Junan Zhang,Kaifeng Huang,Yiheng Huang,Bihuan Chen,Ruisi Wang,Chong Wang,Xin Peng

DOI: https://doi.org/10.1145/3705304

IF: 3.685

2024-01-01

ACM Transactions on Software Engineering and Methodology

Abstract:Open-source software (OSS) supply chain enlarges the attack surface of a software system, which makes package registries attractive targets for attacks. Recently, multiple package registries have received intensified attacks with malicious packages. Of those package registries, NPM and PyPI are two of the most severe victims. Existing malicious package detectors are developed with features from a list of packages of the same ecosystem and deployed within the same ecosystem exclusively, which is infeasible to utilize the knowledge of a new malicious NPM package detected recently to detect the new malicious package in PyPI. Moreover, existing detectors lack support to model malicious behavior of OSS packages in a sequential way To address the two limitations, we propose a single detection model using malicious behavior sequence, named Cerebro, to detect malicious packages in NPM and PyPI. We curate a feature set based on a high-level abstraction of malicious behavior to enable multi-lingual knowledge fusing. We organize extracted features into a behavior sequence to model sequential malicious behavior. We fine-tune the pre-trained language model to understand the semantics of malicious behavior. Extensive evaluation has demonstrated the effectiveness of Cerebro over the state-of-the-art as well as the practically acceptable efficiency. Cerebro has detected 683 and 799 new malicious packages in PyPI and NPM, and received 707 thank letters from the official PyPI and NPM teams.

Piergiorgio Ladisa,Serena Elisa Ponta,Nicola Ronzoni,Matias Martinez,Olivier Barais

DOI: https://doi.org/10.1145/3627106.3627138

2023-10-14

Abstract:Current software supply chains heavily rely on open-source packages hosted in public repositories. Given the popularity of ecosystems like npm and PyPI, malicious users started to spread malware by publishing open-source packages containing malicious code. Recent works apply machine learning techniques to detect malicious packages in the npm ecosystem. However, the scarcity of samples poses a challenge to the application of machine learning techniques in other ecosystems. Despite the differences between JavaScript and Python, the open-source software supply chain attacks targeting such languages show noticeable similarities (e.g., use of installation scripts, obfuscated strings, URLs). In this paper, we present a novel approach that involves a set of language-independent features and the training of models capable of detecting malicious packages in npm and PyPI by capturing their commonalities. This methodology allows us to train models on a diverse dataset encompassing multiple languages, thereby overcoming the challenge of limited sample availability. We evaluate the models both in a controlled experiment (where labels of data are known) and in the wild by scanning newly uploaded packages for both npm and PyPI for 10 days. We find that our approach successfully detects malicious packages for both npm and PyPI. Over an analysis of 31,292 packages, we reported 58 previously unknown malicious packages (38 for npm and 20 for PyPI), which were consequently removed from the respective repositories.

Cryptography and Security,Software Engineering

Haya Samaana,Diego Elias Costa,Emad Shihab,Ahmad Abdellatif

2024-12-07

Abstract:Background. In modern software development, the use of external libraries and packages is increasingly prevalent, streamlining the software development process and enabling developers to deploy feature-rich systems with little coding. While this reliance on reusing code offers substantial benefits, it also introduces serious risks for deployed software in the form of malicious packages - harmful and vulnerable code disguised as useful libraries. Aims. Popular ecosystems, such PyPI, receive thousands of new package contributions every week, and distinguishing safe contributions from harmful ones presents a significant challenge. There is a dire need for reliable methods to detect and address the presence of malicious packages in these environments. Method. To address these challenges, we propose a data-driven approach that uses machine learning and static analysis to examine the package's metadata, code, files, and textual characteristics to identify malicious packages. Results. In evaluations conducted within the PyPI ecosystem, we achieved an F1-measure of 0.94 for identifying malicious packages using a stacking ensemble classifier. Conclusions. This tool can be seamlessly integrated into package vetting pipelines and has the capability to flag entire packages, not just malicious function calls. This enhancement strengthens security measures and reduces the manual workload for developers and registry maintainers, thereby contributing to the overall integrity of the ecosystem.

