Liting Deng,Chengli Yu,Hui Wen,Mingfeng Xin,Yue Sun,Limin Sun,Hongsong Zhu

DOI: https://doi.org/10.1007/s11036-024-02383-z

2024-08-31

Mobile Networks and Applications

Abstract:Malware has now grown into one of the most important threats on the Internet. To meet this challenge, researchers regard malware classification as an effective method in malware analysis, which can classify the malicious samples with similar features into the same family. Although machine learning based malware classification models have great performance, they rely heavily on large-scale labeled datasets. In the real world, many malware families only have a small number of samples, which makes the traditional data-driven models perform poor results. In this paper, we propose an attention-based transductive learning network to solve the problem. In order to extract features, our approach first converts malware binaries into gray-scale images, and encodes them into feature maps using an embedding function. Then, we build a Gaussian similarity graph based on attention mechanism to transfer information from labeled instances to unknown instances. Through the end-to-end training, we demonstrate the effectiveness of the proposed approach on a malware dataset containing 11,236 samples with 30 different malware families. Comparing with state-of-the-art approaches, the experimental results show that our approach achieves a better performance.

computer science, information systems,telecommunications, hardware & architecture

Ziyue Wang,Weizheng Wang,Yaoqi Yang,Zhaoyang Han,Dequan Xu,Chunhua Su

DOI: https://doi.org/10.1002/int.23094

IF: 8.993

2022-10-27

International Journal of Intelligent Systems

Abstract:Malicious code attacks have severely hindered the current development of the Internet technologies. Once the devices are infected with virus, the damages to companies and users are unpredictable. Although researchers have developed malware detection methods, the analysis result still cannot achieve the desired accuracy due to complicated malicious code families and fast‐growing variants. In this paper, to solve this problem, we combine Convolutional Neural Networks (CNNs) with Generative Adversarial Networks (GANs) to design an efficient and accurate malware detection method. First, we implement a code visualization method and utilize GAN to generate more samples of malicious code variants in the role of data augmentation. Then, the lightweight AlexNet originated from CNN to classify malware families. Finally, simulation experiments are conducted to evaluate that our CNN plus GAN model can achieve a higher classification accuracy (i.e., 97.78%) compared with some related work.

computer science, artificial intelligence

Yanli Shao,Yang Lu,Dan Wei,Jinglong Fang,Feiwei Qin,Bin Chen

DOI: https://doi.org/10.1155/2022/3301718

2022-07-08

Wireless Communications and Mobile Computing

Abstract:Edge computing is a feasible solution for effectively collecting and processing data in industrial Internet of Things (IIoT) systems, and edge security is an important guarantee for edge computing. Fast and accurate classification of malicious code in the whole lift cycle of edge computing is of great significance, which can effectively prevent malicious code from attacking wireless sensor networks and ensure the stable and secure transmission of data in smart devices. Considering that there is a large amount of code reuse in the same malicious code family, making their visual feature similar, many studies use visualization technology to assist malicious code classification. However, traditional malicious code visual classification schemes have the problems such as single image source, weak ability of deep-level feature extraction, and lack of attention to key image details. Therefore, an innovative malicious code visual classification method based on a deep residual network and hybrid attention mechanism for edge security is proposed in this study. Firstly, the malicious code visualization scheme integrates the bytecode file and assembly file of the malware and converts them into a four-channel RGBA image to fully represent malicious code feature information without increasing the computational complexity. Secondly, a hybrid attention mechanism is introduced into the deep residual network to construct an effective classification model, which extracts image texture features of malicious code from two dimensions of the channel and spatial to improve the classification performance. Finally, the experimental results on the BIG2015 and Malimg datasets show that the proposed scheme is feasible and effective and can be widely applied used in various malicious code classification issues, and the classification accuracy rate is relatively higher than the existing better-performing malicious code classification methods.

computer science, information systems,telecommunications,engineering, electrical & electronic

