Liang Hu,Shinan Song,Xiaolu Zhang,Zhenzhen Xie,Xiangyu Meng,Kuo Zhao

DOI: https://doi.org/10.4304/jnw.8.11.2512-2519

2013-01-01

Abstract:To explain the necessity of comprehensive and automatically analysis process for volatile memory, this paper summarized ordinarily analyzing methods and their common points especially for concerned data source. Then, a memory analysis framework Volatiltiy-2.2 and statistical output file size are recommended. In addition, to address the limitation of plug-ins classification in analyzing procedure, a user perspective classify is necessary and proposed. Furthermore, according to target data source differences on the base of result data set volume and employed relational method is introduced for comprehensive analysis guideline procedure. Finally, a test demo including DLLs loading order list analyzing is recommend, in which DLL load list is regard as different kind of characteristics typical data source with process and convert into process behavior fingerprint. The clustering for the fingerprint is employed string similar degree algorithm model in the demo, which has a wide range applications in traditional malware behavior analysis, and it is proposed that these methods also can be applied for volatile memory

Rajvardhan Patil,Wei Deng

DOI: https://doi.org/10.1109/southeastcon44009.2020.9368268

2020-01-01

Abstract:In this era, where the volume and diversity of malware is rising exponentially, new techniques need to be employed for faster and accurate identification of the malwares. Manual heuristic inspection of malware analysis are neither effective in detecting new malware, nor efficient as they fail to keep up with the high spreading rate of malware. Machine learning approaches have therefore gained momentum. They have been used to automate static and dynamic analysis investigation where malware having similar behavior are clustered together, and based on the proximity unknown malwares get classified to their respective families. Although many such research efforts have been conducted where data-mining and machine-learning techniques have been applied, in this paper we show how the accuracy can further be improved using deep learning networks. As deep learning offers superior classification by constructing neural networks with a higher number of potentially diverse layers it leads to improvement in automatic detection and classification of the malware variants.In this research, we present a framework which extracts various feature-sets such as system calls, operational codes, sections, and byte codes from the malware files. In the experimental and result section, we compare the accuracy obtained from each of these features and demonstrate that feature vector for system calls yields the highest accuracy. The paper concludes by showing how deep learning approach performs better than the traditional shallow machine learning approaches.

Sajedul Talukder

DOI: https://doi.org/10.48550/arXiv.2002.06819

2020-07-01

Abstract:One of the major and serious threats that the Internet faces today is the vast amounts of data and files which need to be evaluated for potential malicious intent. Malicious software, often referred to as a malware that are designed by attackers are polymorphic and metamorphic in nature which have the capability to change their code as they spread. Moreover, the diversity and volume of their variants severely undermine the effectiveness of traditional defenses which typically use signature based techniques and are unable to detect the previously unknown malicious executables. The variants of malware families share typical behavioral patterns reflecting their origin and purpose. The behavioral patterns obtained either statically or dynamically can be exploited to detect and classify unknown malware into their known families using machine learning techniques. This survey paper provides an overview of techniques and tools for detecting and analyzing the malware.

Cryptography and Security

Asad Arfeen,Muhammad Asim Khan,Obad Zafar,Usama Ahsan

DOI: https://doi.org/10.1002/cpe.6672

2021-10-11

Concurrency and Computation: Practice and Experience

Abstract:Ransomware is an emerging category of malware that locks computer data via powerful cryptographic algorithms. The global propagation of ransomware is a serious threat for individuals and organizations. The banking sector and financial institutions are the prime targets of such ransomware attacks. In case of such an attack, the field of digital forensics helps in estimation of the severity and data loss caused by the attack. Traditional digital forensics investigations make use of static or behavioral analysis to detect malware in infected systems. However, these procedures are challenged by malware obfuscation techniques. Malicious processes can stay inactive and undetected if only a single memory dump is analyzed. Thus, there is a need to collect numerous memory dumps of an individual program that can help with comprehensive and accurate analysis. In this article, we have developed a framework for volatile memory acquisition at regular time intervals to analyze the behavior of individual processes in memory. Through memory forensics, salient features are extracted from the infected memory dumps. These features can be utilized to classify malicious and benign processes efficiently through machine learning as compared to conventional techniques.

