朱禹,沈海斌,周喜川

DOI: https://doi.org/10.3969/j.issn.1005-9490.2008.06.060

2008-01-01

Abstract:Comparing to the common anti-virus tools,we propose a new host-based approach for detecting unknown computer worms based on the measurement of computer behaviors,rather than recognizing specific instances of worms.We collected 323 features in order to reflect the computer behaviors and used a new feature selection method to reduce classified features.In the experiment,Bayesian Network theorem was applied on the several feature subsets to deduce the rule.We performed several experiments to evaluate the detection system,focusing on computer worms being injected in the computer while running several programs in order to simulate different background statuses.The average accuracy we achieved was above 80% for unknown worms sample and for known worms even above 99%.

Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

YF Chen,YB Dong,DM Lu,YH Pan,ZT Xiang

DOI: https://doi.org/10.1109/icnsc.2005.1461215

2005-01-01

Abstract:Worm detection system must detect worms efficiently and effectively. Current detection methods are mainly based on the property of low successful connections rate of worms. However, they may neglect worms if worms insert successful connections deliberately. Because the size in packets or bytes of normal TCP connections is heavy-tailed, we present a detection method by combining detection criteria of failed connections and heavy-tailed distribution of connection size for a given local host. It is more difficult for worms to evade. The method can decrease false negative and positive rates. The experiments show that our method can detect scanning worms with high efficiency and effectiveness.

向郑涛,陈宇峰,董亚波,鲁东明

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.05.037

2009-01-01

Abstract:The worm detection technologies are discussed. Anomaly detection will be a promising development because of the ability to detect unknown worms. For passive detection, the HoneyPot system designed deliberately with vulnerabilities is used to attract atta- ckers, collect attack information and process analysis. Active detection methods can process the mixed traffics of benign hosts and worm hosts, including the payload-based and behavior-based worm detection methods. The characters and applicability of each method are discussed. The viewpoint that more effective worm detection indices are needed for detection methods is proposed. Based on the diffe- rences of traffic self-similarity between benign hosts and worm hosts, the idea on how to select real-time detection indices is interpreted.

Yufeng Chen,Zhengtao Xiang,Yabo Dong,Dongming Lu

DOI: https://doi.org/10.1109/ical.2008.4636301

2008-01-01

Abstract:Worms not only infect vulnerable hosts, but also occupy a large amount of network bandwidth, which affects the normal operation of the network seriously. To achieve the worm detection and automatic quarantine in real time, a cooperation system of worm detection and quarantine is designed and implemented. The worm detection subsystem is implemented based on Bro and can detect worms in real time with our algorithm, which based on the failure probability of FCC and of heavy-tailed property. The worm quarantine subsystem can quarantine worm hosts automatically with ARP-spoofing. The cooperation between detection subsystem, quarantine subsystem and manager is achieved based on SNMP protocol. The system can be deployed easily with little effect on LAN. Experimental results show that the system can detect and quarantine worm hosts effectively.

WANG Wei,LU Dongming,DONG Yabo,CHEN Yufeng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.17.072

2006-01-01

Abstract:With the rapid development of computer technology,Internet applications are used more and more widely,computer networks are exposed to various threats,especially network worms.This paper introduces the definition and principle of network worms,and based on the mechanism of network worms,it proposes and implements a network worm detection system for Internal network,which is proved to be able to detect the network worm accurately.

Jinran Du,Huajun Chen,Weijie Zhong,Zhen Liu,Aidong Xu

DOI: https://doi.org/10.1109/icsai.2018.8599356

2018-01-01

Abstract:With the rapid spread of wireless networks and 4G networks, the application of mobile intelligent terminals has become more and more widespread. At the same time, there are more and more malicious software for mobile terminals, especially for the Android platform. Aiming at the detection problem of Android malicious code, a dynamic and static combined Android malicious code detection model based on SVM was proposed. Firstly, the dynamic and static features of Android program are extracted. Then, these features were vectored, used for the training and testing of SVM (Support vector machine). As shown in the experiments, the correct detection rate of Android malware is as high as 94.38%, recall rate achieving 98.46%, proved the effectiveness of the method.

