Rakshit Agrawal,Jack W. Stokes,Mady Marinescu,Karthik Selvaraj

DOI: https://doi.org/10.48550/arXiv.1806.10741

2018-06-28

Abstract:Malicious software, or malware, presents a continuously evolving challenge in computer security. These embedded snippets of code in the form of malicious files or hidden within legitimate files cause a major risk to systems with their ability to run malicious command sequences. Malware authors even use polymorphism to reorder these commands and create several malicious variations. However, if executed in a secure environment, one can perform early malware detection on emulated command sequences. The models presented in this paper leverage this sequential data derived via emulation in order to perform Neural Malware Detection. These models target the core of the malicious operation by learning the presence and pattern of co-occurrence of malicious event actions from within these sequences. Our models can capture entire event sequences and be trained directly using the known target labels. These end-to-end learning models are powered by two commonly used structures - Long Short-Term Memory (LSTM) Networks and Convolutional Neural Networks (CNNs). Previously proposed sequential malware classification models process no more than 200 events. Attackers can evade detection by delaying any malicious activity beyond the beginning of the file. We present specialized models that can handle extremely long sequences while successfully performing malware detection in an efficient way. We present an implementation of the Convoluted Partitioning of Long Sequences approach in order to tackle this vulnerability and operate on long sequences. We present our results on a large dataset consisting of 634,249 file sequences, with extremely long file sequences.

Artificial Intelligence,Cryptography and Security,Machine Learning

Bona Xuan,Jin Li,Yafei Song

DOI: https://doi.org/10.1016/j.cose.2024.103734

IF: 5.105

2024-01-28

Computers & Security

Abstract:This paper proposes a bi-directional temporal convolutional networks transfer learning atrous spatial pyramid pooling EfficientNet (BiTCN-TAEfficientNet) malware classification approach based on multi-feature fusion. This approach utilizes the assembly data and API sequences of malware as features. It enhances the classification accuracy of the algorithm by introducing bi-directional temporal convolutional networks to mine bi-directional timing features. In addition, an RGB image-based malware feature representation method is proposed. The method focuses on the similarity relationship between malware variants and raw binary, Opcode operands, and API calls to create images with rich textures representing deeper dependent features. Using the atrous spatial pyramid pooling to enhance the transfer learning-based EfficientNet model to resolve the data loss and redundancy issue caused by image size normalization, thus improving its accuracy. The proposed algorithm refines the above two algorithms by utilizing a fusion classifier and a quantum particle swarm optimization algorithm to optimize BiTCN-TAEfficientNet. This approach not only addresses sequences susceptible to confusion interference but circumvents the adverse effects of adversarial techniques by visualizing methods to show the similarity of malicious families. The results show that the classification accuracy of this method for Kaggle and DataCon datasets reaches 99.461% and 97.92%, which are 0.38% and 0.87% higher than other methods, respectively.

computer science, information systems

Weina Niu,Jie Zhou,Yibin Zhao,Xiaosong Zhang,Yujie Peng,Cheng Huang

DOI: https://doi.org/10.1016/j.cose.2022.102809

IF: 5.105

2022-01-01

Computers & Security

Abstract:Traditional malware detection methods based on static traffic characteristics and machine learning are hard to cope with the increasing number of APT malware variants. In order to alleviate this problem, this paper proposes a deep-learning-based malware classification approach that combines time sequence features and association rules features. This method uses the improved LSTM neural network structure named RESNET_LSTM and PARALLEL_LSTM to extract time sequence features of different protocol traffic. It also utilizes association analysis to generate quantitative rule features. Finally, we connect the time sequence feature vector and the quantization rule vector as input to deep learning models to detect malware traffic. We evaluated our proposed approach on a dataset consisting of malicious traffic generated by 57 types of malware and normal traffic. The experimental results demonstrate that the loss decline rate of PARALLEL_LSTM structure during the training phase is faster than that of the LSTM and RESNET_LSTM structures. When the RESNET_LSTM structure is used, the prediction accuracy is close to 100%, which is slightly higher than the other two structures. The accuracy of the detection methods proposed in this paper are all above 96%, while the accuracy of malware detection methods combined with static traffic characteristics and machine learning is about 85%.