Ulrich Bayer,Andreas Moser,Christopher Kruegel,Engin Kirda

DOI: https://doi.org/10.1007/s11416-006-0012-2

2006-05-16

Journal in Computer Virology

Abstract:Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware.

Riya Nair,Kiranbhai R Dodiya,Parth Lakhalani

DOI: https://doi.org/10.22214/ijraset.2023.57649

2023-12-31

International Journal for Research in Applied Science and Engineering Technology

Abstract:Abstract: Malicious code presents a severe risk to computer systems, making work difficult for information security and cyber experts. Malware analysis is in great demand because of its importance and function in digital forensics and cyber security. Malware, often known as malicious software, is purposefully written software that harms or damages people, computers, servers, or networks. An overview of malware analysis methods and techniques in the fields of digital forensics and cyber security is given in this article. The study examines several malware types, their characteristics, and analysts' challenges in locating and analyzing them. It also highlights the importance of continuing this field's research and development to stay ahead of evolving malware threats. Trojan horses, worms, backdoors, rootkits, and adware are examples of malware. There are several methods for analyzing malware, but one of the most well-known is static analysis. This article will look at several methods for doing malware analysis and detection on corporate systems, as well as the resources available to assist with sample inspection to reduce the impact of malware assaults on an organization's operations. The investigator must first choose which methods and instruments to use for analysis. Static analysis, which includes malware scanners and detectors, is the first line of defense against malware. As technology advances, malware creators use various techniques to conceal their source code from scanners and detectors that search for strings, pattern matching, and other similar patterns to determine hash values that may be used to identify the infection. Malware experts decompress the packed file into unpacked one to examine obfuscated malware. This study examines efforts to investigate the many techniques and instruments malware uses in the real world.

Et al. Rajesh Yadav

DOI: https://doi.org/10.17762/ijritcc.v11i11s.9817

2023-11-30

International Journal on Recent and Innovation Trends in Computing and Communication

Abstract:The huge amounts of data and information that need to be analyzed for possible malicious intent are one ofthe big and significant challenges that the Web faces today. Malicious software, also referred to as malware developed by attackers, is polymorphic and metamorphic in nature which can modify the code as it spreads.In addition, the diversity and volume of their variants severely undermine the effectiveness of traditional defenses that typically use signature-based techniques and are unable to detect malicious executables previously unknown. Malware family variants share typical patterns of behavior that indicate their origin and purpose. The behavioral trends observed either statically or dynamically can be manipulated by usingmachine learning techniques to identify and classify unknown malware into their established families. Thissurvey paper gives an overview of the malware detection and analysis techniques and tools.

Pascal Maniriho,Abdun Naser Mahmood,Mohammad Jabed Morshed Chowdhury

DOI: https://doi.org/10.1016/j.future.2021.11.030

IF: 7.307

2022-05-01

Future Generation Computer Systems

Abstract:There has been an increasing trend of malware release, which raises the alarm for security professionals worldwide. It is often challenging to stay on top of different types of malware and their detection techniques, which are essential, particularly for researchers and the security community. Analysing malware to get insights into what it intends to perform on the victim’s system is one of the crucial steps towards malware detection. Malware analysis can be performed through static analysis, code analysis, dynamic analysis, memory analysis and hybrid analysis techniques. The next step to malware analysis is the detection model’s design using malware’s extracted patterns from the analysis. Machine learning and deep learning methods have drawn attention to researchers, owing to their ability to implement sophisticated malware detection models that can deal with known and unknown malicious activities. Therefore, this survey presents a comprehensive study and analysis of current malware and detection techniques using the snowball approach. It presents a comprehensive study on malware analysis testbeds, dynamic malware analysis and memory analysis, the taxonomy of malware behaviour analysis tools, datasets repositories, feature selection, machine learning and deep learning techniques. Moreover, comparisons of behaviour-based malware detection techniques have been grouped by categories of machine learning and deep learning techniques. This study also looks at various performance evaluation metrics, current research challenges in this area and possible future direction of research.