Muhammad Shoaib Akhtar,Tao Feng

DOI: https://doi.org/10.3390/sym14112304

2022-11-04

Symmetry

Abstract:One of the most significant issues facing internet users nowadays is malware. Polymorphic malware is a new type of malicious software that is more adaptable than previous generations of viruses. Polymorphic malware constantly modifies its signature traits to avoid being identified by traditional signature-based malware detection models. To identify malicious threats or malware, we used a number of machine learning techniques. A high detection ratio indicated that the algorithm with the best accuracy was selected for usage in the system. As an advantage, the confusion matrix measured the number of false positives and false negatives, which provided additional information regarding how well the system worked. In particular, it was demonstrated that detecting harmful traffic on computer systems, and thereby improving the security of computer networks, was possible using the findings of malware analysis and detection with machine learning algorithms to compute the difference in correlation symmetry (Naive Byes, SVM, J48, RF, and with the proposed approach) integrals. The results showed that when compared with other classifiers, DT (99%), CNN (98.76%), and SVM (96.41%) performed well in terms of detection accuracy. DT, CNN, and SVM algorithms' performances detecting malware on a small FPR (DT = 2.01%, CNN = 3.97%, and SVM = 4.63%,) in a given dataset were compared. These results are significant, as malicious software is becoming increasingly common and complex.

Xu ZHENG,Jian YUAN

DOI: https://doi.org/10.3969/j.issn.1009-8054.2014.09.080

2014-01-01

Abstract:The methods of virtual machine detection are veried,but the remote virtual machine detection always lacks effective means. This paper describes an improved time-relied method based on virtual machine. Taking advantage of the connection between TCP timestamp and real time and by integrating the study of machine,this paper proposes a remote virtual detection based on SVM.

Sun Haoliang,Wang Dawei,Zhang Ying

DOI: https://doi.org/10.1109/iccsn.2019.8905286

2019-01-01

Abstract:Nowadays, a major challenge to network security is malicious codes. However, manual extraction of features is one of the characteristics of traditional detection techniques, which is inefficient. On the other hand, the features of the content and behavior of the malicious codes are easy to change, resulting in more inefficiency of the traditional techniques. In this paper, a K-Means Clustering Analysis is proposed based on Adaptive Weights (AW-MMKM). Identifying malicious codes in the proposed method is based on four types of network behavior that can be extracted from network traffic, including active, fault, network scanning, and page behaviors. The experimental results indicate that the AW-MMKM can detect malicious codes efficiently with higher accuracy.

WEN Shi-qiang,DUAN Hai-xin,WU Jian-ping

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.05.007

2005-01-01

Abstract:New internet worm including many attack measures, such as virus, trojan and DDDS, will cause network block even paralysis, when it breaks out. A detection algorithm is brought forward which can find abnormity in the forepart of worm eruption by detection on variable rate of network flux, and then network administrators and emergency response teams can gain more time to take measures before worm blocks the network. This algorithm is evaluatedby DARPA98 intrusion detection evaluation system and has applied to real flux data of worm (Blaster、Nachi、slammer) eruption.

БОГДАН САВЕНКО

DOI: https://doi.org/10.31891/2307-5732-2024-331-2

2024-02-29

Abstract:The work presents the results of research on worm viruses and methods of their detection. Malware distribution happens all the time. The analyzed modern tools and systems for prevention, detection and countermeasures against malicious software and computer attacks are quite effective, provide a high percentage of detection and function at an adequate level. But criminals constantly study the capabilities of such tools and systems, improve malicious software and computer attacks, and achieve certain results. Therefore, developers of tools and systems for prevention, detection and countermeasures against malicious software and computer attacks must constantly improve them. The protection of corporate networks is relevant. They can be effectively configured to increase computing resources when solving the tasks of warning, detecting and countering malicious software and computer attacks to protect corporate networks. Therefore, the article defines as an urgent scientific task - the development of methods to improve the efficiency of the functioning of distributed systems with partial centralization for detection of malicious software and computer attacks in computer networks and detection of malicious software with their use due to the synthesis of their architecture in such a way that the principles of functioning of such systems make it difficult for criminals to understand them. The work considers a set of worm viruses, which covers network features as much as possible. Therefore, to study the effectiveness of methods of creating distributed systems and the systems themselves based on them, worm viruses were considered. The purpose of the work is to develop a method for detecting worm viruses in corporate networks. The work developed a method of detecting worm viruses using their division into classes based on common features and defined criteria according to the classification of objects according to many classes and taking into account its implementation in the architecture of partially centralized distributed systems to obtain a complete sensor and make a decision regarding the classification of worms virus to a certain class. This improved the reliability of detection by 8-11% compared to using the method without directly involving the elements and components of the system. As a result of setting up experiments and conducting them, results were obtained that confirm the correct functioning of a partially centralized distributed system for the detection of worm viruses.