Limin Shen,Jiayin Feng,Zhen Chen,Zhongkui Sun,Dongkui Liang,Hui Li,Yuying Wang

DOI: https://doi.org/10.1007/s10489-022-03523-2

IF: 5.3

2022-04-20

Applied Intelligence

Abstract:To accurately find malware in a large number of mobile APPs, and determine which family it belongs to is one of the most important challenges in Android malware detection. Existed research focuses on using the extracted features to distinguish Android malicious APPs, and less attention is paid to the category and family classification of Android malware. Meanwhile, feature selection has always been a choose-difficult issue in malware detection with machine learning methods. In this paper, SelAttConvLstm was designed to classify android malware by category and family without manually selecting features. To identify Android malware, we first convert all the network traffic flows into grayscale images according to chronological order through data preprocessing. Second, we design SelAttConvLstm, a deep learning model to detect malicious Android APPs with network flows images. This model can consider both the spatial and temporal features of network flow at the same time. In addition, to improve the performance of the model, self-attention weights are added to focus on different features of the input. Finally, comprehensive experiments are conducted to verify the effectiveness of the detection model. Experimental results showed that our method can not only effectively detect malware, but also classify malware in detail and accurately by category and family.

computer science, artificial intelligence

Hong Huang,Rui Du,Zhaolian Wang,Xin Li,Guotao Yuan

DOI: https://doi.org/10.3390/s23167084

IF: 3.9

2023-08-11

Sensors

Abstract:To address the challenges of weak model generalization and limited model capacity adaptation in traditional malware detection methods, this article presents a novel malware detection approach based on stacked depthwise separable convolutions and self-attention, termed CoAtNet. This method combines the strengths of the self-attention module's robust model adaptation and the convolutional networks' powerful generalization abilities. The initial step involves transforming the malicious code into grayscale images. These images are subsequently processed using a detection model that employs stacked depthwise separable convolutions and an attention mechanism. This model effectively recognizes and classifies the images, automatically extracting essential features from malicious software images. The effectiveness of the method was validated through comparative experiments using both the Malimg dataset and the augmented Blended+ dataset. The approach's performance was evaluated against popular models, including XceptionNet, EfficientNetB0, ResNet50, VGG16, DenseNet169, and InceptionResNetV2. The experimental results highlight that the model surpasses other malware detection models in terms of accuracy and generalization ability. In conclusion, the proposed method addresses the limitations of traditional malware detection approaches by leveraging stacked depthwise separable convolutions and self-attention. Comprehensive experiments demonstrate its superior performance compared to existing models. This research contributes to advancing the field of malware detection and provides a promising solution for enhanced accuracy and robustness.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Dongzhi Cao,Xinglan Zhang,Zhenhu Ning,Jianfeng Zhao,Fei Xue,Yongli Yang

DOI: https://doi.org/10.1145/3297156.3297246

2018-01-01

Abstract:With the rapid development of the Internet, people have variety in their life style. While the Internet is developing rapidly, some malware has also been generated, and the number of malicious codes grows exponentially, which seriously affects the security of the Internet. In the prevention of malicious code, the accurate classification of malicious code is the most critical components. At present, researchers mainly focus on static detection and dynamic detection to study malicious code variant detection schemes. In the study of malicious code classification, this paper first analyzes the limitations of static detection and dynamic detection, then employs convolution neural networks to classify and identify malicious code, and finally implements an efficient malicious code detection system based on convolutional neural networks. Our malware detection model realizes the idea of automatic detection of malicious code variants. Experimental results demonstrated that the proposed malicious code detection system is efficient.

Gaoning Shen,Zhixiang Chen,Hui Wang,Heng Chen,Shuqi Wang

DOI: https://doi.org/10.1016/j.cose.2022.102761

2022-08-01

Abstract:Malicious code has become an important factor threatening network security. Single feature-based malicious code detection methods have achieved good detection results, but when faced with some similar malicious code families, the detection effect is often poor. To address this concern, we propose a feature fusion-based malicious code detection with dual attention mechanism and Bi-directional Long Short-Term Memory (BiLSTM). The dual attention mechanism module gives different focuses on the channel and space of feature maps to extract local texture features of malicious code grayscale images. At the same time, the BiLSTM module extracts global texture structure features of malicious code grayscale images, and fuse local texture features with global texture features, which can not only reflect the detailed characteristics of malicious code, but also retain the overall structural characteristics. Finally, we use the focal loss function to reduce the impact of data imbalance. The experimental results show that our feature fusion approach has a better detection effect compared with the single feature approach, especially in the detection of similar malicious code families.