Amir Afianian,Salman Niksefat,Babak Sadeghiyan,David Baptiste

DOI: https://doi.org/10.48550/arXiv.1811.01190

2018-11-03

Abstract:The Cyber world is plagued with ever-evolving malware that readily infiltrates all defense mechanisms, operates viciously unbeknownst to the user and surreptitiously exfiltrate sensitive data. Understanding the inner workings of such malware provides a leverage to effectively combat them. This understanding, is pursued through dynamic analysis which is conducted manually or automatically. Malware authors accordingly, have devised and advanced evasion techniques to thwart or evade these analyses. In this paper, we present a comprehensive survey on malware dynamic analysis evasion techniques. In addition, we propose a detailed classification of these techniques and further demonstrate how their efficacy hold against different types of detection and analysis approach. Our observations attest that evasive behavior is mostly interested in detecting and evading sandboxes. The primary tactic of such malware we argue is fingerprinting followed by new trends for reverse Turing test tactic which aims at detecting human interaction. Furthermore, we will posit that the current defensive strategies beginning with reactive methods to endeavors for more transparent analysis systems are readily foiled by zero-day fingerprinting techniques or other evasion tactics such as stalling. Accordingly, we would recommend pursuit of more generic defensive strategies with emphasis on path exploration techniques that have the potential to thwart all the evasive tactics.

Cryptography and Security

Rami Sihwail,Khairuddin Omar,Khairul Akram Zainol Ariffin,Sanad Al Afghani,Khairul Zainol Ariffin

DOI: https://doi.org/10.3390/app9183680

2019-09-05

Applied Sciences

Abstract:The need to detect malware before it harms computers, mobile phones and other electronic devices has caught the attention of researchers and the anti-malware industry for many years. To protect users from malware attacks, anti-virus software products are downloaded on the computer. The anti-virus mainly uses signature-based techniques to detect malware. However, this technique fails to detect malware that uses packing, encryption or obfuscation techniques. It also fails to detect unseen (new) ones. This paper proposes an integrated malware detection approach that applies memory forensics to extract malicious artifacts from memory and combines them to features extracted during the execution of malware in a dynamic analysis. Pre-modeling techniques were also applied for feature engineering before training and testing the data set on the machine learning models. The experimental results show a significant improvement in both detection accuracy rate and false positive rate, 98.5% and 1.7% respectively, by applying the support vector machine. The results verify that our integrated analysis approach outperforms other analysis methods. In addition, the proposed approach overcomes the limitation of single path file execution in dynamic analysis by adding more relevant memory artifacts that can reveal the real intention of malicious files.

Christopher Arden Anugerah,Erwid Musthofa Jadied,Niken Cahyani

DOI: https://doi.org/10.21108/ijoict.v10i1.940

2024-07-03

International Journal on Information and Communication Technology (IJoICT)

Abstract:Malware, short for malicious software, is software or code specifically designed to damage, disrupt computer systems, or gain unauthorized access to sensitive information. Based on type classification, one of the well-known types of malware is ransomware. Usually, ransomware will encrypt the files on a computer system and then demand a ransom from the owner of the computer system so that the owner can regain access to the encrypted files. Sometimes in some cases, ransomware is able to delete files without input from the computer system owner. This research includes the analysis process of three ransomware samples that are known for successfully causing losses to many computer systems throughout the world, namely WannaCry, Locky, and Jigsaw, using a dynamic approach and the use of tools to track the processes carried out by the ransomware. The purpose of this research is to determine which of the three samples has the highest to lowest level of damage based on metrics based on file access capabilities and file modification capabilities for various types of files such as system files, boot-related files, program files, etc. The findings of this research indicate that WannaCry has the highest impact followed by Locky and then Jigsaw.