Ahmed Alghamdi

DOI: https://doi.org/10.52783/cana.v31.1476

2024-09-02

Abstract:The growing sophistication of malware in exisiting environment poses tough demands on its detection methods of another kind. This paper introduces a framework for cyber security improvement, a means to solve strongly the probability issue of how to determine the behavior algorithmically in your system. This research is applied to malware detection systems based on methods (Support Vector Machines, Random Forest) and Neural Networks that are robust against deception. Statistical analysis of security threats and a review of current methods used for malware detection are given at its outset. The proposed framework, with its statistical framework analysis, looks for patterns and anomalies that indicate malice. It then integrates cryptographic techniques onto data transmission, computation processes; that the core of our system remains untouched by potential disturbances. The concept is further elaborated with open-source code from the field, Machine Learning (SVM, Random Forest, Neural Networks), As if with this variety of tools we can now detect and classify types of malware that generate irregular patterns but do not necessarily resemble known signatures at all. Such a hybrid security mechanism as described here, combining the best of statistics, cryptographic security, and machine learning, gives a precision of detection beyond compare to today's systems. The experiments show large gains in both detection accuracy and response speed, demonstrating this whole-element approach's potential to better safeguard cybersecurity in all manner of fields. It may be foreseen that this proposed line of research could well become a key new tool, capable of adaptation and expansion with the needs expanding around us.

Amir Moradibaad,Ramin Jalilian Mashhoud

DOI: https://doi.org/10.48550/arXiv.1812.03173

2018-12-13

Abstract:In the world today computer networks have a very important position and most of the urban and national infrastructure as well as organizations are managed by computer networks, therefore, the security of these systems against the planned attacks is of great importance. Therefore, researchers have been trying to find these vulnerabilities so that after identifying ways to penetrate the system, they will provide system protection through preventive or countermeasures. SVM is one of the major algorithms for intrusion detection. In this research, we studied a variety of malware and methods of intrusion detection, provide an efficient method for detecting attacks and utilizing dimension <a class="link-external link-http" href="http://reduction.Thus" rel="external noopener nofollow">this http URL</a>, we will be able to detect attacks by carefully combining these two algorithms and pre-processes that are performed before the two on the input data. The main question raised is how we can identify attacks on computer networks with the above-mentioned method. In anomalies diagnostic method, by identifying behavior as a normal behavior for the user, the host, or the whole system, any deviation from this behavior is considered as an abnormal behavior, which can be a potential occurrence of an attack. The network intrusion detection system is used by anomaly detection method that uses the SVM algorithm for classification and SVD to reduce the size. Steps of the proposed method include pre-processing of the data set, feature selection, support vector machine, and <a class="link-external link-http" href="http://evaluation.The" rel="external noopener nofollow">this http URL</a> NSL-KDD data set has been used to teach and test the proposed model. In this study, we inferred the intrusion detection using the SVM algorithm for classification and SVD for diminishing dimensions with no classification <a class="link-external link-http" href="http://algorithm.Also" rel="external noopener nofollow">this http URL</a> the KNN algorithm has been compared in situations with and without diminishing dimensions,the results have shown that the proposed method has a better performance than comparable methods.

Cryptography and Security,Machine Learning

Alan Nafiiev,Andrii Rodionov

DOI: https://doi.org/10.20535/tacs.2664-29132023.2.277959

2023-11-06

Theoretical and Applied Cybersecurity

Abstract:Cyber wars and cyber attacks are an urgent problem in the global digital environment. Based on existing popular detection methods, malware authors are creating ever more advanced and sophisticated malware. Therefore, this study aims to create a malware analysis system that uses both dynamic and static analysis. Our system is based on a machine learning method - support vector machine. The set of data used was collected from various Internet sources. It consists of 257 executable files in .exe format, 178 of which are malicious and 79 are benign. We use 5 different types of data representation: binary information, trace instructions, control flow graph, information obtained from the dynamic operation of the file, and file metadata. Then, using multiple kernel learning, we combine all data views and create one summative machine learning model.