Ye Yao,Yian Zhu,Yao Jia,Xianchen Shi,Lixiang Zhang,Dong Zhong,Junhua Duan

DOI: https://doi.org/10.3390/math12010020

IF: 2.4

2023-12-22

Mathematics

Abstract:With the development of the Internet, the types and quantities of malware have grown rapidly, and how to identify unknown malware is becoming a new challenge. The traditional malware detection method based on fixed features is becoming more and more difficult. In order to improve detection accuracy and efficiency for mobile terminals, this paper proposed a malware detection method for mobile terminals based on application programming interface (API) call sequence, which was characterized by the API call sequence and used a series of feature preprocessing techniques to remove redundant processing of the API call sequence. Finally, the recurrent neural network method (RNN) was used to build the model and perform detection and verification. Furthermore, this paper constructed a malware detection model based on a two-way recurrent neural network and used the two-way long short-term memory network model (LSTM) to train the data set containing 5986 malware samples and 5065 benign software samples to obtain the final detection model and its parameters. Finally, the feature vector of the APK file to be detected was passed into the model and obtained the detection results. The experimental results indicated that the detection accuracy of this method can reach 93.68%.

mathematics

Ruitao Feng,Jing Qiang Lim,Sen Chen,Shang-Wei Lin,Yang Liu

DOI: https://doi.org/10.48550/arXiv.2011.05218

2020-11-11

Abstract:With the proliferation of Android malware, the demand for an effective and efficient malware detection system is on the rise. The existing device-end learning based solutions tend to extract limited syntax features (e.g., permissions and API calls) to meet a certain time constraint of mobile devices. However, syntax features lack the semantics which can represent the potential malicious behaviors and further result in more robust model with high accuracy for malware detection. In this paper, we propose an efficient Android malware detection system, named SeqMobile, which adopts behavior-based sequence features and leverages customized deep neural networks on mobile devices instead of the server. Different from the traditional sequence-based approaches on server, to meet the performance demand, SeqMobile accepts three effective performance optimization methods to reduce the time cost. To evaluate the effectiveness and efficiency of our system, we conduct experiments from the following aspects 1) the detection accuracy of different recurrent neural networks; 2) the feature extraction performance on different mobile devices, 3) the detection accuracy and prediction time cost of different sequence lengths. The results unveil that SeqMobile can effectively detect malware with high accuracy. Moreover, our performance optimization methods have proven to improve the performance of training and prediction by at least twofold. Additionally, to discover the potential performance optimization from the SOTA TensorFlow model optimization toolkit for our approach, we also provide an evaluation on the toolkit, which can serve as a guidance for other systems leveraging on sequence-based learning approach. Overall, we conclude that our sequence-based approach, together with our performance optimization methods, enable us to detect malware under the performance demands of mobile devices.

Cryptography and Security,Software Engineering

Hong Huang,Rui Du,Zhaolian Wang,Xin Li,Guotao Yuan

DOI: https://doi.org/10.3390/s23167084

IF: 3.9

2023-08-11

Sensors

Abstract:To address the challenges of weak model generalization and limited model capacity adaptation in traditional malware detection methods, this article presents a novel malware detection approach based on stacked depthwise separable convolutions and self-attention, termed CoAtNet. This method combines the strengths of the self-attention module's robust model adaptation and the convolutional networks' powerful generalization abilities. The initial step involves transforming the malicious code into grayscale images. These images are subsequently processed using a detection model that employs stacked depthwise separable convolutions and an attention mechanism. This model effectively recognizes and classifies the images, automatically extracting essential features from malicious software images. The effectiveness of the method was validated through comparative experiments using both the Malimg dataset and the augmented Blended+ dataset. The approach's performance was evaluated against popular models, including XceptionNet, EfficientNetB0, ResNet50, VGG16, DenseNet169, and InceptionResNetV2. The experimental results highlight that the model surpasses other malware detection models in terms of accuracy and generalization ability. In conclusion, the proposed method addresses the limitations of traditional malware detection approaches by leveraging stacked depthwise separable convolutions and self-attention. Comprehensive experiments demonstrate its superior performance compared to existing models. This research contributes to advancing the field of malware detection and provides a promising solution for enhanced accuracy and robustness.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Ahmed Bensaoud,Jugal Kalita