Software Engineering

S. Halder,M. Bewong,A. Mahboubi,Y. Jiang,R. Islam,Z. Islam,R. Ip,E. Ahmed,G. Ramachandran,A. Babar

DOI: https://doi.org/10.48550/arXiv.2402.07444

2024-02-12

Cryptography and Security

Abstract:Protecting software supply chains from malicious packages is paramount in the evolving landscape of software development. Attacks on the software supply chain involve attackers injecting harmful software into commonly used packages or libraries in a software repository. For instance, JavaScript uses Node Package Manager (NPM), and Python uses Python Package Index (PyPi) as their respective package repositories. In the past, NPM has had vulnerabilities such as the event-stream incident, where a malicious package was introduced into a popular NPM package, potentially impacting a wide range of projects. As the integration of third-party packages becomes increasingly ubiquitous in modern software development, accelerating the creation and deployment of applications, the need for a robust detection mechanism has become critical. On the other hand, due to the sheer volume of new packages being released daily, the task of identifying malicious packages presents a significant challenge. To address this issue, in this paper, we introduce a metadata-based malicious package detection model, MeMPtec. This model extracts a set of features from package metadata information. These extracted features are classified as either easy-to-manipulate (ETM) or difficult-to-manipulate (DTM) features based on monotonicity and restricted control properties. By utilising these metadata features, not only do we improve the effectiveness of detecting malicious packages, but also we demonstrate its resistance to adversarial attacks in comparison with existing state-of-the-art. Our experiments indicate a significant reduction in both false positives (up to 97.56%) and false negatives (up to 91.86%).

Yiheng Huang,Ruisi Wang,Wen Zheng,Zhuotong Zhou,Susheng Wu,Shulin Ke,Bihuan Chen,Shan Gao,Xin Peng

DOI: https://doi.org/10.1145/3691620.3695492

2024-01-01

Abstract:Open source software (OSS) supply chains have been attractive targets for attacks. One of the significant, popular attacks is realized by malicious packages on package registries. NPM, as the largest package registry, has been recently flooded with malicious packages. In response to this severe security risk, many detection tools have been proposed. However, these tools do not model malicious behavior in a holistic way; only consider a predefined set of sensitive APIs; and require huge manual confirmation effort due to high false positives and binary detection results. Thus, their practical usefulness is hindered. To address these limitations, we propose a practical tool, named SpiderScan, to identify malicious NPM packages based on graph-based behavior modeling and matching. In the offline phase, given a set of malicious packages, SpiderScan models each malicious behavior in a graph that considers control flows and data dependencies across sensitive API calls, while leveraging LLM to recognize sensitive APIs in both built-in modules and third-party dependencies. In the online phase, given a target package, SpiderScan constructs its suspicious behavior graphs and matches them with malicious behavior graphs, and uses dynamic analysis and LLM to confirm the maliciousness only for certain malicious behaviors. Our extensive evaluation has demonstrated the effectiveness of SpiderScan over the state-of-the-art. SpiderScan has detected 249 new malicious packages in NPM, and received 70 thank letters from the official team of NPM.

Ningke Li,Shenao Wang,Mingxi Feng,Kailong Wang,Meizhen Wang,Haoyu Wang

DOI: https://doi.org/10.1109/ase56229.2023.00073

2024-01-01

Abstract:In the face of increased threats within software registries and management systems, we address the critical need for effective malicious code detection. In this paper, we propose an innovative approach that integrates source code slicing, inter-procedural analysis, and cross-file inter-procedural analysis, thereby enhancing the detection precision and reducing false positives. This approach has been encapsulated within a multi-analysis-based framework for automatic detection of malicious code in real-world software packages. In its application to major third-party software registries like PyPI and NPM, our framework has proven effective, identifying 130 malicious packages from a total of 169,640 monitored over a continuous period of five weeks. This work advances the current state-of-the-art solution to malicious code detection, demonstrating significant practical impact in strengthening the software supply chain defense.

