Rajvardhan Patil,Wei Deng

DOI: https://doi.org/10.1109/southeastcon44009.2020.9368268

2020-01-01

Abstract:In this era, where the volume and diversity of malware is rising exponentially, new techniques need to be employed for faster and accurate identification of the malwares. Manual heuristic inspection of malware analysis are neither effective in detecting new malware, nor efficient as they fail to keep up with the high spreading rate of malware. Machine learning approaches have therefore gained momentum. They have been used to automate static and dynamic analysis investigation where malware having similar behavior are clustered together, and based on the proximity unknown malwares get classified to their respective families. Although many such research efforts have been conducted where data-mining and machine-learning techniques have been applied, in this paper we show how the accuracy can further be improved using deep learning networks. As deep learning offers superior classification by constructing neural networks with a higher number of potentially diverse layers it leads to improvement in automatic detection and classification of the malware variants.In this research, we present a framework which extracts various feature-sets such as system calls, operational codes, sections, and byte codes from the malware files. In the experimental and result section, we compare the accuracy obtained from each of these features and demonstrate that feature vector for system calls yields the highest accuracy. The paper concludes by showing how deep learning approach performs better than the traditional shallow machine learning approaches.

Aparna Sunil Kale,Fabio Di Troia,Mark Stamp

DOI: https://doi.org/10.48550/arXiv.2103.02711

2021-03-04

Abstract:Malware classification is an important and challenging problem in information security. Modern malware classification techniques rely on machine learning models that can be trained on features such as opcode sequences, API calls, and byte $n$-grams, among many others. In this research, we consider opcode features. We implement hybrid machine learning techniques, where we engineer feature vectors by training hidden Markov models -- a technique that we refer to as HMM2Vec -- and Word2Vec embeddings on these opcode sequences. The resulting HMM2Vec and Word2Vec embedding vectors are then used as features for classification algorithms. Specifically, we consider support vector machine (SVM), $k$-nearest neighbor ($k$-NN), random forest (RF), and convolutional neural network (CNN) classifiers. We conduct substantial experiments over a variety of malware families. Our experiments extend well beyond any previous work in this field.

Cryptography and Security,Computation and Language,Machine Learning

Fang-Qi Li,Shi-Lin Wang,Alan Wee-Chung Liew,Weiping Ding,Gong-Shen Liu

DOI: https://doi.org/10.1109/tfuzz.2020.3016023

IF: 12.253

2021-11-01

IEEE Transactions on Fuzzy Systems

Abstract:Classification of malicious software, especially in a very large dataset, is a challenging task for machine intelligence. Malware can have highly diversified features, each of which has highly heterogeneous distributions. These factors increase the difficulties for traditional data analytic approaches to deal with them. Although deep learning based methods have reported good classification performance, the deep models usually lack interpretability and are fragile under adversarial attacks. To solve these problems, fuzzy systems have become a competitive candidate in malware analysis. In this article, a new fuzzy-based approach is proposed for malware classification. We focused on portable executable files in the Windows platform and analyzed the distributions of static features and content-oriented features. Fuzzification was used to reduce the ubiquitous impact of noise and outliers in a very large dataset. Finally, a novel boosted classifier consisted of fuzzy decision trees and support vector machine is proposed to perform the malware classification. By using fuzzy decision trees, the inner structure of the classifier can be readily interpreted as discriminative rules, whereas the novel boosting strategy provides state-of-the-art classification performance. Extensive experimental results showed that our method significantly outperformed several state-of-the-art classifiers.