DOI: https://doi.org/10.1016/j.knosys.2024.111543

2024-05-04

Abstract:In this paper, we propose a novel model for a malware classification system based on Application Programming Interface (API) calls and opcodes, to improve classification accuracy. This system uses a novel design of combined Convolutional Neural Network and Long Short-Term Memory. We extract opcode sequences and API Calls from Windows malware samples for classification. We transform these features into N-grams (N = 2, 3, and 10)-gram sequences. Our experiments on a dataset of 9,749,57 samples produce high accuracy of 99.91% using the 8-gram sequences. Our method significantly improves the malware classification performance when using a wide range of recent deep learning architectures, leading to state-of-the-art performance. In particular, we experiment with ConvNeXt-T, ConvNeXt-S, RegNetY-4GF, RegNetY-8GF, RegNetY-12GF, EfficientNetV2, Sequencer2D-L, Swin-T, ViT-G/14, ViT-Ti, ViT-S, VIT-B, VIT-L, and MaxViT-B. Among these architectures, Swin-T and Sequencer2D-L architectures achieved high accuracies of 99.82% and 99.70%, respectively, comparable to our CNN-LSTM architecture although not surpassing it.

Cryptography and Security,Artificial Intelligence,Machine Learning

Wanyu Li,Hailiang Tang,Hailin Zhu,Wenxiao Zhang,Chen Liu

DOI: https://doi.org/10.1016/j.cose.2024.103752

IF: 5.105

2024-02-14

Computers & Security

Abstract:The cyber ecosystem is facing severe threats from malware attacks, making it imperative to detect malware to safeguard a purified Internet environment. However, current studies primarily concentrate on examining the time-based correlation between APIs for malware detection while neglecting the contextual associations derived from API categories, resulting in inadequate detection performance. In this paper, we present TS-Mal, a novel Mal ware detection model incorporated T emporal and S tructural features learning. Particularly, TS-Mal first designs a temporal vector learning method to automatically capture the evolving representation from the non-repetitive API sequences, which can efficiently pursue the attack preferences of malware. Then TS-Mal introduces heterogeneous graphs to model the interactive relationships between APIs and presents a dense-interactive structural embedding approach to generate the fine-grained API structural representation, which is capable of utilizing API category interaction information to boost detection effectiveness. Finally, TS-Mal simultaneously integrates temporal and structural attack features to accurately identify the unknown malware, effectively defending against new malware attacks. Experimental results on real-world datasets demonstrate that our proposed TS-Mal model outperforms existing state-of-the-art methods.

computer science, information systems

Jinpei Yan,Yong Qi,Qifan Rao

DOI: https://doi.org/10.1155/2018/7247095

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Malware detection plays a crucial role in computer security. Recent researches mainly use machine learning based methods heavily relying on domain knowledge for manually extracting malicious features. In this paper, we propose MalNet, a novel malware detection method that learns features automatically from the raw data. Concretely, we first generate a grayscale image from malware file, meanwhile extracting its opcode sequences with the decompilation tool IDA. Then MalNet uses CNN and LSTM networks to learn from grayscale image and opcode sequence, respectively, and takes a stacking ensemble for malware classification. We perform experiments on more than 40,000 samples including 20,650 benign files collected from online software providers and 21,736 malwares provided by Microsoft. The evaluation result shows that MalNet achieves 99.88% validation accuracy for malware detection. In addition, we also take malware family classification experiment on 9 malware families to compare MalNet with other related works, in which MalNet outperforms most of related works with 99.36% detection accuracy and achieves a considerable speed-up on detecting efficiency comparing with two state-of-the-art results on Microsoft malware dataset.