Wenbo Guo,Chengwei Liu,Limin Wang,Jiahui Wu,Zhengzi Xu,Cheng Huang,Yong Fang,Yang Liu

2024-09-27

Abstract:The rise of malicious packages in public registries poses a significant threat to software supply chain (SSC) security. Although academia and industry employ methods like software composition analysis (SCA) to address this issue, existing approaches often lack timely and comprehensive intelligence updates. This paper introduces PackageIntel, a novel platform that revolutionizes the collection, processing, and retrieval of malicious package intelligence. By utilizing exhaustive search techniques, snowball sampling from diverse sources, and large language models (LLMs) with specialized prompts, PackageIntel ensures enhanced coverage, timeliness, and accuracy. We have developed a comprehensive database containing 20,692 malicious NPM and PyPI packages sourced from 21 distinct intelligence repositories. Empirical evaluations demonstrate that PackageIntel achieves a precision of 98.6% and an F1 score of 92.0 in intelligence extraction. Additionally, it detects threats on average 70% earlier than leading databases like Snyk and OSV, and operates cost-effectively at $0.094 per intelligence piece. The platform has successfully identified and reported over 1,000 malicious packages in downstream package manager mirror registries. This research provides a robust, efficient, and timely solution for identifying and mitigating threats within the software supply chain ecosystem.

Software Engineering

Nige Li,Ziang Lu,Yuanyuan Ma,Yanjiao Chen,Jiahan Dong

DOI: https://doi.org/10.3390/electronics13061092

IF: 2.9

2024-03-16

Electronics

Abstract:To address the issue of low accuracy in detecting malicious program behaviors in new power system edge-side applications, we present a detection model based on API call sequences that combines rule matching and deep learning techniques in this paper. We first use the PrefixSpan algorithm to mine frequent API call sequences in different threads of the same program within a malicious program dataset to create a rule base for malicious behavior sequences. The API call sequences to be examined are then matched using the malicious behavior sequence matching model, and those that do not match are fed into the TextCNN deep learning detection model for additional detection. The two models collaborate to accomplish program behavior detection. Experimental results demonstrate that the proposed detection model can effectively identify malicious samples and discern malicious program behaviors.

engineering, electrical & electronic,computer science, information systems,physics, applied

Cheng Huang,Nannan Wang,Ziyan Wang,Siqi Sun,Lingzi Li,Junren Chen,Qianchong Zhao,Jiaxuan Han,Zhen Yang,Lei Shi

DOI: https://doi.org/10.48550/arXiv.2403.08334

2024-03-13

Abstract:With the growing popularity of modularity in software development comes the rise of package managers and language ecosystems. Among them, npm stands out as the most extensive package manager, hosting more than 2 million third-party open-source packages that greatly simplify the process of building code. However, this openness also brings security risks, as evidenced by numerous package poisoning incidents. In this paper, we synchronize a local package cache containing more than 3.4 million packages in near real-time to give us access to more package code details. Further, we perform manual inspection and API call sequence analysis on packages collected from public datasets and security reports to build a hierarchical classification framework and behavioral knowledge base covering different sensitive behaviors. In addition, we propose the DONAPI, an automatic malicious npm packages detector that combines static and dynamic analysis. It makes preliminary judgments on the degree of maliciousness of packages by code reconstruction techniques and static analysis, extracts dynamic API call sequences to confirm and identify obfuscated content that static analysis can not handle alone, and finally tags malicious software packages based on the constructed behavior knowledge base. To date, we have identified and manually confirmed 325 malicious samples and discovered 2 unusual API calls and 246 API call sequences that have not appeared in known samples.