computer science, artificial intelligence,engineering, electrical & electronic

Viktor Zenkov,Jason Laska

DOI: https://doi.org/10.48550/arXiv.1910.02021

2019-09-22

Abstract:Criminals use malware to disrupt cyber-systems. The number of these malware-vulnerable systems is increasing quickly as common systems, such as vehicles, routers, and lightbulbs, become increasingly interconnected cyber-systems. To address the scale of this problem, analysts divide malware into classes and develop, for each class, a specialized defense. In this project we classified malware with machine learning. In particular, we used a supervised multi-class long short term memory (LSTM) model. We trained the algorithm with thousands of malware files annotated with class labels (the training set), and the algorithm learned patterns indicative of each class. We used disassembled malware files (provided by Microsoft) and separated the constituent data into parsed instructions, which look like human-readable machine code text, and raw bytes, which are hexadecimal values. We are interested in which format, text or hex, is more valuable as input for classification. To solve this, we investigated four cases: a text-only model, a hexadecimal-only model, a multi-input model using both text and hexadecimal inputs, and a model based on combining the individual results. We performed this investigation using the machine learning Python package Keras, which allows easily configurable deep learning architectures and training. We hoped to understand the trade-offs between the different formats. Due to the class imbalance in the data, we used multiple methods to compare the formats, using test accuracies, balanced accuracies (taking into account weights of classes), and an accuracy derived from tables of confusion. We found that the multi-input model, which allows learning on both input types simultaneously, resulted in the best performance. Our finding expedites malware classification research by providing researchers a suitable deep learning architecture to train a tailored version to their malware.

Cryptography and Security,Machine Learning

Junwei Tang,Wei Xu,Tao Peng,Sijie Zhou,Qiaosen Pi,Ruhan He,Xinrong Hu

DOI: https://doi.org/10.1016/j.jisa.2024.103721

IF: 4.96

2024-01-01

Journal of Information Security and Applications

Abstract:Mobile applications have been deeply integrated into the daily life of ordinary users. Android malware seriously threatens the privacy and property security of users. However, code obfuscation and other technologies have reduced the effectiveness of traditional static analysis methods, and more and more studies are extracting grayscale image features for malware detection. We propose a classification method for Android malware based on a novel mixed bytecode image and deep neural network combined with attention mechanism. Firstly, for the executable file of the target malware, read one character every 8 bits, fix the line and width, and output it as a vector. Each element in this vector is between 0 and 255, which is the range of values for grayscale images. Furthermore, the executable files are generated into grayscale images and Markov images, respectively. Then a new texture feature space is constructed by the fusion of grayscale and Markov images using the transfer probability, which is mapped to a two-dimensional space to obtain the mixed image feature. The constructed fusion feature space can more clearly characterize Android malware. What is more, the convolutional attention mechanism is added to ResNet to increase the depth of the network and improve the network effect. Finally, experiments are performed on Drebin and CICMalDroid 2020. Our experimental results show that our method can efficiently perform uniform representation of bytecode sequence files and extract and classify feature sequences. On the basis of mixed image features, the accuracy of malware detection can reach 98.67%, which outperforms the classification based on Markov images, grayscale images and other similar methods.

Maryam Nisa,Jamal Hussain Shah,Shansa Kanwal,Mudassar Raza,Muhammad Attique Khan,Robertas Damaševičius,Tomas Blažauskas

DOI: https://doi.org/10.3390/app10144966

2020-07-19

Applied Sciences

Abstract:As the number of internet users increases so does the number of malicious attacks using malware. The detection of malicious code is becoming critical, and the existing approaches need to be improved. Here, we propose a feature fusion method to combine the features extracted from pre-trained AlexNet and Inception-v3 deep neural networks with features attained using segmentation-based fractal texture analysis (SFTA) of images representing the malware code. In this work, we use distinctive pre-trained models (AlexNet and Inception-V3) for feature extraction. The purpose of deep convolutional neural network (CNN) feature extraction from two models is to improve the malware classifier accuracy, because both models have characteristics and qualities to extract different features. This technique produces a fusion of features to build a multimodal representation of malicious code that can be used to classify the grayscale images, separating the malware into 25 malware classes. The features that are extracted from malware images are then classified using different variants of support vector machine (SVM), k-nearest neighbor (KNN), decision tree (DT), and other classifiers. To improve the classification results, we also adopted data augmentation based on affine image transforms. The presented method is evaluated on a Malimg malware image dataset, achieving an accuracy of 99.3%, which makes it the best among the competing approaches.