Jinting Zhu,Julian Jang-Jaccard,Amardeep Singh,Paul A. Watters,Seyit Camtepe

DOI: https://doi.org/10.3390/fi15060214

2023-06-15

Abstract:Malware authors apply different techniques of control flow obfuscation, in order to create new malware variants to avoid detection. Existing Siamese neural network (SNN)-based malware detection methods fail to correctly classify different malware families when such obfuscated malware samples are present in the training dataset, resulting in high false-positive rates. To address this issue, we propose a novel task-aware few-shot-learning-based Siamese Neural Network that is resilient against the presence of malware variants affected by such control flow obfuscation techniques. Using the average entropy features of each malware family as inputs, in addition to the image features, our model generates the parameters for the feature layers, to more accurately adjust the feature embedding for different malware families, each of which has obfuscated malware variants. In addition, our proposed method can classify malware classes, even if there are only one or a few training samples available. Our model utilizes few-shot learning with the extracted features of a pre-trained network (e.g., VGG-16), to avoid the bias typically associated with a model trained with a limited number of training samples. Our proposed approach is highly effective in recognizing unique malware signatures, thus correctly classifying malware samples that belong to the same malware family, even in the presence of obfuscated malware variants. Our experimental results, validated by N-way on N-shot learning, show that our model is highly effective in classification accuracy, exceeding a rate \textgreater 91\%, compared to other similar methods.

Cryptography and Security,Artificial Intelligence

Xingyuan Wei,Ce Li,Qiujian Lv,Ning Li,Degang Sun,Yan Wang

2024-08-03

Abstract:In dynamic Windows malware detection, deep learning models are extensively deployed to analyze API sequences. Methods based on API sequences play a crucial role in malware prevention. However, due to the continuous updates of APIs and the changes in API sequence calls leading to the constant evolution of malware variants, the detection capability of API sequence-based malware detection models significantly diminishes over time. We observe that the API sequences of malware samples before and after evolution usually have similar malicious semantics. Specifically, compared to the original samples, evolved malware samples often use the API sequences of the pre-evolution samples to achieve similar malicious behaviors. For instance, they access similar sensitive system resources and extend new malicious functions based on the original functionalities. In this paper, we propose a frame(MME), a framework that can enhance existing API sequence-based malware detectors and mitigate the adverse effects of malware evolution. To help detection models capture the similar semantics of these post-evolution API sequences, our framework represents API sequences using API knowledge graphs and system resource encodings and applies contrastive learning to enhance the model's encoder. Results indicate that, compared to Regular Text-CNN, our framework can significantly reduce the false positive rate by 13.10% and improve the F1-Score by 8.47% on five years of data, achieving the best experimental results. Additionally, evaluations show that our framework can save on the human costs required for model maintenance. We only need 1% of the budget per month to reduce the false positive rate by 11.16% and improve the F1-Score by 6.44%.

Cryptography and Security

Weiwei Hu,Ying Tan

DOI: https://doi.org/10.48550/arXiv.1705.08131

IF: 5.414

2017-05-23

Machine Learning

Abstract:Recent researches have shown that machine learning based malware detection algorithms are very vulnerable under the attacks of adversarial examples. These works mainly focused on the detection algorithms which use features with fixed dimension, while some researchers have begun to use recurrent neural networks (RNN) to detect malware based on sequential API features. This paper proposes a novel algorithm to generate sequential adversarial examples, which are used to attack a RNN based malware detection system. It is usually hard for malicious attackers to know the exact structures and weights of the victim RNN. A substitute RNN is trained to approximate the victim RNN. Then we propose a generative RNN to output sequential adversarial examples from the original sequential malware inputs. Experimental results showed that RNN based malware detection algorithms fail to detect most of the generated malicious adversarial examples, which means the proposed model is able to effectively bypass the detection algorithms.

Aidong Xu,Lin Chen,Xiaoyun Kuang,Huahui Lv,Hang Yang,Yixin Jiang,Bo Li

DOI: https://doi.org/10.1109/bigdatasecurity-hpsc-ids49724.2020.00021

2020-01-01

Abstract:In recent years, malicious programs seriously threaten the security of information system. Because of its particularity, complexity and vulnerability, power information system is difficult to detect and kill by traditional anti-virus software. To solve the above problems, this paper proposes a malicious behavior detection method based on deep learning, which can identify malicious programs and attack types according to the activities of malicious programs and malicious software behaviors. In this paper, a hybrid deep learning structure based on convolutional neural network (CNN) and long-and-short term memory (LSTM) network is proposed. The call sequence of API is combined with other statistical features. The vector information obtained is input into LSTM unit through convolution, and the classification results are obtained through the above model. Compared with the existing methods, this method significantly improves the preparation rate and execution efficiency.