Cryptography and Security

Susu Cui,Cong Dong,Meng Shen,Yuling Liu,Bo Jiang,Zhigang Lu

DOI: https://doi.org/10.1109/tifs.2023.3300521

IF: 7.231

2023-08-22

IEEE Transactions on Information Forensics and Security

Abstract:Machine learning and neural networks have become increasingly popular solutions for encrypted malware traffic detection. They mine and learn complex traffic patterns, enabling detection by fitting boundaries between malware traffic and benign traffic. Compared with signature-based methods, they have higher scalability and flexibility. However, affected by the frequent variants and updates of malware, current methods suffer from a high false positive rate and do not work well for unknown malware traffic detection. It remains a critical task to achieve effective malware traffic detection. In this paper, we introduce CBSeq to address the above problems. CBSeq is a method that constructs a stable traffic representation, behavior sequence, to characterize attacking intent and achieve malware traffic detection. We novelly propose the channels with similar behavior as the detection object and extract side-channel content to construct behavior sequence. Unlike benign activities, the behavior sequences of malware and its variant's traffic exhibit solid internal correlations. Moreover, we design the MSFormer, a powerful Transformer-based multi-sequence fusion classifier. It captures the internal similarity of behavior sequence, thereby distinguishing malware traffic from benign traffic. Our evaluations demonstrate that CBSeq performs effectively in various known malware traffic detection and exhibits superior performance in unknown malware traffic detection, outperforming state-of-the-art methods.

computer science, theory & methods,engineering, electrical & electronic

Aidong Xu,Lin Chen,Xiaoyun Kuang,Huahui Lv,Hang Yang,Yixin Jiang,Bo Li

DOI: https://doi.org/10.1109/bigdatasecurity-hpsc-ids49724.2020.00021

2020-01-01

Abstract:In recent years, malicious programs seriously threaten the security of information system. Because of its particularity, complexity and vulnerability, power information system is difficult to detect and kill by traditional anti-virus software. To solve the above problems, this paper proposes a malicious behavior detection method based on deep learning, which can identify malicious programs and attack types according to the activities of malicious programs and malicious software behaviors. In this paper, a hybrid deep learning structure based on convolutional neural network (CNN) and long-and-short term memory (LSTM) network is proposed. The call sequence of API is combined with other statistical features. The vector information obtained is input into LSTM unit through convolution, and the classification results are obtained through the above model. Compared with the existing methods, this method significantly improves the preparation rate and execution efficiency.

Ruitong Liu,Yanbin Wang,Haitao Xu,Zhan Qin,Yiwei Liu,Zheng Cao

2023-11-21

Abstract:The widespread use of the Internet has revolutionized information retrieval methods. However, this transformation has also given rise to a significant cybersecurity challenge: the rapid proliferation of malicious URLs, which serve as entry points for a wide range of cyber threats. In this study, we present an efficient pre-training model-based framework for malicious URL detection. Leveraging the subword and character-aware pre-trained model, CharBERT, as our foundation, we further develop three key modules: hierarchical feature extraction, layer-aware attention, and spatial pyramid pooling. The hierarchical feature extraction module follows the pyramid feature learning principle, extracting multi-level URL embeddings from the different Transformer layers of CharBERT. Subsequently, the layer-aware attention module autonomously learns connections among features at various hierarchical levels and allocates varying weight coefficients to each level of features. Finally, the spatial pyramid pooling module performs multiscale downsampling on the weighted multi-level feature pyramid, achieving the capture of local features as well as the aggregation of global features. The proposed method has been extensively validated on multiple public datasets, demonstrating a significant improvement over prior works, with the maximum accuracy gap reaching 8.43% compared to the previous state-of-the-art method. Additionally, we have assessed the model's generalization and robustness in scenarios such as cross-dataset evaluation and adversarial attacks. Finally, we conducted real-world case studies on the active phishing URLs.