Muhammad Furqan Rafique,Muhammad Ali,Aqsa Saeed Qureshi,Asifullah Khan,Anwar Majid Mirza

DOI: https://doi.org/10.48550/arXiv.1910.10958

2020-12-27

Abstract:In the case of malware analysis, categorization of malicious files is an essential part after malware detection. Numerous static and dynamic techniques have been reported so far for categorizing malware. This research presents a deep learning-based malware detection (DLMD) technique based on static methods for classifying different malware families. The proposed DLMD technique uses both the byte and ASM files for feature engineering, thus classifying malware families. First, features are extracted from byte files using two different Deep Convolutional Neural Networks (CNN). After that, essential and discriminative opcode features are selected using a wrapper-based mechanism, where Support Vector Machine (SVM) is used as a classifier. The idea is to construct a hybrid feature space by combining the different feature spaces to overcome the shortcoming of particular feature space and thus, reduce the chances of missing a malware. Finally, the hybrid feature space is used to train a Multilayer Perceptron, which classifies all nine different malware families. Experimental results show that proposed DLMD technique achieves log-loss of 0.09 for ten independent runs. Moreover, the proposed DLMD technique's performance is compared against different classifiers and shows its effectiveness in categorizing malware. The relevant code and database can be found at <a class="link-external link-https" href="https://github.com/cyberhunters/Malware-Detection-Using-Machine-Learning" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security,Machine Learning

Swapnil Singh,Deepa Krishnan,Vidhi Vazirani,Vinayakumar Ravi,Suliman A. Alsuhibany

DOI: https://doi.org/10.1016/j.eij.2024.100539

IF: 4.195

2024-09-15

Egyptian Informatics Journal

Abstract:Malware attacks have escalated significantly with an increase in the number of internet users and connected devices. With the increasingly different types of malware released by hackers, designing new and competitive techniques to detect advanced malware is essential. In the proposed research, we have developed a multi-level feature extraction technique using deep learning architectures and a classification model to classify malware families. The essential features from the malware images are extracted using the Gated Recurrent Unit in the first step, which are further fed to a Convolutional Neural Network model for extracting the final feature vector. The multi-level feature selection is followed by classification into various malware families using Cost-sensitive Boot Strapped Weighted Random Forest (CSBW-RF). The proposed approach gave promising results of 99.58 % accuracy in distinguishing the 25 different malware families on the Mallmg dataset. This hybrid model gave significantly better performance scores for classifying visually similar malware families. The generalizability of the proposed model is benchmarked with the popular Microsoft Big 2015 dataset and has achieved comparatively higher performance scores than many existing models. This benchmarking demonstrates the robustness and scalability of our approach. The use of cost-sensitive learning and bootstrapping techniques also contributed to the model's ability to generalize well to new and unseen data. These enhancements ensure that our model can be effectively applied in diverse real-world scenarios, maintaining high performance across different environments and malware types. This research can contribute to detecting malware attacks and can be integrated in threat monitoring systems. The successful application of this hybrid model indicates its potential for deployment in real-world cybersecurity environments, providing a strong defense against evolving malware threats.

computer science, information systems, artificial intelligence

Muhammad Rehan Naeem,Rashid Amin,Sultan S Alshamrani,Abdullah Alshehri

DOI: https://doi.org/10.1155/2022/6294058

2022-04-21

Abstract:The most often reported danger to computer security is malware. Antivirus company AV-Test Institute reports that more than 5 million malware samples are created each day. A malware classification method is frequently required to prioritize these occurrences because security teams cannot address all of that malware at once. Malware's variety, volume, and sophistication are all growing at an alarming rate. Hackers and attackers routinely design systems that can automatically rearrange and encrypt their code to escape discovery. Traditional machine learning approaches, in which classifiers learn based on a hand-crafted feature vector, are ineffective for classifying malware. Recently, deep convolutional neural networks (CNNs) successfully identified and classified malware. To categorize malware, a smart system has been suggested in this research. A novel model of deep learning is introduced to categorize malware families and multiclassification. The malware file is converted to a grayscale picture, and the image is then classified using a convolutional neural network. To evaluate the performance of our technique, we used a Microsoft malware dataset of 10,000 samples with nine distinct classifications. The findings stood out among the deep learning models with 99.97% accuracy for nine malware types.