computer science, information systems

Zhihua Cui,Fei Xue,Xingjuan Cai,Yang Cao,Gai-ge Wang,Jinjun Chen

DOI: https://doi.org/10.1109/tii.2018.2822680

IF: 12.3

2018-07-01

IEEE Transactions on Industrial Informatics

Abstract:With the development of the Internet, malicious code attacks have increased exponentially, with malicious code variants ranking as a key threat to Internet security. The ability to detect variants of malicious code is critical for protection against security breaches, data theft, and other dangers. Current methods for recognizing malicious code have demonstrated poor detection accuracy and low detection speeds. This paper proposed a novel method that used deep learning to improve the detection of malware variants. In prior research, deep learning demonstrated excellent performance in image recognition. To implement our proposed detection method, we converted the malicious code into grayscale images. Then, the images were identified and classified using a convolutional neural network (CNN) that could extract the features of the malware images automatically. In addition, we utilized a bat algorithm to address the data imbalance among different malware families. To test our approach, we conducted a series of experiments on malware image data from Vision Research Lab. The experimental results demonstrated that our model achieved good accuracy and speed as compared with other malware detection models.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Zilin Zhao,Dawei Zhao,Shumian Yang,Lijuan Xu

DOI: https://doi.org/10.1155/2023/6390023

IF: 1.968

2023-04-19

Security and Communication Networks

Abstract:In recent years, malware has experienced explosive growth and has become one of the most severe security threats. However, feature engineering easily restricts the traditional machine learning methods-based malware classification and is hard to deal with massive malware. At the same time, the dynamic analysis methods have the problems of complex operation and high cost, which are not suitable for efficiently classifying large quantities of malware. Therefore, we propose a novel static malware detection method based on this study's AlexNet convolutional neural network (CNN). Unlike existing solutions, we convert all malware bytes into color images, propose an improved AlexNet architecture, and solve the unbalanced datasets with the data enhancement method. Extensive experiments are performed using the Microsoft malware dataset and the Google Code Jam (GCJ) dataset. The experimental results show that the accuracy of the Microsoft malware dataset reaches 99.99%, and the GCJ dataset reaches 99.38%. We also verify that our method can better extract the texture features of malware and improve the accuracy and detection efficiency.

computer science, information systems,telecommunications

Jinting Zhu,Julian Jang-Jaccard,Amardeep Singh,Paul A. Watters,Seyit Camtepe

DOI: https://doi.org/10.3390/fi15060214

2023-06-15

Abstract:Malware authors apply different techniques of control flow obfuscation, in order to create new malware variants to avoid detection. Existing Siamese neural network (SNN)-based malware detection methods fail to correctly classify different malware families when such obfuscated malware samples are present in the training dataset, resulting in high false-positive rates. To address this issue, we propose a novel task-aware few-shot-learning-based Siamese Neural Network that is resilient against the presence of malware variants affected by such control flow obfuscation techniques. Using the average entropy features of each malware family as inputs, in addition to the image features, our model generates the parameters for the feature layers, to more accurately adjust the feature embedding for different malware families, each of which has obfuscated malware variants. In addition, our proposed method can classify malware classes, even if there are only one or a few training samples available. Our model utilizes few-shot learning with the extracted features of a pre-trained network (e.g., VGG-16), to avoid the bias typically associated with a model trained with a limited number of training samples. Our proposed approach is highly effective in recognizing unique malware signatures, thus correctly classifying malware samples that belong to the same malware family, even in the presence of obfuscated malware variants. Our experimental results, validated by N-way on N-shot learning, show that our model is highly effective in classification accuracy, exceeding a rate \textgreater 91\%, compared to other similar methods.