Wei Wang,Peng-tao Zhang,Ying Tan,Xin-gui He

DOI: https://doi.org/10.1631/jzus.c1000445

2011-01-01

Journal of Zhejiang University SCIENCE C

Abstract:Along with the evolution of computer viruses, the number of file samples that need to be analyzed has constantly increased. An automatic and robust tool is needed to classify the file samples quickly and efficiently. Inspired by the human immune system, we developed a local concentration based virus detection method, which connects a certain number of two-element local concentration vectors as a feature vector. In contrast to the existing data mining techniques, the new method does not remember exact file content for virus detection, but uses a non-signature paradigm, such that it can detect some previously unknown viruses and overcome the techniques like obfuscation to bypass signatures. This model first extracts the viral tendency of each fragment and identifies a set of statical structural detectors, and then uses an information-theoretic preprocessing to remove redundancy in the detectors’ set to generate ‘self’ and ‘nonself’ detector libraries. Finally, ‘self’ and ‘nonself’ local concentrations are constructed by using the libraries, to form a vector with an array of two elements of local concentrations for detecting viruses efficiently. Several standard data mining classifiers, including K-nearest neighbor (KNN), radial basis function (RBF) neural networks, and support vector machine (SVM), are leveraged to classify the local concentration vector as the feature of a benign or malicious program and to verify the effectiveness and robustness of this approach. Experimental results show that the proposed approach not only has a much faster speed, but also gives around 98% of accuracy.

Che Jing,Zhang Ying

DOI: https://doi.org/10.3969/j.issn.1009-6833.2012.10.022

2012-01-01

Abstract:First,the conception of malicious behavior characteristics signatures from the database session behavior is defined.Then,the risk factor to describe the dangers of the malicious behavior of a short sequence is proposed.Last,the risk rand is introduced to divide the software into malicious software and normal software.And a prototype system is developed in MySQL.The experimental results show that the malicious behavior detection correct rate of about 82% with this method which has a high detection correct rate and a low false alarm rate and false negative rate.

Shahab Shamshirband,Anthony T. Chronopoulos

DOI: https://doi.org/10.48550/arXiv.1906.12198

2019-06-27

Cryptography and Security

Abstract:A vital element of a cyberspace infrastructure is cybersecurity. Many protocols proposed for security issues, which leads to anomalies that affect the related infrastructure of cyberspace. Machine learning (ML) methods used to mitigate anomalies behavior in mobile devices. This paper aims to apply a High Performance Extreme Learning Machine (HP-ELM) to detect possible anomalies in two malware datasets. Two widely used datasets (the CTU-13 and Malware) are used to test the effectiveness of HP-ELM. Extensive comparisons are carried out in order to validate the effectiveness of the HP-ELM learning method. The experiment results demonstrate that the HP-ELM was the highest accuracy of performance of 0.9592 for the top 3 features with one activation function.

Muhammad Shoaib Akhtar,Tao Feng

DOI: https://doi.org/10.3390/s23020946

IF: 3.9

2023-01-14

Sensors

Abstract:This research study mainly focused on the dynamic malware detection. Malware progressively changes, leading to the use of dynamic malware detection techniques in this research study. Each day brings a new influx of malicious software programmes that pose a threat to online safety by exploiting vulnerabilities in the Internet. The proliferation of harmful software has rendered manual heuristic examination of malware analysis ineffective. Automatic behaviour-based malware detection using machine learning algorithms is thus considered a game-changing innovation. Threats are automatically evaluated based on their behaviours in a simulated environment, and reports are created. These records are converted into sparse vector models for use in further machine learning efforts. Classifiers used to synthesise the results of this study included kNN, DT, RF, AdaBoost, SGD, extra trees and the Gaussian NB classifier. After reviewing the test and experimental data for all five classifiers, we found that the RF, SGD, extra trees and Gaussian NB Classifier all achieved a 100% accuracy in the test, as well as a perfect precision (1.00), a good recall (1.00), and a good f1-score (1.00). Therefore, it is reasonable to assume that the proof-of-concept employing autonomous behaviour-based malware analysis and machine learning methodologies might identify malware effectively and rapidly.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Abien Fred Agarap

DOI: https://doi.org/10.48550/arXiv.1801.00318

2019-02-07

Abstract:Effective and efficient mitigation of malware is a long-time endeavor in the information security community. The development of an anti-malware system that can counteract an unknown malware is a prolific activity that may benefit several sectors. We envision an intelligent anti-malware system that utilizes the power of deep learning (DL) models. Using such models would enable the detection of newly-released malware through mathematical generalization. That is, finding the relationship between a given malware $x$ and its corresponding malware family $y$, $f: x \mapsto y$. To accomplish this feat, we used the Malimg dataset (Nataraj et al., 2011) which consists of malware images that were processed from malware binaries, and then we trained the following DL models 1 to classify each malware family: CNN-SVM (Tang, 2013), GRU-SVM (Agarap, 2017), and MLP-SVM. Empirical evidence has shown that the GRU-SVM stands out among the DL models with a predictive accuracy of ~84.92%. This stands to reason for the mentioned model had the relatively most sophisticated architecture design among the presented models. The exploration of an even more optimal DL-SVM model is the next stage towards the engineering of an intelligent anti-malware system.

Neural and Evolutionary Computing,Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning