Dynamic malware detection and phylogeny analysis using process mining

International Journal of Information Security - In the last years, mobile phones have become essential communication and productivity tools used daily to access business services and exchange...     

Automatic malware classification and new malware detection using machine learning

The explosive growth of malware variants poses a major threat to information security. Traditional anti-virus systems based on signatures fail to classify unknown malware into their corresponding families and to detect new kinds of malware programs. Therefore, we propose a machine learning based malware analysis system, which is composed of three modules: data processing, decision making, and new malware detection. The data processing module deals with gray-scale images, Opcode n-gram, and import functions, which are employed to extract the features of the malware. The decision-making module uses the features to classify the malware and to identify suspicious malware. Finally, the detection module uses the shared nearest neighbor (SNN) clustering algorithm to discover new malware families. Our approach is evaluated on more than 20 000 malware instances, which were collected by Kingsoft, ESET NOD32, and Anubis. The results show that our system can effectively classify the unknown malware with a best accuracy of 98.9%, and successfully detects 86.7% of the new malware.     

A comparison of static,dynamic, and hybrid analysis for malware detection

In this research, we compare malware detection techniques based on static, dynamic, and hybrid analysis. Specifically, we train Hidden Markov Models (HMMs) on both static and dynamic feature sets and compare the resulting detection rates over a substantial number of malware families. We also consider hybrid cases, where dynamic analysis is used in the training phase, with static techniques used in the detection phase, and vice versa. In our experiments, a fully dynamic approach generally yields the best detection rates. We discuss the implications of this research for malware detection based on hybrid techniques.     

Visual malware detection using local malicious pattern

Journal of Computer Virology and Hacking Techniques - In recent years, malware authors have had significant developments in offering new generations of malware and have tried to use different...     

基于深度学习的安卓恶意应用检测

针对传统安卓恶意程序检测技术检测准确率低,对采用了重打包和代码混淆等技术的安卓恶意程序无法成功识别等问题,设计并实现了DeepDroid算法。首先,提取安卓应用程序的静态特征和动态特征,结合静态特征和动态特征生成应用程序的特征向量;然后,使用深度学习算法中的深度置信网络（DBN）对收集到的训练集进行训练,生成深度学习网络;最后,利用生成的深度学习网络对待测安卓应用程序进行检测。实验结果表明,在使用相同测试集的情况下,DeepDroid算法的正确率比支持向量机（SVM）算法高出3.96个百分点,比朴素贝叶斯（Naive Bayes）算法高出12.16个百分点,比K最邻近（KNN）算法高出13.62个百分点。DeepDroid算法结合了安卓应用程序的静态特征和动态特征,采用了动态检测和静态检测相结合的检测方法,弥补了静态检测代码覆盖率不足和动态检测误报率高的缺点,在特征识别的部分采用DBN算法使得网络训练速度得到保证的同时还有很高的检测正确率。     

基于深度置信网络的Android恶意软件检测

针对采用重打包和代码混淆技术的Android恶意软件检测准确率低的问题,提出了一种基于深度置信网络的Android恶意软件检测算法。通过自动化提取Android应用软件的特征,构建对应的特征向量,训练基于深度置信网络的深度学习模型,实现了一种新的基于深度置信网络的Android恶意软件检测算法。实验结果表明,基于深度置信网络的深度学习模型可以更好地表征Android恶意软件,其检测效果也明显优于传统的机器学习模型。     

Joint network-host based malware detection using information-theoretic tools

In this paper, we propose two joint network-host based anomaly detection techniques that detect self-propagating malware in real-time by observing deviations from a behavioral model derived from a benign data profile. The proposed malware detection techniques employ perturbations in the distribution of keystrokes that are used to initiate network sessions. We show that the keystrokes’ entropy increases and the session-keystroke mutual information decreases when an endpoint is compromised by a self-propagating malware. These two types of perturbations are used for real-time malware detection. The proposed malware detection techniques are further compared with three prominent anomaly detectors, namely the maximum entropy detector, the rate limiting detector and the credit-based threshold random walk detector. We show that the proposed detectors provide considerably higher accuracy with almost 100% detection rates and very low false alarm rates.     

基于动静结合的Android恶意代码行为相似性检测

针对同种族恶意软件行为具有相似性的特点进行研究,提出通过静态分析和动态运行程序相结合的方式度量软件行为的相似性。通过反编译和soot代码转换框架获取程序控制流图,利用行为子图匹配算法从静态方面对程序行为相似性进行度量;通过自动化测试框架运行程序,利用文本无关压缩算法将捕获到的trace文件压缩后进行相似性度量。该检测方法综合静态检测执行效率高和动态检测准确率高的优点,实验分析表明,该检测技术能够准确度量程序之间行为的相似性,在准确率上相较于Androidguard有大幅提升。     

Fraud and financial crime detection model using malware forensics

Recently various electronic financial services are provided by development of electronic devices and communication technology. By diversified electronic financial services and channels, users of none face-to-face electronic financial transaction services continuously increase. At the same time, under financial security environment, leakage threats of inside information and security threats against financial transaction users steadily increase. Accordingly, in this paper, based on framework standards of financial transaction detection and response, digital forensics techniques that has been used to analyze system intrusion incidents traditionally is used to detect anomaly transactions that may occur in the user terminal environment during electronic financial transactions. Particularly, for the method to analyze user terminals, automated malware forensics techniques that is used as supporting tool for malware code detection and analysis is used, and for the method to detect anomaly prior behaviors and transaction patterns of users, moving average based on the statistical basis is applied. In addition, the risk point calculation model is proposed by scoring anomaly transaction cases in the detection step by items. This model logs calculated risk point results as well as maintains incident accountability, which can be utilized as basic data for establishing security incident response and security policies.     

HybriDroid: an empirical analysis on effective malware detection model developed using ensemble methods

The Journal of Supercomputing - Malware detection from the smartphone has become a challenging issue for academicians and researchers. In this research paper, we applied five distinct machine...     

Multimodal information fusion for android malware detection using lazy learning

Multimedia Tools and Applications - Android has a large number of users that are accumulating with each passing day. Security of the Android ecosystem is a major concern for these users with the...     

Structural analysis of binary executable headers for malware detection optimization

In the context of the OpenDAVFI project (a fork of the French initiative DAVFI for giving birth to a new generation, open antivirus engine which has been funded by the French Government), different AV filters have been developped and chained to detect both known and unknown malware very accurately while requiring a very limited number of updates. While most AV software use different static and dynamic detection techniques which are mostly based on the general concept of (static or heuristic) signature, we have observed that many malware do not comply to the Microsoft specifications with respect to the MZ-PE format. In this technical correspondence, we present structural analysis tests which have been implemented in the DAVFI/OpenDAVFi project. These tests accurately detect malware and therefore greatly reduce the number of malware that have to be analyzed by subsequent modules in our detection chain.     

Entropy analysis to classify unknown packing algorithms for malware detection

The proportion of packed malware has been growing rapidly and now comprises more than 80 % of all existing malware. In this paper, we propose a method for classifying the packing algorithms of given unknown packed executables, regardless of whether they are malware or benign programs. First, we scale the entropy values of a given executable and convert the entropy values of a particular location of memory into symbolic representations. Our proposed method uses symbolic aggregate approximation (SAX), which is known to be effective for large data conversions. Second, we classify the distribution of symbols using supervised learning classification methods, i.e., naive Bayes and support vector machines for detecting packing algorithms. The results of our experiments involving a collection of 324 packed benign programs and 326 packed malware programs with 19 packing algorithms demonstrate that our method can identify packing algorithms of given executables with a high accuracy of 95.35 %, a recall of 95.83 %, and a precision of 94.13 %. We propose four similarity measurements for detecting packing algorithms based on SAX representations of the entropy values and an incremental aggregate analysis. Among these four metrics, the fidelity similarity measurement demonstrates the best matching result, i.e., a rate of accuracy ranging from 95.0 to 99.9 %, which is from 2 to 13  higher than that of the other three metrics. Our study confirms that packing algorithms can be identified through an entropy analysis based on a measure of the uncertainty of the running processes and without prior knowledge of the executables.     

基于免疫原理的恶意软件检测模型*

针对恶意软件检测尤其是未知恶意软件检测的不足,提出一种基于免疫原理的恶意软件检测模型,该模型采用程序运行时产生的IRP请求序列作为抗原,定义系统中的正常程序为自体,恶意程序为非自体,通过选定数量的抗体,采用人工免疫原理对非自体进行识别。实验结果表明,此模型在恶意软件的检测方面具有较高的准确率,且误报和漏报率较低,是一种有效的恶意软件检测方法。     

AIHGAT: A novel method of malware detection and homology analysis using assembly instruction heterogeneous graph

International Journal of Information Security - At present, the trend of familiarization of malicious code is becoming more and more obvious, and the research on the homology of malware (the...     

Discovering optimal features using static analysis and a genetic search based method for Android malware detection

Mobile device manufacturers are rapidly producing miscellaneous Android versions worldwide. Simultaneously, cyber criminals are executing malicious actions, such as tracking user activities, stealing personal data, and committing bank fraud. These criminals gain numerous benefits as too many people use Android for their daily routines, including important communi-cations. With this in mind, security practitioners have conducted static and dynamic analyses to identify malware. This study used static analysis because of its overall code coverage, low resource consumption, and rapid processing. However, static analysis requires a minimum number of features to efficiently classify malware. Therefore, we used genetic search (GS), which is a search based on a genetic algorithm (GA), to select the features among 106 strings. To evaluate the best features determined by GS, we used five machine learning classifiers, namely, Naïve Bayes (NB), functional trees (FT), J48, random forest (RF), and multilayer perceptron (MLP). Among these classifiers, FT gave the highest accuracy (95%) and true positive rate (TPR) (96.7%) with the use of only six features.     

A graph-based model for malware detection and classification using system-call groups

In this paper we present a graph-based model that, utilizing relations between groups of System-calls, detects whether an unknown software sample is malicious or benign, and classifies a malicious software to one of a set of known malware families. More precisely, we utilize the System-call Dependency Graphs (or, for short, ScD-graphs), obtained by traces captured through dynamic taint analysis. We design our model to be resistant against strong mutations applying our detection and classification techniques on a weighted directed graph, namely Group Relation Graph, or Gr-graph for short, resulting from ScD-graph after grouping disjoint subsets of its vertices. For the detection process, we propose the \(\Delta \)-similarity metric, and for the process of classification, we propose the SaMe-similarity and NP-similarity metrics consisting the SaMe-NP similarity. Finally, we evaluate our model for malware detection and classification showing its potentials against malicious software measuring its detection rates and classification accuracy.     

基于对象语义的恶意代码检测方法

恶意代码变种给信息系统安全造成了巨大威胁, 为有效检测变种恶意代码, 通过动态监控、解析系统调用及参数, 将不同对象操作关联到同一对象, 构建对象状态变迁图, 然后对状态变迁图进行抗混淆处理, 获取具有一定抗干扰性的恶意代码行为特征图。最后, 基于该特征图检测未知代码。实验结果表明, 该方法能够有效抵抗恶意代码重排、垃圾系统调用等混淆技术干扰, 而且误报率低, 在检测变种恶意代码时具有较好的效果。     

Graph-based predictable feature analysis

We propose graph-based predictable feature analysis (GPFA), a new method for unsupervised learning of predictable features from high-dimensional time series, where high predictability is understood very generically as low variance in the distribution of the next data point given the previous ones. We show how this measure of predictability can be understood in terms of graph embedding as well as how it relates to the information-theoretic measure of predictive information in special cases. We confirm the effectiveness of GPFA on different datasets, comparing it to three existing algorithms with similar objectives—namely slow feature analysis, forecastable component analysis, and predictable feature analysis—to which GPFA shows very competitive results.