mesut guven,Mesut Guven

DOI: https://doi.org/10.22399/ijcesen.460

2024-09-26

International Journal of Computational and Experimental Science and Engineering

Abstract:Dynamic malware analysis plays a pivotal role in modern cybersecurity, offering insights into malware behavior through dynamic execution and network traffic analysis. In this study, we present a comprehensive approach to dynamic malware analysis using a sandbox environment and network traffic logs. Our methodology involves the extraction of relevant features from network traffic captured in pcap files. We conducted experiments using a virtualized Oracle VirtualBox environment, where benign and malicious software samples were executed within a Windows virtual machine controlled by Python scripts. For network emulation, we utilized tools from the REMnux distribution, including InetSim and FakeDNS, to simulate realistic network interactions during malware execution. The collected pcap data underwent preprocessing and feature extraction to capture essential behavioral patterns and network indicators. Machine learning and artificial intelligence models were developed to classify malware based on these extracted features. Our findings underscore the efficacy of dynamic analysis coupled with machine learning in detecting and classifying malware variants based on their network behavior. This research contributes to advancing techniques for real-time threat detection and response in cybersecurity, emphasizing the importance of dynamic malware analysis in mitigating evolving cyber threats.

Irina Baptista,Stavros Shiaeles,Nicholas Kolokotronis

DOI: https://doi.org/10.48550/arXiv.1904.00859

2019-04-01

Abstract:The continued evolution and diversity of malware constitutes a major threat in modern systems. It is well proven that security defenses currently available are ineffective to mitigate the skills and imagination of cyber-criminals necessitating the development of novel solutions. Deep learning algorithms and artificial intelligence (AI) are rapidly evolving with remarkable results in many application areas. Following the advances of AI and recognizing the need for efficient malware detection methods, this paper presents a new approach for malware detection based on binary visualization and self-organizing incremental neural networks. The proposed method's performance in detecting malicious payloads in various file types was investigated and the experimental results showed that a detection accuracy of 91.7% and 94.1% was achieved for ransomware in .pdf and .doc files respectively. With respect to other formats of malicious code and other file types, including binaries, the proposed method behaved well with an incremental detection rate that allows efficiently detecting unknown malware at real-time.

Cryptography and Security

Mathew Ashik,A. Jyothish,S. Anandaram,P. Vinod,Francesco Mercaldo,Fabio Martinelli,Antonella Santone

DOI: https://doi.org/10.3390/electronics10141694

IF: 2.9

2021-07-15

Electronics

Abstract:Malware is one of the most significant threats in today’s computing world since the number of websites distributing malware is increasing at a rapid rate. Malware analysis and prevention methods are increasingly becoming necessary for computer systems connected to the Internet. This software exploits the system’s vulnerabilities to steal valuable information without the user’s knowledge, and stealthily send it to remote servers controlled by attackers. Traditionally, anti-malware products use signatures for detecting known malware. However, the signature-based method does not scale in detecting obfuscated and packed malware. Considering that the cause of a problem is often best understood by studying the structural aspects of a program like the mnemonics, instruction opcode, API Call, etc. In this paper, we investigate the relevance of the features of unpacked malicious and benign executables like mnemonics, instruction opcodes, and API to identify a feature that classifies the executable. Prominent features are extracted using Minimum Redundancy and Maximum Relevance (mRMR) and Analysis of Variance (ANOVA). Experiments were conducted on four datasets using machine learning and deep learning approaches such as Support Vector Machine (SVM), Naïve Bayes, J48, Random Forest (RF), and XGBoost. In addition, we also evaluate the performance of the collection of deep neural networks like Deep Dense network, One-Dimensional Convolutional Neural Network (1D-CNN), and CNN-LSTM in classifying unknown samples, and we observed promising results using APIs and system calls. On combining APIs/system calls with static features, a marginal performance improvement was attained comparing models trained only on dynamic features. Moreover, to improve accuracy, we implemented our solution using distinct deep learning methods and demonstrated a fine-tuned deep neural network that resulted in an F1-score of 99.1% and 98.48% on Dataset-2 and Dataset-3, respectively.

engineering, electrical & electronic,computer science, information systems,physics, applied

