effectively detect unknown and obfuscated malware with high quality. © 2005 by Binary Information Press.

Qianfeng Chu,Gongshen Liu,Xinyu Zhu

DOI: https://doi.org/10.1049/cje.2019.11.005

IF: 1.019

2020-01-01

Chinese Journal of Electronics

Abstract:The malicious code brings a serious security threat. Researchers have found that many new types of malicious code are variants of the existing one.The homology classification of the unknown malicious code can find its corresponding family in which all the code share inherent similarities from the database, so that the defenders can make rapid response and processing.We use the algorithm of malicious code visualization to translate the homology classification problem into the image classification problem. A convolution neural network for malicious code image is constructed. We train it to complete the malicious code homology classification on two different datasets. The results show that our work outperforms most of existing work with the accuracy of 98.60%.

Bo Yun Zhang,Xi Ai Yan,De Quan Tang

DOI: https://doi.org/10.1088/1742-6596/1087/6/062026

2018-09-01

Journal of Physics: Conference Series

Abstract:This paper describes the research status and progress of malicious code intelligent detection techniques. It introduced the research background of the malicious code detection. Then the classified and analyzed research work from the theoretical research on malicious code detection, malicious code static detection and dynamic detection, integrated detection and based on biological immune detection techniques are described in detail. The contrastive analysis of different detection methods principle and further study on the future directions are discussed.

Sun Haoliang,Wang Dawei,Zhang Ying

DOI: https://doi.org/10.1109/iccsn.2019.8905286

2019-01-01

Abstract:Nowadays, a major challenge to network security is malicious codes. However, manual extraction of features is one of the characteristics of traditional detection techniques, which is inefficient. On the other hand, the features of the content and behavior of the malicious codes are easy to change, resulting in more inefficiency of the traditional techniques. In this paper, a K-Means Clustering Analysis is proposed based on Adaptive Weights (AW-MMKM). Identifying malicious codes in the proposed method is based on four types of network behavior that can be extracted from network traffic, including active, fault, network scanning, and page behaviors. The experimental results indicate that the AW-MMKM can detect malicious codes efficiently with higher accuracy.

Hong-Shen YANG,Zong-Qu ZHAO,Jun-Feng WANG

DOI: https://doi.org/10.3969/j.issn.0490-6756.2013.06.012

2013-01-01

Abstract:The intermediate code is a special style of software representation which locates between the machine language and the high level programming language ,and it can take advantage of understandable semantic information and actual execution condition for malware analysis .The malicious behavior infor-mation and characteristics can be easily found from the semantic information of intermediate code ,and malware detection or classification can be realized by analyzing the whole or local information of control flow graph .Machine learning facilitates security information and rules mining in a large number of com-plex software representations ,which is deemed as a kind of advanced malware detection method in recent malware research .This paper categorizes and analyzes the malware research technologies according to the semantic information and control flow structure of software intermediate code ,and makes deep anal-ysis to intermediate code processing and application methods based on machine learning .

Zhimin Yin,Xiangzhan Yu,Linhua Niu

DOI: https://doi.org/10.2991/icaise.2013.45

2013-01-01

Abstract:The malicious code on the network is increasingly rampant that the traditional detection method of characteristic code has been difficult to deal with malicious code, with features of various variants, deformations and other problems. In this paper we present a new static analysis model based on software fingerprint to distinguish malicious codes. Through obtaining the software call graph by disassembling the binary file and mapping it as an image, shape moments can be obtained as the software fingerprint based on the retrieval theory of content image, combined with moment theory and the image's color, texture and shape features. The idea of pattern matching is used to measure the extracted software fingerprint similarity to determine whether it is malicious code or not. Then, we analyze the collected program samples. Test and verify whether the program has good performance in uniqueness, invariability and sensibility.