Cryptography and Security,Artificial Intelligence

Rajvardhan Patil,Wei Deng

DOI: https://doi.org/10.1109/southeastcon44009.2020.9368268

2020-01-01

Abstract:In this era, where the volume and diversity of malware is rising exponentially, new techniques need to be employed for faster and accurate identification of the malwares. Manual heuristic inspection of malware analysis are neither effective in detecting new malware, nor efficient as they fail to keep up with the high spreading rate of malware. Machine learning approaches have therefore gained momentum. They have been used to automate static and dynamic analysis investigation where malware having similar behavior are clustered together, and based on the proximity unknown malwares get classified to their respective families. Although many such research efforts have been conducted where data-mining and machine-learning techniques have been applied, in this paper we show how the accuracy can further be improved using deep learning networks. As deep learning offers superior classification by constructing neural networks with a higher number of potentially diverse layers it leads to improvement in automatic detection and classification of the malware variants.In this research, we present a framework which extracts various feature-sets such as system calls, operational codes, sections, and byte codes from the malware files. In the experimental and result section, we compare the accuracy obtained from each of these features and demonstrate that feature vector for system calls yields the highest accuracy. The paper concludes by showing how deep learning approach performs better than the traditional shallow machine learning approaches.

Chao Ding,Nurbol Luktarhan,Bei Lu,Wenhui Zhang

DOI: https://doi.org/10.3390/e23081009

2021-08-03

Abstract:With the popularity of Android, malware detection and family classification have also become a research focus. Many excellent methods have been proposed by previous authors, but static and dynamic analyses inevitably require complex processes. A hybrid analysis method for detecting Android malware and classifying malware families is presented in this paper, and is partially optimized for multiple-feature data. For static analysis, we use permissions and intent as static features and use three feature selection methods to form a subset of three candidate features. Compared with various models, including k-nearest neighbors and random forest, random forest is the best, with a detection rate of 95.04%, while the chi-square test is the best feature selection method. After using feature selection to explore the critical static features contained in this dataset, we analyzed a subset of important features to gain more insight into the malware. In a dynamic analysis based on network traffic, unlike those that focus on a one-way flow of traffic and work on HTTP protocols and transport layer protocols, we focused on sessions and retained protocol layers. The Res7LSTM model is then used to further classify the malicious and partially benign samples detected in the static detection. The experimental results show that our approach can not only work with fewer static features and guarantee sufficient accuracy, but also improve the detection rate of Android malware family classification from 71.48% in previous work to 99% when cutting the traffic in terms of the sessions and protocols of all layers.

Aidong Xu,Lin Chen,Xiaoyun Kuang,Huahui Lv,Hang Yang,Yixin Jiang,Bo Li

DOI: https://doi.org/10.1109/bigdatasecurity-hpsc-ids49724.2020.00021

2020-01-01

Abstract:In recent years, malicious programs seriously threaten the security of information system. Because of its particularity, complexity and vulnerability, power information system is difficult to detect and kill by traditional anti-virus software. To solve the above problems, this paper proposes a malicious behavior detection method based on deep learning, which can identify malicious programs and attack types according to the activities of malicious programs and malicious software behaviors. In this paper, a hybrid deep learning structure based on convolutional neural network (CNN) and long-and-short term memory (LSTM) network is proposed. The call sequence of API is combined with other statistical features. The vector information obtained is input into LSTM unit through convolution, and the classification results are obtained through the above model. Compared with the existing methods, this method significantly improves the preparation rate and execution efficiency.

Xiao Chen,Zhengwei Jiang,Shuwei Wang,Rongqi Jing,Chen Ling,Qiuyun Wang

DOI: https://doi.org/10.1007/978-3-031-17551-0_20

2022-01-01

Abstract:The amount of malware has proliferated in recent years because malware developers can easily exploit existing malware to develop new ones. To identify the interrelationships between old and new malware and unify the defense, researchers have continuously tried to automatically classify malware families, and deep neural networks have proven to be a reliable solution to this problem, but as the number of families increases, the robustness of the model is susceptible to data drift and deteriorates, and the validation work of deep neural networks remains insufficient. In this paper, we classify malware families based on semantic learning of disassembled code and graph neural networks, and also provide a judgment basis for family classification so that analysts can quickly verify the classification results. Experiments show that our model can effectively classify families and is robust to data drift.