Prachi Ahlawat,Namita Dabas,Prabha Sharma

DOI: https://doi.org/10.2139/ssrn.4295237

2022-01-01

SSRN Electronic Journal

Abstract:Malware is a serious cyber security threat that is extremely difficult to combat. Over the past few years, the frequency of malware attacks has increased manifold and is expected to grow further in the coming years. Many studies suggest API call sequences generated by a process can serve as an effective tool for malware detection. However, most of the existing works based on API call sequences suffer from high dimensional feature sets. This paper proposes a novel API call sequences based malware detection model, MalAnalyser, to address these issues. To reduce the computational overhead involved with the extensive original call sequences, MalAnalyser extracts frequent API call subsequences (patterns) as features for differentiating malware from benign processes, as they encompass the most representative and valuable behavioural information of a process. The model then uses Global Local Best Particle Swarm Optimization (GLBPSO) for identifying the discriminatory features with an objective of reducing computational overhead of the malware detection algorithm without jeopardizing the detection accuracy. Extensive experimentation performed on benign and malware samples exhibit that the proposed model delivers better performance in comparison to the current state-of-the-art models. Experiments conducted on the complete feature set as well as a set of randomly selected 60% features as input, exhibit a detection accuracy of up to 99.71% on both the sets with up to 50.52% and 74.46% reduction in size of feature set respectively. Another major contribution of this work is detection of rare or unseen malware behavior by generating new malware patterns from the existing patterns using Genetic Algorithm. MalAnalyser reported a significant performance gain with this enriched feature set and attained up to 100% accuracy with up to 70% reduced feature set. Further, effectiveness of MalAnalyser is evaluated for detecting a specific type of malware i.e. ransomware.

S M Rakib Hasan,Aakar Dhakal

2024-04-03

Abstract:In the era of the internet and smart devices, the detection of malware has become crucial for system security. Malware authors increasingly employ obfuscation techniques to evade advanced security solutions, making it challenging to detect and eliminate threats. Obfuscated malware, adept at hiding itself, poses a significant risk to various platforms, including computers, mobile devices, and IoT devices. Conventional methods like heuristic-based or signature-based systems struggle against this type of malware, as it leaves no discernible traces on the system. In this research, we propose a simple and cost-effective obfuscated malware detection system through memory dump analysis, utilizing diverse machine-learning algorithms. The study focuses on the CIC-MalMem-2022 dataset, designed to simulate real-world scenarios and assess memory-based obfuscated malware detection. We evaluate the effectiveness of machine learning algorithms, such as decision trees, ensemble methods, and neural networks, in detecting obfuscated malware within memory dumps. Our analysis spans multiple malware categories, providing insights into algorithmic strengths and limitations. By offering a comprehensive assessment of machine learning algorithms for obfuscated malware detection through memory analysis, this paper contributes to ongoing efforts to enhance cybersecurity and fortify digital ecosystems against evolving and sophisticated malware threats. The source code is made open-access for reproducibility and future research endeavours. It can be accessed at

Cryptography and Security,Computation and Language,Machine Learning

Hannah Nyholm,Kristine Monteith,Seth Lyles,Micaela Gallegos,Mark DeSantis,John Donaldson,Claire Taylor

DOI: https://doi.org/10.3390/jcp2030028

2022-07-20

Journal of Cybersecurity and Privacy

Abstract:The collection and analysis of volatile memory is a vibrant area of research in the cybersecurity community. The ever-evolving and growing threat landscape is trending towards fileless malware, which avoids traditional detection but can be found by examining a system’s random access memory (RAM). Additionally, volatile memory analysis offers great insight into other malicious vectors. It contains fragments of encrypted files’ contents, as well as lists of running processes, imported modules, and network connections, all of which are difficult or impossible to extract from the file system. For these compelling reasons, recent research efforts have focused on the collection of memory snapshots and methods to analyze them for the presence of malware. However, to the best of our knowledge, no current reviews or surveys exist that systematize the research on both memory acquisition and analysis. We fill that gap with this novel survey by exploring the state-of-the-art tools and techniques for volatile memory acquisition and analysis for malware identification. For memory acquisition methods, we explore the trade-offs many techniques make between snapshot quality, performance overhead, and security. For memory analysis, we examined the traditional forensic methods used, including signature-based methods, dynamic methods performed in a sandbox environment, as well as machine learning-based approaches. We summarize the currently available tools, and suggest areas for more research.