Zeliang Kan,Haoyu Wang,Guoai Xu,Yao Guo,Xiangqun Chen

DOI: https://doi.org/10.1109/COMPSAC.2018.00092

2018-01-01

Abstract:The explosive amount of malware continues threating the security of operating systems and networks. Traditional malware detection approaches fail to meet the requirements of detecting polymorphic and new samples. Existing neural network based detection approaches performs better, but consuming much more time in both feature extraction and training. In this paper, we propose a light-weight PC malware detection system which is based on deep convolutional neural network (CNN). The raw inputs of our system are sequences of grouped instructions, which were generated by our Instruction Analyzer in according to different functionalities of the instructions. The network will automatically learn features of malware from the grouped instruction sequences. The experiment results suggest that in a large dataset which contains roughly 70,000 samples, our detection system can achieve an overall accuracy of 95\%. The training time of our system with single convolutional layer was only about 10 hours, which is one order of magnitude less than traditional methods.

Susu Cui,Cong Dong,Meng Shen,Yuling Liu,Bo Jiang,Zhigang Lu

DOI: https://doi.org/10.1109/tifs.2023.3300521

IF: 7.231

2023-08-22

IEEE Transactions on Information Forensics and Security

Abstract:Machine learning and neural networks have become increasingly popular solutions for encrypted malware traffic detection. They mine and learn complex traffic patterns, enabling detection by fitting boundaries between malware traffic and benign traffic. Compared with signature-based methods, they have higher scalability and flexibility. However, affected by the frequent variants and updates of malware, current methods suffer from a high false positive rate and do not work well for unknown malware traffic detection. It remains a critical task to achieve effective malware traffic detection. In this paper, we introduce CBSeq to address the above problems. CBSeq is a method that constructs a stable traffic representation, behavior sequence, to characterize attacking intent and achieve malware traffic detection. We novelly propose the channels with similar behavior as the detection object and extract side-channel content to construct behavior sequence. Unlike benign activities, the behavior sequences of malware and its variant's traffic exhibit solid internal correlations. Moreover, we design the MSFormer, a powerful Transformer-based multi-sequence fusion classifier. It captures the internal similarity of behavior sequence, thereby distinguishing malware traffic from benign traffic. Our evaluations demonstrate that CBSeq performs effectively in various known malware traffic detection and exhibits superior performance in unknown malware traffic detection, outperforming state-of-the-art methods.

computer science, theory & methods,engineering, electrical & electronic

Jeyaprakash Hemalatha,Subbiah Geetha,Seifedine Kadry,Robertas Damaševičius,S. Roseline

DOI: https://doi.org/10.3390/e23030344

IF: 2.738

2021-03-15

Entropy

Abstract:Recently, there has been a huge rise in malware growth, which creates a significant security threat to organizations and individuals. Despite the incessant efforts of cybersecurity research to defend against malware threats, malware developers discover new ways to evade these defense techniques. Traditional static and dynamic analysis methods are ineffective in identifying new malware and pose high overhead in terms of memory and time. Typical machine learning approaches that train a classifier based on handcrafted features are also not sufficiently potent against these evasive techniques and require more efforts due to feature-engineering. Recent malware detectors indicate performance degradation due to class imbalance in malware datasets. To resolve these challenges, this work adopts a visualization-based method, where malware binaries are depicted as two-dimensional images and classified by a deep learning model. We propose an efficient malware detection system based on deep learning. The system uses a reweighted class-balanced loss function in the final classification layer of the DenseNet model to achieve significant performance improvements in classifying malware by handling imbalanced data issues. Comprehensive experiments performed on four benchmark malware datasets show that the proposed approach can detect new malware samples with higher accuracy (98.23% for the Malimg dataset, 98.46% for the BIG 2015 dataset, 98.21% for the MaleVis dataset, and 89.48% for the unseen Malicia dataset) and reduced false-positive rates when compared with conventional malware mitigation techniques while maintaining low computational time. The proposed malware detection solution is also reliable and effective against obfuscation attacks.