Wenhao fan,Liang Zhao,Jiayang Wang,Ye Chen,Fan Wu,Yuan'an Liu

DOI: https://doi.org/10.48550/arXiv.2101.03965

2021-01-29

Abstract:Android is currently the most extensively used smartphone platform in the world. Due to its popularity and open source nature, Android malware has been rapidly growing in recent years, and bringing great risks to users' privacy. The malware applications in a malware family may have common features and similar behaviors, which are beneficial for malware detection and inspection. Thus, classifying Android malware into their corresponding families is an important task in malware analysis. At present, the main problem of existing research works on Android malware family classification lies in that the extracted features are inadequate to represent the common behavior characteristics of the malware in malicious families, and leveraging a single classifier or a static ensemble classifier is restricted to further improve the accuracy of classification. In this paper, we propose FamDroid, a learning-based Android malware family classification scheme using static analysis technology. In FamDroid, the explicit features including permissions, hardware components, app components, intent filters are extracted from the apk files of a malware application. Besides, a hidden feature generated from the extracted APIs is used to represents the API call relationship in the application. Then, we design an adaptive weighted ensemble classifier, which considers the adaptability of the sample to each base classifier, to carry out accurate malware family classification. We conducted experiments on the Drebin dataset which contains 5560 Android malicious applications. The superiority of FamDroid is demonstrated through comparing it with 5 traditional machine learning models and 4 state-of-the-art reference schemes. FamDroid can correctly classify 98.92% of malware samples into their families and achieve 99.12% F1-Score.

Cryptography and Security

Junwei Tang,Wei Xu,Tao Peng,Sijie Zhou,Qiaosen Pi,Ruhan He,Xinrong Hu

DOI: https://doi.org/10.1016/j.jisa.2024.103721

IF: 4.96

2024-01-01

Journal of Information Security and Applications

Abstract:Mobile applications have been deeply integrated into the daily life of ordinary users. Android malware seriously threatens the privacy and property security of users. However, code obfuscation and other technologies have reduced the effectiveness of traditional static analysis methods, and more and more studies are extracting grayscale image features for malware detection. We propose a classification method for Android malware based on a novel mixed bytecode image and deep neural network combined with attention mechanism. Firstly, for the executable file of the target malware, read one character every 8 bits, fix the line and width, and output it as a vector. Each element in this vector is between 0 and 255, which is the range of values for grayscale images. Furthermore, the executable files are generated into grayscale images and Markov images, respectively. Then a new texture feature space is constructed by the fusion of grayscale and Markov images using the transfer probability, which is mapped to a two-dimensional space to obtain the mixed image feature. The constructed fusion feature space can more clearly characterize Android malware. What is more, the convolutional attention mechanism is added to ResNet to increase the depth of the network and improve the network effect. Finally, experiments are performed on Drebin and CICMalDroid 2020. Our experimental results show that our method can efficiently perform uniform representation of bytecode sequence files and extract and classify feature sequences. On the basis of mixed image features, the accuracy of malware detection can reach 98.67%, which outperforms the classification based on Markov images, grayscale images and other similar methods.

Wenbo Zhang,Yongxin Feng,Guangjie Han,Hongbo Zhu,Xiaobo Tan

DOI: https://doi.org/10.3390/s22228739

IF: 3.9

2022-11-13

Sensors

Abstract:It is critical to detect malicious code for the security of the Internet of Things (IoT). Therefore, this work proposes a malicious code detection algorithm based on the novel feature fusion–malware image convolutional neural network (FF-MICNN). This method combines a feature fusion algorithm with deep learning. First, the malicious code is transformed into grayscale image features by image technology, after which the opcode sequence features of the malicious code are extracted by the n-gram technique, and the global and local features are fused by feature fusion technology. The fused features are input into FF-MICNN for training, and an appropriate classifier is selected for detection. The results of experiments show that the proposed algorithm exhibits improvements in its detection speed, the comprehensiveness of features, and accuracy as compared with other algorithms. The accuracy rate of the proposed algorithm is also 0.2% better than that of a detection algorithm based on a single feature.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Wei Li,Chenyi Zhang,Jieying Zhou,Dan Wang,Nuannuan Li