computer science, information systems, interdisciplinary applications, software engineering

Rasmi-Vlad Mahmoud,Marios Anagnostopoulos,Sergio Pastrana,Jens Myrup Pedersen

DOI: https://doi.org/10.1109/access.2024.3400167

IF: 3.9

2024-05-22

IEEE Access

Abstract:In cybersecurity, adversaries employ a myriad of tactics to evade detection and breach defenses. Malware remains a formidable weapon in their arsenal. To counter this threat, researchers unceasingly pursue dynamic analysis, which aims to comprehend and thwart established malware strains. This paper introduces an innovative methodology for dynamic malware analysis while critically evaluating prevailing technologies and their limitations. The proposed approach hinges on harnessing the capabilities of an open-source Security Information and Event Management (SIEM) toolset, namely the Elastic-Stack. This toolset is utilized to capture, structure, and analyze the behavioral patterns of malware without relying on any pre-existing sandbox framework. This augmentation facilitates a profound understanding of the activities exhibited by malware samples. With the help of the proposed ecosystem, we compile the AAU_MalData dataset that encompasses distinctly the benign and malicious behavior. Specifically, we analyzed the behavior of the 2,800 malware within a realistic network topology and systematically collected Windows event logs, which serve as a comprehensive record of the malware's actions. These event logs are precious as they are organized in a timestamped format, providing a chronological list of system activities, such as event descriptions, process and file details, and registry modifications. These are pivotal in comprehending the malware's functionality and repercussions on the compromised system. Furthermore, by incorporating the MITRE ATT&CK framework, we leveraged the event logs to correlate the malware's mode of operation, delve into its Command and Control operations, and investigate its persistence mechanisms, enabling a structured and practical approach to malware analysis. The AAU_MalData dataset, organized in a JSON format data structure, is offered to the research community first as a proof of concept to demonstrate the toolset's feasibility for dynamic malware analysis and second as a potential training ground for anti-malware mechanisms based on host and network Indicators of Compromise (IoCs).

computer science, information systems,telecommunications,engineering, electrical & electronic

Pushpam Devanand Nagdeve,Sharad Jadhav

DOI: https://doi.org/10.46610/joaat.2022.v07i01.001

2022-02-28

Journal of Android and IOS Applications and Testing

Abstract:Malware is suspicious software that nobody wants. It poses threats to the security of the networked system and is also designed to harm services or devices. They are designed to damage any data or to extract data so that cybercriminals can leverage over victims, which is advancing rapidly, states a big challenge for researchers. In this literature review, we did the manual research on the publications. The motive is to look at the available literary works on malware detection and determine how the investigation evolved and progressed based on quantity, content, and publication potential. Described the problems and challenges faced in analyzing malware and identifying system requirements. The goal of this study is to review and examine the literature on malware analysis and analyze how the study of malware has evolved from time to time. In terms of quality and publication outlets, malware has progressed as time goes on and so it becomes complex and later time, it can be difficult to understand its every detail and composition. Enlightening people about what the term malware is about and the variety of anti-evaluation techniques that can be used to thwart forensic evaluations and lessons through the post-investigation results on how to avoid malware analysis.

Alan Nafiiev,Andrii Rodionov

DOI: https://doi.org/10.20535/tacs.2664-29132023.2.277959

2023-11-06

Theoretical and Applied Cybersecurity

Abstract:Cyber wars and cyber attacks are an urgent problem in the global digital environment. Based on existing popular detection methods, malware authors are creating ever more advanced and sophisticated malware. Therefore, this study aims to create a malware analysis system that uses both dynamic and static analysis. Our system is based on a machine learning method - support vector machine. The set of data used was collected from various Internet sources. It consists of 257 executable files in .exe format, 178 of which are malicious and 79 are benign. We use 5 different types of data representation: binary information, trace instructions, control flow graph, information obtained from the dynamic operation of the file, and file metadata. Then, using multiple kernel learning, we combine all data views and create one summative machine learning model.