Cryptography and Security

Rakshit Agrawal,Jack W. Stokes,Mady Marinescu,Karthik Selvaraj

DOI: https://doi.org/10.48550/arXiv.1806.10741

2018-06-28

Abstract:Malicious software, or malware, presents a continuously evolving challenge in computer security. These embedded snippets of code in the form of malicious files or hidden within legitimate files cause a major risk to systems with their ability to run malicious command sequences. Malware authors even use polymorphism to reorder these commands and create several malicious variations. However, if executed in a secure environment, one can perform early malware detection on emulated command sequences. The models presented in this paper leverage this sequential data derived via emulation in order to perform Neural Malware Detection. These models target the core of the malicious operation by learning the presence and pattern of co-occurrence of malicious event actions from within these sequences. Our models can capture entire event sequences and be trained directly using the known target labels. These end-to-end learning models are powered by two commonly used structures - Long Short-Term Memory (LSTM) Networks and Convolutional Neural Networks (CNNs). Previously proposed sequential malware classification models process no more than 200 events. Attackers can evade detection by delaying any malicious activity beyond the beginning of the file. We present specialized models that can handle extremely long sequences while successfully performing malware detection in an efficient way. We present an implementation of the Convoluted Partitioning of Long Sequences approach in order to tackle this vulnerability and operate on long sequences. We present our results on a large dataset consisting of 634,249 file sequences, with extremely long file sequences.

Artificial Intelligence,Cryptography and Security,Machine Learning

Chao Jing,Chaoyuan Cui,Yun Wu

DOI: https://doi.org/10.1109/tifs.2024.3407655

IF: 7.231

2024-06-14

IEEE Transactions on Information Forensics and Security

Abstract:API call sequence-based approaches are proven to have significant superiority in malware detection but generally overlook or evade two core issues: ( ) ignoring parameters and return values that contain more fine-grained security semantic sensitive information (SSSI) and ( ) handling lengthy API call sequences roughly, causing the poor interpretability and incompleteness of program behavior semantics. To effectively overcome these issues, we propose SIa-CBc, a sensitive intent-assisted and crucial behavior-cognized malware detection method leveraging human brain cognitive theory, which consists of two key modules. ( ) SIa divides the vast and heterogeneous SSSI space into a few categories, meanwhile representing the sensitive intents to assist API calls. ( ) CBc extracts crucial snippets from lengthy API call sequences via judgment and multi-step reasoning and further obtains their representations. The embedding representations from the previous two modules are concatenated as the input of ten representative baseline networks. Our experimental results indicate that SIa-CBc achieves an enhancement in malware detection accuracy ranging from 14.08% to 28.01%, reduces the average detection time per sample by 0.28 to 16.29 ms, and improves the defense against adversarial sample attacks by 4.86% to 55.04%. Moreover, SIa-CBc demonstrates outstanding performance compared to recent methods, not only limited to detection but also encompassing enhanced resilience to intricate adversarial tactics, thereby ensuring reliable protection without the need for frequent re-training. This underscores the model's innovative approach in leveraging human brain cognitive theory-based techniques for heightened security efficacy.