Wang, Runzheng

DOI: https://doi.org/10.1007/s10207-023-00699-7

2023-05-15

International Journal of Information Security

Abstract:At present, the trend of familiarization of malicious code is becoming more and more obvious, and the research on the homology of malware (the classification of malicious code family) is of great significance for maintaining network security. In order to better express the overall characteristics of malicious code and improve the effect of detection and homology analysis, this paper proposes a method for detection and homology analysis of malware based on heterogeneous graphs of assembly instructions (AIHGAT). We take the assembly instructions of malicious families as the research object and analyze the importance and correlation of assembly instructions of different malicious families. The malware detection and homology analysis are carried out in three aspects: feature extraction, feature preprocessing, and model construction. In the feature extraction of malicious code, in order to alleviate the problem that it is difficult to extract static features of malicious samples that contain countermeasures such as packing and obfuscation, we obtain binary files from dynamic memory through sandbox and then, analyze its assembly instruction set. In feature preprocessing, we divide the assembly instructions into N-tuples and construct a heterogeneous graph based on assembly instructions according to the internal correlation of the gene sequence composed of the assembly N-grams features. Finally, in terms of model construction, we analyze the homology determination effect of the traditional graph neural network and construct the Graph Attention Network based on residual connection named ResGAT to analyze the homology of malicious code. The experimental results show that the ResGAT can gather the core characteristics of malicious families and enhance the ability to recognize malicious family variants. Our model has an accuracy rate of 98.83%, which is better than traditional machine learning detection methods, and can effectively determine the homology of malicious code families.

computer science, information systems, theory & methods, software engineering

Yanchen Qiao,Xiaochun Yun,Yongzheng Zhang

DOI: https://doi.org/10.1109/TrustCom.2016.0158

2016-01-01

Abstract:APT (Advanced Persistent Threat) attacks are developing rapidly and become severe threats nowadays. In this paper, homologous malware mean that they are developed and programmed by the same author or organization. To identify the homology of malware adopted by different APT attacks is conducive to constructing attack scenario, tracking attackers and even defending against new APT attacks. Currently, homology identification still relies on manual analysis and security experts' experience in the anti-malware industry. It is persuasive, but inefficient and time-consuming. In order to improve the effectiveness and efficiency, an automatic malware homology identification method is proposed in this paper. Six types of API (Application Programming Interface) call behaviors are defined according to programming habits, and extracted from the binary samples by static analysis. Based on the API call behaviors, the homologous degree of different malware is calculated using Jaccard similarity coefficient. Then the homology is identified by comparing the homologous degree with a threshold. Experimental evaluations on real-world samples show that this method achieves high accuracy rate and acceptable recall rate.

Xin-yu ZHU,Qian-feng CHU,Gong-shen LIU

DOI: https://doi.org/10.3969/j.issn.1002-0802.2017.08.031

2017-01-01

Abstract:In recent years, the packing technology develop rapidly, and this gives malicious code a new way to escape the detection. The continuous development of packing technology brings a great challenge to the detection of malicious code. How to achieve malicious code shelling and restore the original content of the program now becomes one of the important areas of computer security research. Based on analysis of the shelling principle, and from two aspects of static and dynamic, the current malicious code shelling technology is summarized, and the principles, features and limits of various detecting methods also expounded. Meanwhile, different kinds of shelling tools are sorted out and described. Finally, the development trend of shelling technology is forecasted.

Meng Li,Xiaoqi Jia,Rui Wang,Dongdai Lin

DOI: https://doi.org/10.3969/j.issn.1000-386x.2015.08.063

2015-01-01

Abstract:In malicious code analysis and detection, the static analysis techniques are not effective to detect metamorphic/polymorphic ma-licious codes.Aiming at this problem, this paper proposes an approach for extracting the dynamic features of malicious code semantics.The method extracts the dynamic features of malicious codes in virtual environment so as to achieve the purpose of protecting physical machine. The primitive features extracted are then further sifted and processed to obtain API calling sequence information in regard to various code sam-ples.In order to make the features more effective, the traditional n-gram model is improved and the n-gram frequency information and the de-pendencies between APIs are added, the improved n-gram model is built as well.The analysis part in experimental result uses the machine learning methods, the decision trees, k-nearest neighbour, support vector machine and Bayesian networks are employed separately to perform a 10-fold crossover validation on the selected sample features.Experimental results show that this feature selection has best detection effect using decision tree J48, it can effectively detect the malicious codes using confusion and polymorphism technologies.