physics, multidisciplinary

Thakur, Preeti

DOI: https://doi.org/10.1007/s11277-024-11366-y

IF: 2.017

2024-06-27

Wireless Personal Communications

Abstract:Malware analysis is essential for detecting and mitigating the effects of malicious software. This study introduces a novel hybrid approach using a combination of long short-term memory (LSTM) and convolutional neural networks (CNN) to enhance malware analysis. The proposed work uses a malware classification method combining image processing and machine learning. Malware binaries are converted into grayscale images and analyzed with CNN-LSTM networks. Dynamic features are extracted, ranked, and reduced via Principal Component Analysis (PCA). Various classifiers are used, with final classification by a voting scheme, providing a robust solution for accurate malware family classification. Our approach processes binary code inputs, with the LSTM capturing temporal dependencies and the CNN performing parallel feature extraction. PCA is employed for prominent feature selection, reducing computational time. The proposed approach was evaluated on a public malware dataset and captured through network traffic, demonstrating state-of-the-art performance in identifying various malware families. It significantly reduces the resources required for manual analysis and improves system security. Our approach achieved high precision, recall, accuracy, and F1 score, outperforming existing methods. Future research directions include improving feature extraction techniques and developing real-time detection models that offer a powerful malware detection and analysis tool with promising results and potential for further advancements.

telecommunications

Chaopeng Li,Jinlin Wang,Xiaozhou Ye

DOI: https://doi.org/10.14704/nq.2018.16.5.1391

2018-01-01

NeuroQuantology

Abstract:In the studies of intrusion detection/prevention systems (IDS/IPS) and network security situational awareness, malicious traffic detection has been given significantly more attention to prevent malicious traffic. Meanwhile, with the development of machine learning technology, an increasing number of algorithms and models have been employed for attack detection. Previous studies generally used common and typical machine learning models such as SVM, KNN, or a random forest. However, the bottleneck of these types of approaches is two-fold. The input of the model is constructed using the feature engineering method of artificially designed representation, which requires a substantial amounts expertise. Additionally, most detection methods ignore the temporal information between network packets in one micro-flow. In this paper, we regard malicious traffic detection as a classification task and propose a hybrid model that combines a recurrent neural network (RNN) with restricted Boltzmann machines (RBM) which take byte-level raw data as input without feature engineering. Specifically, distributed embedding is utilized to pre-process network data to make it more suitable for deep neural network models. Subsequently, an RBM model is used to extract the feature vectors of the network packets and an RNN model is used to extract the flow feature vector. Finally, the flow vectors are sent to the Softmax layer to obtain the detection result. Experiments based on the ISCX-2012 and DARPA-1998 published datasets show that our proposed RNN-RBM model has a greater detection accuracy, recall rate, and lower false alarm rate than most traditional machine learning models. This proves the effectiveness of the proposed RNN-RBM model in malicious traffic detection.

Sifan Wu,Xi Xiao

2019-01-01

Abstract:The explosive amount of Android malware have threatened the security of legitimate users. In Recent years, with the development of the neural network, more and more research is focusing on detecting malware based on the neural network. Where, most of these techniques are depending on the complex feature engineering process and have a resource and time expensive classification neural network. In this paper, we propose a novel lightweight convolution neural network model, ConvDroid, with the system call sequences as features. Different from the existing n-gram models utilizing system call sequences, we construct a two-layer convolution neural network to learn the global information of sequences instead of limited windows. Furthermore, we assess ConvDroid for accuracy, efficiency using a dataset consisting of 3567 malicious applications and 3536 benign ones. Our experiments show that ConvDroid achieves an accuracy of more than 98% with a low time cost. We further demonstrate ConvDroid’s superiority against state-of-the-art approaches.