computer science, theory & methods,engineering, electrical & electronic

Adriana Sejfia,Max Schäfer

DOI: https://doi.org/10.48550/arXiv.2202.13953

2022-02-28

Cryptography and Security

Abstract:The npm registry is one of the pillars of the JavaScript and TypeScript ecosystems, hosting over 1.7 million packages ranging from simple utility libraries to complex frameworks and entire applications. Due to the overwhelming popularity of npm, it has become a prime target for malicious actors, who publish new packages or compromise existing packages to introduce malware that tampers with or exfiltrates sensitive data from users who install either these packages or any package that (transitively) depends on them. Defending against such attacks is essential to maintaining the integrity of the software supply chain, but the sheer volume of package updates makes comprehensive manual review infeasible. We present Amalfi, a machine-learning based approach for automatically detecting potentially malicious packages comprised of three complementary techniques. We start with classifiers trained on known examples of malicious and benign packages. If a package is flagged as malicious by a classifier, we then check whether it includes metadata about its source repository, and if so whether the package can be reproduced from its source code. Packages that are reproducible from source are not usually malicious, so this step allows us to weed out false positives. Finally, we also employ a simple textual clone-detection technique to identify copies of malicious packages that may have been missed by the classifiers, reducing the number of false negatives. Amalfi improves on the state of the art in that it is lightweight, requiring only a few seconds per package to extract features and run the classifiers, and gives good results in practice: running it on 96287 package versions published over the course of one week, we were able to identify 95 previously unknown malware samples, with a manageable number of false positives.

Vineet Kumar Chauhan,Awadhesh Kumar

DOI: https://doi.org/10.1016/j.eswa.2024.125507

IF: 8.5

2024-10-27

Expert Systems with Applications

Abstract:Malware is one of the most popular cyber-attacks, and it is becoming more common on the network every day. In contrast to benign transmission, which typically exhibits symmetrical patterns, malware communication often shows asymmetrical behaviours, making detection a complex challenge. Fortunately, malware can be distinguished and identified for actual activities utilizing a variety of artificial intelligence methods. However, insufficient work has been allocated to the problem of handling high-dimensional and huge data. This paper proposes a novel deep learning-based approach to identify malicious Uniform Resource Locators (URLs) specifically designed to handle the challenges posed by large-scale and complex data. Initially, input data is sourced from a comprehensive Kaggle dataset, which includes diverse and large-scale URL samples. The URLs are then transformed into vector representations using a Vector Embedding Module, which employs a character-level word embedding technique to capture intricate patterns within the URLs. To further refine the data, the Chaotic Kookaburra Efficient-Bo Network (CKEBO-Net) is applied to extract the most significant features from these vectors, effectively reducing the dimensionality and computational burden. Subsequently, the Cascaded Capsule Twin Attentional Dilated Convolutional Network (C 2 TA_DiCN) model is introduced to classify and identify malicious URLs with high precision. This model leverages the unique strengths of capsule networks and attentional mechanisms, enhancing its capability to capture subtle dependencies within the data. Furthermore, the Lyrebird Meta-heuristic Optimization (LMO) algorithm is used to fine-tune the model parameters appropriately, ensuring that the training process is efficient and robust. The proposed approach is implemented using Python and rigorously evaluated on the Kaggle dataset. Simulation results demonstrate that the proposed method significantly outperforms existing models, achieving a malicious URL detection accuracy of 99.7%.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Kai Lei,Qiuai Fu,Jiake Ni,Feiyang Wang,Min Yang,Kuai Xu

DOI: https://doi.org/10.1109/ICDCS.2019.00066

2019-01-01

Abstract:The last decade has witnessed the explosive growth of malicious Internet domains which serve as the fundamental infrastructure for establishing advanced persistent threat command and control communication channels or hosting phishing Web sites. Given the big data nature of Internet traffic data and the ability of algorithmically generating domains and acquiring and registering the domains in a near-automated fashion, detecting malicious domains in real-time is a daunting task for security analysts and network operators. In this paper, we introduce bipartite graphs to capture the interactions between end hosts and domains, identify associated IP addresses of domains, and characterize time-series patterns of DNS queries for domains, and explore one-mode projections of these bipartite graphs for modeling the behavioral, IP-structural, and temporal similarities between domains. We employ graph embedding technique to automatically learn dynamic and discriminative feature representations for over 10,000 labeled domains, and develop an SVM-based classification algorithm for predicting malicious or benign domains. Our model makes the progress towards adapting to the changing and evolving strategies of malicious domains. The experimental results have shown that our proposed algorithm achieves an area under the curve (AUC) of 0.94 based on k-fold cross-validation. To the best of our knowledge, this is the first effort to apply the combination of behavioral modeling and graph embedding for effectively and accurately detecting malicious domains.