WU Bing,YUN Xiao-chun,GAO Qi

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.11.014

2007-01-01

Abstract:Following the analysis for traditional distributed IDS,disadvantages that applying structure of multiple engine and small rules set to detect network-level malcode were pointed out,which is based on detailed protocol decoding.Detection model and anti-malcode markup language of network-level malcode were designed for single engine and big rules set.The characteristics of network data flow were analyzed.By optimization of patterns,frequent collisions between suffix with data flow and unbalanced branched of chained list were avoided.The efficiency by using WM algorithm to detect malcode on network level can be remarkably increased.

Sungjoong Kim,Seongkyu Yeom,Haengrok Oh,Dongil Shin,Dongkyoo Shin

DOI: https://doi.org/10.3390/sym13010035

2020-12-28

Symmetry

Abstract:The development of information and communication technology (ICT) is making daily life more convenient by allowing access to information at anytime and anywhere and by improving the efficiency of organizations. Unfortunately, malicious code is also proliferating and becoming increasingly complex and sophisticated. In fact, even novices can now easily create it using hacking tools, which is causing it to increase and spread exponentially. It has become difficult for humans to respond to such a surge. As a result, many studies have pursued methods to automatically analyze and classify malicious code. There are currently two methods for analyzing it: a dynamic analysis method that executes the program directly and confirms the execution result, and a static analysis method that analyzes the program without executing it. This paper proposes a static analysis automation technique for malicious code that uses machine learning. This classification system was designed by combining a method for classifying malicious code using a portable executable (PE) structure and a method for classifying it using a PE structure. The system has 98.77% accuracy when classifying normal and malicious files. The proposed system can be used to classify various types of malware from PE files to shell code.

Fathi H. Amsaad,Junjie Zhang,M. Pk,Al Amin Hossain

DOI: https://doi.org/10.1109/NAECON61878.2024.10670668

2024-07-15

Abstract:The rapid evolution of cyber threats raises the inevitability of the advancement of innovative and effective approaches in cybersecurity. There are numerous cyber threats; among these threats, malicious code, including viruses, worms, and sophisticated malware, poses significant risks to digital systems. The existing threat detection methods often rely on signature-based techniques and need help to keep pace with the dynamic and evolving characteristics of malware. Large language models (LLMs) such as GPT-4, renowned for their ability to perform natural language processing, offer a promising alternative for enhancing malicious code detection. This research paper proposes a novel approach using large language models (LLMs) to detect unwanted malicious code in Java source code, leveraging the Mixtral architecture. The Mixtral model is trained on a diverse dataset of benign and malicious Java code, enabling it to learn complex patterns and characteristics of malicious code. Experimental results validate the efficiency of the proposed in identifying malicious code, outperforming existing static analysis tools.

Computer Science

Jianguo Ding,Jian Jin,Pascal Bouvry,Yongtao Hu,Haibing Guan

DOI: https://doi.org/10.1109/ICIMP.2009.20

2009-01-01

Abstract:With the rising popularity of the Internet, the resulting increase in the number of available vulnerable machines, and the elevated sophistication of the malicious code itself, the detection and prevention of unknown malicious codes meet great challenges. Traditional anti-virus scanner employs static features to detect malicious executable codes and is hard to detect the unknown malicious codes effectively. We propose behavior-based dynamic heuristic analysis approach for proactive detection of unknown malicious codes. The behavior of malicious codes is identified by system calling through virtual emulation and the changes in system resources. A statistical detection model and mixture of expert (MoE) model are designed to analyze the behavior of malicious codes. The experiment results demonstrate the behavior-based proactive detection is efficient in detecting unknown malicious executable codes.

Yan-chen QIAO,Xiao-chun YUN,Yong-zheng ZHANG,Shu-hao LI

DOI: https://doi.org/10.3969/j.issn.0372-2112.2016.10.019

2016-01-01

Abstract:Malware homology identification is useful for malware authorship attribution,attack scenario restoration, and so on.Current malware homology identification methods still rely on manual analysis,which is inefficient and time-con-suming.In order to improve the effectiveness and efficiency,an automatic malware homology identification method is pro-posed.Based on 7-class calling behaviors,this method constructs a model of calling habits using data mining algorithms. Then it calculates the degree of homology based on Frequent Pattern Outlier Factor.Finally,it chooses the threshold values using k-means clustering algorithm to identify homology.The experimental evaluations on real-world malwares show our method achieves high accuracy (over 99%)and acceptable recall rate.

