MARD: A Framework for Metamorphic Malware Analysis and Real-Time Detection
In Advanced Information Networking and Applications, Research Track – Security and Privacy, AINA ’14, 2014
Cited by 5 (5 self)
Because of the financial and other gains attached with the growing malware industry, there is a need to automate the process of malware analysis and provide real-time malware detection. To hide a malware, obfuscation techniques are used. One such technique is metamorphism encoding that mutates the dynamic binary code and changes the opcode with every run to avoid detection. This makes malware difficult to detect in real-time and generally requires a behavioral signature for detection. In this paper we present a new framework called MARD for Metamorphic Malware Analysis and Real-Time Detection, to protect the end points that are often the last defense, against metamorphic malware. MARD provides: (1) automation (2) platform independence (3) optimizations for real-time performance and (4) modularity. We also present a comparison of MARD with other such recent efforts. Experimental evaluation of MARD achieves a detection rate of 99.6% and a false positive rate of 4%.
Statistical Analysis Between Malware and Benign Based on IA-32 Instruction
Malicious software is one of the serious threats in the information society. As a natural result of evolved malicious software, techniques for detecting malicious software are also in progress. Statistical data about existing malicious software is most important for detecting new malicious software. Studies of statistical malicious software analysis so far have mainly focused only on the opcode, which is a part of the whole instruction. This paper analyses the statistical data which considers the whole instruction, not only the opcode but also 5 types of operands. We find out that the majority of instructions in both benign and malicious software are related to function calls, and it cannot be a good predictor for detecting malicious software. But, when the benign instruction frequency gets smaller, the relation between rare instructions and malicious software classes multiplies. Also, this paper discovers some instructions which are only used in malicious software.
Subroutine Entry Point Recognition Using Data Mining
This paper introduces a novel approach to subroutine entry point recognition using data mining. The proposed method applies a Naïve Bayes classifier over features consisting of sequences of normalized disassembled instructions and sequences of preceding bytes. These features combined account for properties of compilers that introduce code at the start of subroutines and padding bytes before the start of subroutines. Experiments were conducted on a dataset consisting of Windows PE32 x86 binaries generated from a collection of small open-source applications for Windows using several compiler settings. Ten-fold cross-validation was applied for training and testing the classifier. The proposed method achieves an average true positive rate of 98% with a false positive rate of 0.7% for certain features.
ISMAILA IDRIS,
This paper initializes a two-element concentration vector as a feature vector for classification and spam detection. The negative selection algorithm proposed by the immune system in solving problems in spam detection is used to distinguish spam from non-spam (self from non-self). Self concentration and non-self concentration are generated to form two-element concentration vectors. In this approach to e-mail classification, the e-mails are considered as an optimization problem using a genetic algorithm to minimize the cost function that was generated, and then classification of these cost functions shall aid in creating a classifier. This classifier will aid in the formation of a new algorithm that comprises both a greater detector efficiency rate and also speedy detection of spam e-mail. The algorithm implementation of the research work shall come in stages where spam and non-spam are detected in all phases for an efficient classifier.
Back to Static Analysis for Kernel-Level Rootkit Detection
A rootkit’s main goal is to hide itself and other modules present in the malware. Their stealthy nature has made their detection further difficult, especially in the case of kernel-level rootkits. There have been many dynamic analysis techniques proposed for detecting kernel-level rootkits, while on the other hand, static analysis has not been popular. This is perhaps due to its poor performance in detecting malware in general, which could be attributed to the level of obfuscation employed in binaries, which makes static analysis difficult if not impossible. In this manuscript we make two important observations: first, there is usually little obfuscation used in legitimate kernel-level code, as opposed to malicious kernel-level code. Second, one of the main approaches to penetrate the Windows operating system is through kernel-level drivers. Therefore, by focusing on detecting malicious kernel drivers employed by the rootkit, one could detect the rootkit while avoiding the issues with current detection techniques. Given these two observations, we propose a simple static analysis technique with the aim of detecting malicious drivers. We first study the current trends in the implementation of kernel-level rootkits. Afterwards, we propose a set of features to quantify the malicious behavior in kernel drivers. These features are then evaluated through a set of experiments on 4420 malicious and legitimate drivers, obtaining an accuracy of 98.15% in distinguishing between these drivers. Index Terms — Malware, Rootkit, Static analysis, Kernel driver.
Comparative Analysis of Feature Extraction Methods of Malware Detection
Recent years have encountered massive growth in malware, which poses a severe threat to modern computers and internet security. Existing malware detection systems are confronted with unknown malware variants. Recently developed malware detection systems found that the diverse forms of malware exhibit similar patterns in their structure with minor variations. Hence, it is required to discriminate the types of features extracted for detecting malware, so that the potential of a malware detection system can be leveraged to combat unfamiliar malware. We mainly focus on the categorization of features based on malware analysis. This paper highlights the general framework of a malware detection system and pinpoints the strengths and weaknesses of each method. Finally, we present an overview of the performance of present malware detection systems based on features.
SVM Based Effective Malware Detection System
Malware is coined as an instance of malicious code that has the potential to harm a computer or network. Recent years have encountered massive growth in malware, as existing signature-based malware detection approaches are becoming ineffective and intractable. Cyber criminals and malware developers have adopted code obfuscation techniques which undermine the effectiveness of malware defense mechanisms. Hence we propound a system which focuses on static analysis in addition to automated behavior analysis in an emulated environment, generating behavior reports to investigate malware. The proposed method represents programs as opcode density histograms and reduces the explosion of features. We employed eigenvector subspace analysis to filter and diminish the misclassification and interference of features. Our system uses a hybrid approach for discovering malware based on a support vector machine classifier, so that the potential of the malware detection system can be leveraged to combat diverse forms of malware while attaining high accuracy and low false alarms.