Yao Saint Yen,Zhe Wei Chen,Ying Ren Guo,Meng Chang Chen

DOI: https://doi.org/10.48550/arXiv.1912.11249

2019-12-24

Abstract:Deep learning has been used in the research of malware analysis. Most classification methods use either static analysis features or dynamic analysis features for malware family classification, and rarely combine them as classification features and also no extra effort is spent integrating the two types of features. In this paper, we combine static and dynamic analysis features with deep neural networks for Windows malware classification. We develop several methods to generate static and dynamic analysis features to classify malware in different ways. Given these features, we conduct experiments with composite neural network, showing that the proposed approach performs best with an accuracy of 83.17% on a total of 80 malware families with 4519 malware samples. Additionally, we show that using integrated features for malware family classification outperforms using static features or dynamic features alone. We show how static and dynamic features complement each other for malware classification.

Cryptography and Security,Machine Learning

Zilin Zhao,Dawei Zhao,Shumian Yang,Lijuan Xu

DOI: https://doi.org/10.1155/2023/6390023

IF: 1.968

2023-04-19

Security and Communication Networks

Abstract:In recent years, malware has experienced explosive growth and has become one of the most severe security threats. However, feature engineering easily restricts the traditional machine learning methods-based malware classification and is hard to deal with massive malware. At the same time, the dynamic analysis methods have the problems of complex operation and high cost, which are not suitable for efficiently classifying large quantities of malware. Therefore, we propose a novel static malware detection method based on this study's AlexNet convolutional neural network (CNN). Unlike existing solutions, we convert all malware bytes into color images, propose an improved AlexNet architecture, and solve the unbalanced datasets with the data enhancement method. Extensive experiments are performed using the Microsoft malware dataset and the Google Code Jam (GCJ) dataset. The experimental results show that the accuracy of the Microsoft malware dataset reaches 99.99%, and the GCJ dataset reaches 99.38%. We also verify that our method can better extract the texture features of malware and improve the accuracy and detection efficiency.

computer science, information systems,telecommunications

Sanjay Sharma,C. Rama Krishna,Sanjay K. Sahay

DOI: https://doi.org/10.48550/arXiv.1903.02966

2019-03-07

Abstract:In today's digital world most of the anti-malware tools are signature based which is ineffective to detect advanced unknown malware viz. metamorphic malware. In this paper, we study the frequency of opcode occurrence to detect unknown malware by using machine learning technique. For the purpose, we have used kaggle Microsoft malware classification challenge dataset. The top 20 features obtained from fisher score, information gain, gain ratio, chi-square and symmetric uncertainty feature selection methods are compared. We also studied multiple classifier available in WEKA GUI based machine learning tool and found that five of them (Random Forest, LMT, NBT, J48 Graft and REPTree) detect malware with almost 100% accuracy.

Cryptography and Security,Machine Learning

Yunsick Sung,Sejun Jang,Young-Sik Jeong,Jong Hyuk Park,Jong Hyuk (James J.) Park

DOI: https://doi.org/10.1016/j.comcom.2020.02.005

IF: 5.047

2020-03-01

Computer Communications

Abstract:Recently, Internet of Drones (IoD) are issued to utilize the diverse kinds of drones for leisure, education and so on. Researchers study to prevent the situations that drones are disabled by cyber-attackers by embedding malwares into the drones and Ground Control Stations (GCS). Therefore, it is required to protect the malwares considering the diverse kinds of features of the drones and GCSs. Signature-based detection approaches are traditionally utilized. However, given that those approaches only scan files partially, some of malwares are not detected. This paper proposes a novel method for finding the malwares in GCSs that utilizes a fastText model to create lower-dimension vectors than those the vectors by one-hot encoding and a bidirectional LSTM model to analyze the correlation with sequential opcodes. In addition, API function names are utilized to increase the classification accuracy of the sequential opcodes. In the experiments, the Microsoft malware classification challenge dataset was utilized and the malwares in the dataset were classified by family types. The proposed method showed the performance improvement of 1.87% comparing with the performance by a one-hot encoding-based approach. When the proposed method was compared with a similar decision tree-based malware detection approach, the performance of the proposed method was improved by 0.76%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiaoqian Yun,Hongmei Zhang,Xiaoxiong Zhong,Xiaofang Deng