Anmin Zhou,Tianyi Huang,Cheng Huang,Dunhan Li,Chuangchuang Song

DOI: https://doi.org/10.3233/jifs-211557

2022-02-02

Abstract:Python is a concise language which can be used to build lightweight tools or dynamic object-orientated applications. The various attributes of Python have made it attractive to numerous malware authors. Attackers often embed malicious shell commands into Python scripts for illegal operations. However, traditional static analysis methods are not feasible to detect this kind of attack because they focus on common features and failure in finding those malicious commands. On the other hand, dynamic analysis is not optimal in this case for its time-consuming and inefficient. In this paper, we propose PyComm, a model for detecting malicious commands in Python scripts with multidimensional features based on machine learning, which considers both 12 statistical features and string sequences of Python source code. Meanwhile, three comparison experiments are designed to evaluate the validity of proposed method. Experimental results show that presented model has achieved an excellent performance based on those practical features and random forest (RF) algorithm, obtained an accuracy of 0.955 with a recall of 0.943.

Swapnil Singh,Deepa Krishnan,Vidhi Vazirani,Vinayakumar Ravi,Suliman A. Alsuhibany

DOI: https://doi.org/10.1016/j.eij.2024.100539

IF: 4.195

2024-09-15

Egyptian Informatics Journal

Abstract:Malware attacks have escalated significantly with an increase in the number of internet users and connected devices. With the increasingly different types of malware released by hackers, designing new and competitive techniques to detect advanced malware is essential. In the proposed research, we have developed a multi-level feature extraction technique using deep learning architectures and a classification model to classify malware families. The essential features from the malware images are extracted using the Gated Recurrent Unit in the first step, which are further fed to a Convolutional Neural Network model for extracting the final feature vector. The multi-level feature selection is followed by classification into various malware families using Cost-sensitive Boot Strapped Weighted Random Forest (CSBW-RF). The proposed approach gave promising results of 99.58 % accuracy in distinguishing the 25 different malware families on the Mallmg dataset. This hybrid model gave significantly better performance scores for classifying visually similar malware families. The generalizability of the proposed model is benchmarked with the popular Microsoft Big 2015 dataset and has achieved comparatively higher performance scores than many existing models. This benchmarking demonstrates the robustness and scalability of our approach. The use of cost-sensitive learning and bootstrapping techniques also contributed to the model's ability to generalize well to new and unseen data. These enhancements ensure that our model can be effectively applied in diverse real-world scenarios, maintaining high performance across different environments and malware types. This research can contribute to detecting malware attacks and can be integrated in threat monitoring systems. The successful application of this hybrid model indicates its potential for deployment in real-world cybersecurity environments, providing a strong defense against evolving malware threats.

computer science, information systems, artificial intelligence

Renjie Lu

DOI: https://doi.org/10.48550/arXiv.1906.04632

2019-06-10

Abstract:Recently, with the booming development of software industry, more and more malware variants are designed to perform malicious behaviors. The evolution of malware makes it difficult to detect using traditional signature-based methods. Moreover, malware detection has important effect on system security. In this paper, we present SCGDet, which is a novel malware detection method based on system call graph model (SCGM). We first develop a system call pruning method, which can exclude system calls that have little impact on malware detection. Then we propose the SCGM, which can capture the semantic features of run-time program by grouping the system calls based on the reachability relation. We aim to obtain the generic representation of malicious behaviors with similar system call patterns. We evaluate the performance of SCGDet using different machine learning algorithms on the dataset including 854 malware samples and 740 benign samples. Compared with the traditional n-gram method, the SCGDet has the smaller feature space, the higher detection accuracy and the lower false positives. Experimental results show that SCGDet can reduce the average FPR of 14.75% and improve the average Accuracy of 8.887%, and can obtain a TPR of 97.44%, an FPR of 1.96% and an Accuracy of 97.78% in the best case.

Cryptography and Security