Jia Zhang,Yuntao Guan,Xiaoxin Jiang,Hai-Xin Duan,Jianping Wu

DOI: https://doi.org/10.1109/waim.2008.44

2008-01-01

Abstract:With the development of malicious code technology, the number of malicious code has continued to increase. So it is imperative to optimize the traditional manual analysis method by automatic malicious code analysis system. This paper presents AMCAS--an automatic malicious code analysis system. It includes malicious code static analyzer, dynamic analyzer and network behavior analyzer. Compared with some existing automatic analysis systems, this system integrates the advantages of static and dynamic analysis, and imports network behavior analysis. Static analyzer can get the unpacked binary code and CallGraph; dynamic analyzer can get the host behavior of malicious code and network behavior analyzer can get the malicious network behavior profile. Experiment shows that this system can get malicious code information efficiently.

Wei Li,Chenyi Zhang,Jieying Zhou,Dan Wang,Nuannuan Li

DOI: https://doi.org/10.1088/1742-6596/2010/1/012165

2021-09-01

Journal of Physics: Conference Series

Abstract:Abstract In recent years, malicious code emerges in endlessly. New types of malicious code evade the traditional malicious code detection technology through polymorphism, shelling, confusion and other ways. In order to solve the challenges brought by various technologies to the research of malicious code detection, in this paper, we propose a malicious code detection method based on static features and ensemble learning. This method extracts the information in the PE header file of malicious code samples as static features, and on this basis, builds a malicious code detection model by using stacking ensemble learning. In order to verify the effectiveness of the model, experiments are carried out on a dataset containing 5000 malicious codes and 4943 benign codes. Experiments show that the classification model based on stacking ensemble learning is the best, with 97.22% precision rate and 96.45% stable F1 score.

Wenwu Li,Chao Li,Miyi Duan

DOI: https://doi.org/10.1109/ccis.2014.7175735

2014-01-01

Abstract:Authors of obfuscated malicious code generally use the code obfuscation counter technology to improve the difficulty of being reversely analyzed for programming and hide critical code, data and program logic. The detection for malicious code of code obfuscation has become one of the popular topics being researched both domestically and abroad. In this study, a method for detecting the obfuscated malicious code with behavior connection is proposed. In this method, malicious acts are described based on the extended control flow graph to improve the descriptive power of self-modifying and obfuscated code. Furthermore, interference from malicious code brought by shell adding and obfuscation is eliminated by combining the method of stain diffusion and symbolic execution. Then malicious codes are extracted and detected based on behavior connection feature. As a result, accuracy of detecting the obfuscated malicious code is enhanced.

Zhenyu Zhang,Wujun Zhang,Jianfeng Wang,Xiaofeng Chen

DOI: https://doi.org/10.1007/978-3-642-55032-4_71

2014-01-01

Abstract:With the rapid development of cloud computing technique, network security has attracted more and more attention. Of all the network threats, malicious code is the major one. Due to the surge of number and species diversity of the malicious code, it is intractable for the existing antivirus techniques to defense all of the attacks. In this paper, we construct an effective cloud-based active defense system against malicious code. The constructed system utilizes the honey-pot subsystem to collect threaten data, and multiple behavior analysis engines work in parallel to generate a comprehensive program behavior analysis report. Furthermore, there are intelligent algorithms running on several computing servers to achieve automatic intelligent analysis on the reports. Associated with the multiple scan engines form a comprehensive, reinforced and more intelligent active defense system.

Jun Yang,Xuyan Song,Yu Xiong,Yu Meng

DOI: https://doi.org/10.1007/978-3-319-93554-6_94

2018-06-08

Abstract:AbstractHomology detection technology plays a very important role in the copyright protection of computer software. Homology detection technology mainly includes text based technology token, based technology and abstract syntax tree based technology. This paper introduces a method of defect detection based on homology detection technology for open source software. This detection method will collect the code fragments with vulnerabilities and the source code in open source software to compare, through three levels of comparison, to find because of plagiarism code introduced by the vulnerability fragment. After that, the vulnerability fragment is compared with the trigger condition of the vulnerability, and the judgment result is obtained. Finally, the superiority of this technique is verified by experiments.