DOI: https://doi.org/10.1109/ICCT56141.2022.10073202

2022-11-11

Abstract:Due to the constant updates of malware and its variants and the continuous development of malware obfuscation techniques. Malware intrusions targeting Windows hosts are also on the rise. Traditional static analysis methods such as signature matching mechanisms have been difficult to adapt to the detection of new malware. Therefore, a novel visual detection method of malware is proposed for first-time to convert the Windows API call sequence with sequential nature into feature images based on the Gramian Angular Field (GAF) idea, and train a neural network to identify malware. The experimental results demonstrate the effectiveness of our proposed method. For the binary classification of malware, the GAF visualization image of the API call sequence is compared with its original sequence. After GAF visualization, the classification accuracy of the classic machine learning model MLP is improved by 9.64%, and the classification accuracy of the deep learning model CNN is improved by 4.82%. Furthermore, our experiments show that the proposed method is also feasible and effective for the multi-class classification of malware.

Computer Science

Hemant Rathore,Swati Agarwal,Sanjay K. Sahay,Mohit Sewak

DOI: https://doi.org/10.1007/978-3-030-04780-1_28

2019-04-04

Abstract:Research shows that over the last decade, malware has been growing exponentially, causing substantial financial losses to various organizations. Different anti-malware companies have been proposing solutions to defend attacks from these malware. The velocity, volume, and the complexity of malware are posing new challenges to the anti-malware community. Current state-of-the-art research shows that recently, researchers and anti-virus organizations started applying machine learning and deep learning methods for malware analysis and detection. We have used opcode frequency as a feature vector and applied unsupervised learning in addition to supervised learning for malware classification. The focus of this tutorial is to present our work on detecting malware with 1) various machine learning algorithms and 2) deep learning models. Our results show that the Random Forest outperforms Deep Neural Network with opcode frequency as a feature. Also in feature reduction, Deep Auto-Encoders are overkill for the dataset, and elementary function like Variance Threshold perform better than others. In addition to the proposed methodologies, we will also discuss the additional issues and the unique challenges in the domain, open research problems, limitations, and future directions.

Cryptography and Security,Machine Learning

Ritik Mehta,Olha Jurečková,Mark Stamp

2023-07-08

Abstract:Many different machine learning and deep learning techniques have been successfully employed for malware detection and classification. Examples of popular learning techniques in the malware domain include Hidden Markov Models (HMM), Random Forests (RF), Convolutional Neural Networks (CNN), Support Vector Machines (SVM), and Recurrent Neural Networks (RNN) such as Long Short-Term Memory (LSTM) networks. In this research, we consider a hybrid architecture, where HMMs are trained on opcode sequences, and the resulting hidden states of these trained HMMs are used as feature vectors in various classifiers. In this context, extracting the HMM hidden state sequences can be viewed as a form of feature engineering that is somewhat analogous to techniques that are commonly employed in Natural Language Processing (NLP). We find that this NLP-based approach outperforms other popular techniques on a challenging malware dataset, with an HMM-Random Forrest model yielding the best results.

