Results 1 - 10 of 13
Opcode sequences as representation of executables for data-mining-based unknown malware detection
INFORMATION SCIENCES 227, 2013
Cited by 12 (0 self)
Abstract:
Malware can be defined as any type of malicious code that has the potential to harm a computer or network. The volume of malware is growing faster every year and poses a serious global security threat. Consequently, malware detection has become a critical topic in computer security. Currently, signature-based detection is the most widespread method used in commercial antivirus. In spite of the broad use of this method, it can detect malware only after the malicious executable has already caused damage and provided the malware is adequately documented. Therefore, the signature-based method consistently fails to detect new malware. In this paper, we propose a new method to detect unknown malware families. This model is based on the frequency of the appearance of opcode sequences. Furthermore, we describe a technique to mine the relevance of each opcode and assess the frequency of each opcode sequence. In addition, we provide empirical validation that this new method is capable of detecting unknown malware.
Denial-of-service attacks on host-based generic unpackers
BERLIN HEIDELBERG, 2009
Cited by 3 (2 self)
Abstract:
With the advance of packing techniques, a few generic and automatic unpackers have been proposed. These unpackers are designed to automatically unpack packed binaries without specific knowledge of the packing techniques used. In this paper, we present an automatic packer with which packed malware forges spurious unpacking behaviors that lead to a denial-of-service attack on host-based generic unpackers. We present the design, implementation, and evaluation of the proposed packer and malware produced using the proposed packer, and show the success of denial-of-service attacks on host-based generic unpackers.
NOA: AN INFORMATION RETRIEVAL BASED MALWARE DETECTION SYSTEM
Cited by 2 (0 self)
Abstract:
Communicated by Deepak Gang
Malware refers to any type of code written with the intention of harming a computer or network. The quantity of malware being produced is increasing every year and poses a serious global security threat. Hence, malware detection is a critical topic in computer security. Signature-based detection is the most widespread method used in commercial antivirus solutions. However, signature-based detection can detect malware only once the malicious executable has caused damage and has been conveniently registered and documented. Therefore, the signature-based method fails to detect obfuscated malware variants. In this paper, a new malware detection system is proposed based on information retrieval. For the representation of executables, the frequency of the appearance of opcode sequences is used. Through this architecture a malware detection system prototype is developed and evaluated in terms of performance, malware variant recall (false negative ratio) and false positive.
MALWARE DETECTION BASED ON STRUCTURAL AND BEHAVIOURAL FEATURES OF API CALLS
Cited by 2 (1 self)
Abstract:
In this paper, we propose a five-step approach to detect obfuscated malware by investigating the structural and behavioural features of API calls. We have developed a fully automated system to disassemble and extract API call features effectively from executables. Using n-gram statistical analysis of binary content, we are able to classify if an executable file is malicious or benign. Our experimental results with a dataset of 242 malwares and 72 benign files have shown a promising accuracy of 96.5% for the unigram model. We also provide a preliminary analysis by our approach using support vector machine (SVM) and, by varying n-values from 1 to 5, we have analysed the performance measures that include accuracy, false positives and false negatives. By applying SVM, we propose to train the classifier and derive an optimum n-gram model for detecting both known and unknown malware efficiently. Keywords: Code obfuscation, Feature extraction, Malware, n-gram, SVM.
Active Malware Analysis using Stochastic Games
Cited by 1 (0 self)
Abstract:
Cyber security is increasingly important for defending computer systems from loss of privacy or unauthorised use. One important aspect is threat analysis — how does an attacker infiltrate a system and what do they want once they are inside. This paper considers the problem of Active Malware Analysis, where we learn about the human or software intruder by actively interacting with it with the goal of learning about its behaviours and intentions, whilst at the same time that intruder may be trying to avoid detection or showing those behaviours and intentions. This game-theoretic active learning is then used to obtain a behavioural clustering of malware, an important contribution for both understanding malware at a high level and more crucially, for the deployment of effective anti-malware defences. This paper
Using Opcode Sequences in Single-Class Learning to Detect Unknown Malware
Cited by 1 (0 self)
Abstract:
Malware is any type of malicious code that has the potential to harm a computer or network. The volume of malware is growing at a faster rate every year and poses a serious global security threat. Although signature-based detection is the most widespread method used in commercial antivirus programs, it consistently fails to detect new malware. Supervised machine-learning models have been used to address this issue. However, the use of supervised learning is limited because it needs a large amount of malicious code and benign software to first be labelled. In this paper, we propose a new method that uses single-class learning to detect unknown malware families. This method is based on examining the frequencies of the appearance of opcode sequences to build a machine-learning classifier using only one set of labelled instances within a specific class of either malware or legitimate software. We performed an empirical study that shows that this method can reduce the effort of labelling software while maintaining high accuracy.
CodeXt: Automatic Extraction of Obfuscated Attack Code from Memory Dump
Cited by 1 (0 self)
Abstract:
In this paper, we present CodeXt—a novel malware code extraction framework built upon selective symbolic execution (S2E). Upon real-time detection of the attack, CodeXt is able to automatically and accurately pinpoint the exact start and boundaries of the attack code even if it is mingled with random bytes in the memory dump. CodeXt has a generic way of handling self-modifying code and multiple layers of encoding, and it can automatically extract the complete hidden and transient code protected by multiple layers of sophisticated encoders without using any signature or pattern of the decoder. To the best of our knowledge, CodeXt is the first tool that can automatically extract code protected by Metasploit’s polymorphic xor additive feedback encoder Shikata-Ga-Nai, as well as transient code protected by multi-layer incremental encoding.
Towards a Sandbox for the Deobfuscation and Dissection of PHP Malware: A Literature Survey
Abstract:
The creation and proliferation of Remote Access Trojans (or web shells) capable of compromising web platforms has fuelled research into automated methods of dissecting and analysing these shells. In the past, such shells were ably detected using signature matching, a process that is currently unable to cope with the sheer volume and variety of web-based malware in circulation. This survey describes and evaluates some of the notable solutions that have been proposed to address the twin problems of code deobfuscation and dissection with the aim of identifying viable and automatable analysis techniques.
Windows API based Malware Detection and Framework Analysis
Abstract:
Detection of zero-day malware has been a great challenge for researchers for a long time. Traditional signature-based antimalware scanners detect malware based on their unique signatures. The major drawback of such traditional signature-based scanners is that they have no protection against zero-day or unseen malware. Further, the usage of packers and obfuscation techniques has empowered malware writers to recreate malware variants quickly with slight or no change in malcode. These new variants are undetectable by traditional signature-based scanners until their signatures are present in the database. Therefore researchers are working towards finding patterns or features which have unchangeable characteristics of malware even though the malware mutates or obfuscates itself. To address the limitation of traditional signature-based scanners, we propose a malware detection method based on extracting relevant application programming interface (API) calls from sub-categories of malware. These malware are categorized based on their infection mechanism and actions performed. And because of their fundamental difference in infection mechanism, they do not share similar types of API calls across all malware categories. In this paper, we elucidate an automated framework for analyzing and classifying executables based on their relevant API calls. We explain all the software components used to make the framework fully automatic for extracting API calls. We further explain the Document Class wise Frequency feature selection measure (DCFS) to get the relevant API calls from the extracted API calls to increase the detection rate. We conclude the paper with our experimental result and discussion.