DOI: https://doi.org/10.1088/1742-6596/2010/1/012165

2021-09-01

Journal of Physics: Conference Series

Abstract:Abstract In recent years, malicious code emerges in endlessly. New types of malicious code evade the traditional malicious code detection technology through polymorphism, shelling, confusion and other ways. In order to solve the challenges brought by various technologies to the research of malicious code detection, in this paper, we propose a malicious code detection method based on static features and ensemble learning. This method extracts the information in the PE header file of malicious code samples as static features, and on this basis, builds a malicious code detection model by using stacking ensemble learning. In order to verify the effectiveness of the model, experiments are carried out on a dataset containing 5000 malicious codes and 4943 benign codes. Experiments show that the classification model based on stacking ensemble learning is the best, with 97.22% precision rate and 96.45% stable F1 score.

Mazhar Javed Awan,Osama Ahmed Masood,Mazin Abed Mohammed,Awais Yasin,Azlan Mohd Zain,Robertas Damaševičius,Karrar Hameed Abdulkareem

DOI: https://doi.org/10.3390/electronics10192444

IF: 2.9

2021-10-08

Electronics

Abstract:In recent years the amount of malware spreading through the internet and infecting computers and other communication devices has tremendously increased. To date, countless techniques and methodologies have been proposed to detect and neutralize these malicious agents. However, as new and automated malware generation techniques emerge, a lot of malware continues to be produced, which can bypass some state-of-the-art malware detection methods. Therefore, there is a need for the classification and detection of these adversarial agents that can compromise the security of people, organizations, and countless other forms of digital assets. In this paper, we propose a spatial attention and convolutional neural network (SACNN) based on deep learning framework for image-based classification of 25 well-known malware families with and without class balancing. Performance was evaluated on the Malimg benchmark dataset using precision, recall, specificity, precision, and F1 score on which our proposed model with class balancing reached 97.42%, 97.95%, 97.33%, 97.11%, and 97.32%. We also conducted experiments on SACNN with class balancing on benign class, also produced above 97%. The results indicate that our proposed model can be used for image-based malware detection with high performance, despite being simpler as compared to other available solutions.

engineering, electrical & electronic,computer science, information systems,physics, applied

Wang, Runzheng

DOI: https://doi.org/10.1007/s10207-023-00699-7

2023-05-15

International Journal of Information Security

Abstract:At present, the trend of familiarization of malicious code is becoming more and more obvious, and the research on the homology of malware (the classification of malicious code family) is of great significance for maintaining network security. In order to better express the overall characteristics of malicious code and improve the effect of detection and homology analysis, this paper proposes a method for detection and homology analysis of malware based on heterogeneous graphs of assembly instructions (AIHGAT). We take the assembly instructions of malicious families as the research object and analyze the importance and correlation of assembly instructions of different malicious families. The malware detection and homology analysis are carried out in three aspects: feature extraction, feature preprocessing, and model construction. In the feature extraction of malicious code, in order to alleviate the problem that it is difficult to extract static features of malicious samples that contain countermeasures such as packing and obfuscation, we obtain binary files from dynamic memory through sandbox and then, analyze its assembly instruction set. In feature preprocessing, we divide the assembly instructions into N-tuples and construct a heterogeneous graph based on assembly instructions according to the internal correlation of the gene sequence composed of the assembly N-grams features. Finally, in terms of model construction, we analyze the homology determination effect of the traditional graph neural network and construct the Graph Attention Network based on residual connection named ResGAT to analyze the homology of malicious code. The experimental results show that the ResGAT can gather the core characteristics of malicious families and enhance the ability to recognize malicious family variants. Our model has an accuracy rate of 98.83%, which is better than traditional machine learning detection methods, and can effectively determine the homology of malicious code families.

computer science, information systems, theory & methods, software engineering