Cryptography and Security,Machine Learning

Dan Li,Lichao Zhao,Qingfeng Cheng,Ning Lu,Wenbo Shi

DOI: https://doi.org/10.1002/cpe.5308

2019-01-01

Abstract:SummaryThe number of malware has exploded due to the openness of the Android platform, and the endless stream of malware poses a threat to the privacy, tariffs, and device of mobile phone users. A novel Android mobile malware detection system is proposed, which employs an optimized deep convolutional neural network to learn from opcode sequences. The optimized convolutional neural network is trained multiple times by the raw opcode sequences extracted from the decompiled Android file, so that the feature information can be effectively learned and the malicious program can be detected more accurately. More critically, the k‐max pooling method with better results is adopted in the pooling operation phase, which improves the detection effect of the proposed method. The experimental results show that the detection system achieved the accuracy of 99%, which is 2%‐11% higher than the accuracy of the machine learning detection algorithms when using the same data set. It also ensures that the indicators, such as F1‐score, recall, and precision, are maintained above 97%. Based on the detection system, a multi–data set comparison experiment is carried out. The introduced k‐max pooling is deeply studied, and the effect of k of k‐max pooling on the overall detection effect is observed.

Jiaqi Yan,Guanhua Yan,Dong Jin

DOI: https://doi.org/10.1109/dsn.2019.00020

2019-01-01

Abstract:Malware have been one of the biggest cyber threats in the digital world for a long time. Existing machine learning based malware classification methods rely on handcrafted features extracted from raw binary files or disassembled code. The diversity of such features created has made it hard to build generic malware classification systems that work effectively across different operational environments. To strike a balance between generality and performance, we explore new machine learning techniques to classify malware programs represented as their control flow graphs (CFGs). To overcome the drawbacks of existing malware analysis methods using inefficient and nonadaptive graph matching techniques, in this work, we build a new system that uses deep graph convolutional neural network to embed structural information inherent in CFGs for effective yet efficient malware classification. We use two large independent datasets that contain more than 20K malware samples to evaluate our proposed system and the experimental results show that it can classify CFG-represented malware programs with performance comparable to those of the state-of-the-art methods applied on handcrafted malware features.

Ashu Sharma,Sanjay K. Sahay

DOI: https://doi.org/10.48550/arXiv.1606.06897

2016-06-22

Cryptography and Security

Abstract:Combating malware is very important for software/systems security, but to prevent the software/systems from the advanced malware, viz. metamorphic malware is a challenging task, as it changes the structure/code after each infection. Therefore in this paper, we present a novel approach to detect the advanced malware with high accuracy by analyzing the occurrence of opcodes (features) by grouping the executables. These groups are made on the basis of our earlier studies [1] that the difference between the sizes of any two malware generated by popular advanced malware kits viz. PS-MPC, G2 and NGVCK are within 5 KB. On the basis of obtained promising features, we studied the performance of thirteen classifiers using N-fold cross-validation available in machine learning tool WEKA. Among these thirteen classifiers we studied in-depth top five classifiers (Random forest, LMT, NBT, J48 and FT) and obtain more than 96.28% accuracy for the detection of unknown malware, which is better than the maximum detection accuracy (95.9%) reported by Santos et al (2013). In these top five classifiers, our approach obtained a detection accuracy of 97.95% by the Random forest.

Omar A. Alzubi,Issa Qiqieh,Jafar A. Alzubi

DOI: https://doi.org/10.1007/s10586-022-03686-0

2022-08-04

Cluster Computing

Abstract:In recent years, the exponential growth of malware has posed a significant security threat to intelligent systems. Earlier static and dynamic analysis methods fail to achieve effective recognition rate and incurs high computational complexity. The recently developed machine learning (ML) and deep learning (DL) models can be employed to detect and classify cyberattacks and Malware efficiently. This paper presents a fusion of deep learning based cyberattack detection and classification model for intelligent systems named FDL-CADIS technique. The proposed FDL-CADIS technique transforms the Malware binary files into two-dimensional images, which are then classified by the fusion model. The FDL-CADIS technique employs the binary input images into the MobileNetv2 model for the extraction of features and the hyper parameter tuning process takes place utilizing the black widow optimization technique. The MobileNetv2 model derives all features from the Malware dataset and trains the model using the derived features. Finally, an ensemble of voting based classifiers, including gated recurrent unit and long short-term memory techniques, for Malware cyberattack detection and classification was developed. A comprehensive range of experimental analysis is performed against the benchmark dataset to demonstrate the FDL-CADIS technique's promising performance. According to the comparative analysis of the results, the FDL-CADIS technique outperformed current approaches.