Opcode sequences as representation of executables for data-mining-based unknown malware detection
- INFORMATION SCIENCES 227
, 2013
Cited by 12 (0 self)
Malware can be defined as any type of malicious code that has the potential to harm a computer or network. The volume of malware is growing faster every year and poses a serious global security threat. Consequently, malware detection has become a critical topic in computer security. Currently, signature-based detection is the most widespread method used in commercial antivirus. In spite of the broad use of this method, it can detect malware only after the malicious executable has already caused damage and provided the malware is adequately documented. Therefore, the signature-based method consistently fails to detect new malware. In this paper, we propose a new method to detect unknown malware families. This model is based on the frequency of the appearance of opcode sequences. Furthermore, we describe a technique to mine the relevance of each opcode and assess the frequency of each opcode sequence. In addition, we provide empirical validation that this new method is capable of detecting unknown malware.
Malware Analysis and Classification: A Survey
- Journal of Information Security
, 2014
Cited by 3 (1 self)
One of the major and serious threats on the Internet today is malicious software, often referred to as malware. The malware designed by attackers is polymorphic and metamorphic, with the ability to change its code as it propagates. Moreover, the diversity and volume of its variants severely undermine the effectiveness of traditional defenses, which typically use signature-based techniques and are unable to detect previously unknown malicious executables. The variants of malware families share typical behavioral patterns reflecting their origin and purpose. The behavioral patterns, obtained either statically or dynamically, can be exploited to detect and classify unknown malware into its known families using machine learning techniques. This survey paper provides an overview of techniques for analyzing and classifying malware.
NOA: AN INFORMATION RETRIEVAL BASED MALWARE DETECTION SYSTEM
Cited by 2 (0 self)
Communicated by Deepak Gang
Malware refers to any type of code written with the intention of harming a computer or network. The quantity of malware being produced is increasing every year and poses a serious global security threat. Hence, malware detection is a critical topic in computer security. Signature-based detection is the most widespread method used in commercial antivirus solutions. However, signature-based detection can detect malware only once the malicious executable has caused damage and has been conveniently registered and documented. Therefore, the signature-based method fails to detect obfuscated malware variants. In this paper, a new malware detection system is proposed based on information retrieval. For the representation of executables, the frequency of the appearance of opcode sequences is used. Through this architecture a malware detection system prototype is developed and evaluated in terms of performance, malware variant recall (false negative ratio) and false positive ratio.
COLLECTIVE CLASSIFICATION FOR UNKNOWN MALWARE DETECTION
Cited by 2 (0 self)
Malware is any type of computer software harmful to computers and networks. The amount of malware is increasing every year and poses a serious global security threat. Signature-based detection is the most broadly used commercial antivirus method; however, it fails to detect new and previously unseen malware. Supervised machine-learning models have been proposed in order to solve this issue, but the usefulness of supervised learning is far from perfect because it requires a significant amount of malicious code and benign software to be identified and labelled beforehand. In this paper, we propose a new method that adopts a collective learning approach to detect unknown malware. Collective classification is a type of semi-supervised learning that presents an interesting method for optimising the classification of partially-labelled data. In this way, we propose here, for the first time, collective classification algorithms to build different machine-learning classifiers using a set of labelled (as malware and legitimate software) and unlabelled instances. We perform an empirical validation demonstrating that the labelling efforts are lower than when supervised learning is used, while maintaining high accuracy rates.
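The semi-supervised idea in this abstract, as an added illustration that is not the paper's code: the paper's own collective classification algorithms are not described on this page, so the block below uses a simple iterative scheme in which every unlabelled executable takes the distance-weighted label of its k nearest already-labelled neighbours, repeated until no label changes. The eight two-dimensional feature vectors (think of them as two summary statistics per executable), the node names a..h and the two seed labels are constructed for the example.

```python
"""Collective (semi-supervised) labelling of executables from a few seeds.

Added example, not code from the paper above.  Assumptions: feature vectors
have already been extracted per executable, two of them carry hand-assigned
labels, and labels spread through feature space by iterated nearest-neighbour
voting (a simplified collective scheme, not the paper's algorithms)."""
from collections import defaultdict
import math

# Constructed 2-D feature vectors for eight executables; only two are labelled.
FEATURES = {
    "a": (0.05, 0.10), "b": (0.10, 0.05), "c": (0.15, 0.20), "d": (0.20, 0.10),
    "e": (0.80, 0.75), "f": (0.85, 0.90), "g": (0.90, 0.80), "h": (0.75, 0.85),
}
SEEDS = {"a": "benign", "e": "malware"}       # the only hand-labelled instances


def distance(u, v):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(u, v)))


def collective_classify(features, seeds, k=2, max_rounds=20):
    """Propagate seed labels through the corpus.

    Each unlabelled node adopts the label with the largest inverse-distance
    weight among its k nearest nodes that already carry a label.  Newly
    assigned labels are used immediately, so later nodes in the same round
    see them.  Returns the final label map and the number of rounds it took
    to reach a fixed point (a round with no label change)."""
    labels = dict(seeds)
    for rounds in range(1, max_rounds + 1):
        changed = False
        for node, vec in features.items():
            if node in seeds:
                continue                          # seeds are never overwritten
            neighbours = sorted(
                (distance(vec, features[other]), other)
                for other in labels if other != node)[:k]
            weight = defaultdict(float)
            for dist, other in neighbours:
                weight[labels[other]] += 1.0 / (dist + 1e-9)
            vote = max(weight, key=weight.get)
            if labels.get(node) != vote:
                labels[node] = vote
                changed = True
        if not changed:
            return labels, rounds
    return labels, max_rounds


def labelling_effort(seeds=SEEDS, features=FEATURES):
    """Fraction of the corpus that had to be labelled by hand."""
    return len(seeds) / len(features)


if __name__ == "__main__":
    final, rounds = collective_classify(FEATURES, SEEDS)
    print(f"converged after {rounds} rounds, hand-labelled {labelling_effort():.0%}")
    for name in sorted(final):
        print(f"  {name}: {final[name]}")
```

Two seeds are enough here because the constructed vectors form two clean clusters; on real feature spaces the result depends on k and on the distance metric, and a cluster with no seed at all would be labelled by whichever seed cluster happens to be nearest, so the scheme is only as good as the coverage of the seed set.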
Using Opcode Sequences in Single-Class Learning to Detect Unknown Malware
Cited by 1 (0 self)
Malware is any type of malicious code that has the potential to harm a computer or network. The volume of malware is growing at a faster rate every year and poses a serious global security threat. Although signature-based detection is the most widespread method used in commercial antivirus programs, it consistently fails to detect new malware. Supervised machine-learning models have been used to address this issue. However, the use of supervised learning is limited because it needs a large amount of malicious code and benign software to first be labelled. In this paper, we propose a new method that uses single-class learning to detect unknown malware families. This method is based on examining the frequencies of the appearance of opcode sequences to build a machine-learning classifier using only one set of labelled instances within a specific class of either malware or legitimate software. We performed an empirical study that shows that this method can reduce the effort of labelling software while maintaining high accuracy.
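The representation shared by this abstract and by the Information Sciences and NOA abstracts above: an executable is described by the frequency of its opcode sequences, each opcode is weighted by a mined relevance score, and an unknown file is scored against labelled ones. The block below is an added example, not code from any of those papers. It assumes the executables have already been disassembled into flat opcode traces, uses mutual information between "opcode occurs in the file" and the file's label as the relevance measure (one common choice; the exact weighting used by each paper is not given on this page), and the four training traces and the query trace are constructed by hand rather than taken from real binaries.

```python
"""Opcode n-gram frequency features, per-opcode relevance weighting and a
cosine-similarity verdict.

Added example, not code from the papers listed on this page.  Assumptions:
traces are already disassembled mnemonics; relevance = mutual information
between opcode presence and file label; all traces below are constructed."""
from collections import Counter, defaultdict
import math

# Constructed training corpus: name -> (label, opcode trace).
CORPUS = {
    "benign_a":  ("benign",  "push mov mov call add mov ret push mov call ret".split()),
    "benign_b":  ("benign",  "push mov sub call mov add ret mov call ret".split()),
    "malware_a": ("malware", "push mov xor inc dec jnz mov xor inc jnz call ret".split()),
    "malware_b": ("malware", "mov xor dec jnz xor inc jnz push call ret".split()),
}


def opcode_ngrams(opcodes, n):
    """Overlapping opcode sequences of length n, in order of appearance."""
    return [tuple(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1)]


def term_frequency(opcodes, n):
    """Relative frequency of each opcode n-gram within one executable."""
    grams = opcode_ngrams(opcodes, n)
    return {g: c / len(grams) for g, c in Counter(grams).items()}


def opcode_relevance(corpus):
    """Mutual information (bits) between 'opcode present in file' and label."""
    files = list(corpus.values())
    n_files = len(files)
    per_label = Counter(label for label, _ in files)
    present = defaultdict(Counter)          # opcode -> label -> files containing it
    for label, ops in files:
        for op in set(ops):
            present[op][label] += 1
    relevance = {}
    for op, by_label in present.items():
        n_present = sum(by_label.values())
        mi = 0.0
        for label, n_label in per_label.items():
            for has_op, joint in ((1, by_label[label]), (0, n_label - by_label[label])):
                if joint == 0:
                    continue                # 0 * log(0) contributes nothing
                p_xy = joint / n_files
                p_x = (n_present if has_op else n_files - n_present) / n_files
                p_y = n_label / n_files
                mi += p_xy * math.log2(p_xy / (p_x * p_y))
        relevance[op] = mi
    return relevance


def feature_vector(opcodes, n, relevance):
    """Weighted term frequency: n-gram frequency scaled by the mean relevance
    of the opcodes it contains, so sequences of uninformative opcodes vanish."""
    return {g: tf * sum(relevance.get(op, 0.0) for op in g) / n
            for g, tf in term_frequency(opcodes, n).items()}


def cosine(u, v):
    """Cosine similarity between two sparse vectors (dict of n-gram -> weight)."""
    dot = sum(w * v.get(g, 0.0) for g, w in u.items())
    norm_u = math.sqrt(sum(w * w for w in u.values()))
    norm_v = math.sqrt(sum(w * w for w in v.values()))
    return dot / (norm_u * norm_v) if norm_u and norm_v else 0.0


def classify(unknown, corpus=CORPUS, n=2):
    """Information-retrieval style verdict: label of the most similar known
    file, or 'unknown' when no relevant n-gram is shared with any of them."""
    relevance = opcode_relevance(corpus)
    query = feature_vector(unknown, n, relevance)
    ranking = sorted(
        ((cosine(query, feature_vector(ops, n, relevance)), name, label)
         for name, (label, ops) in corpus.items()),
        reverse=True,
    )
    best_score, _, best_label = ranking[0]
    return (best_label if best_score > 0.0 else "unknown"), ranking


if __name__ == "__main__":
    sample = "push mov xor inc jnz xor dec jnz call ret".split()
    verdict, ranking = classify(sample)
    print("verdict:", verdict)
    for score, name, label in ranking:
        print(f"  {name:10s} {label:8s} cosine={score:.3f}")
```

In this corpus push, mov, call and ret appear in every file, so their mutual information is zero and any bigram built only from them contributes nothing to the similarity; xor, inc, dec and jnz occur only in the malware traces and get the maximum one bit. A query made only of uninformative opcodes therefore has a zero-norm vector, and the verdict is reported as "unknown" rather than silently taking the label of whichever file happens to sort first.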
New Face of Terror: Cyber Threats, Emails Containing Viruses
- Asian Journal of Technology & Management Research [ISSN: 2249-0892], Vol. 01, Issue 01 (Jan-Jun 2011)
, 2011
ABSTRACT
Cyber terrorism can be defined as any unlawful act, or use of force or violence, against individuals or property to intimidate or disturb a government, civilians, etc. According to the FBI, "Cyber terrorism could thus be well defined as the use of computing resources to intimidate or coerce others". An example of cyber terrorism could be hacking into a hospital computer system and changing someone's medicine prescription to a lethal dosage as an act of revenge. It sounds far-fetched, but these things can and do happen. The various forms of computer attack that exist have in common the relatively low level of risk for the criminal, set against a potential for harm and damage to resources.
Keywords: Cyber threat, email viruses, cyber terrorism.
INTRODUCTION
Cyber terrorism is a form of computer-related crime committed using internet technology; it covers all crimes committed in cyberspace. In the virtual world, crime can be automated, creating the potential for a large-scale cyber epidemic, capable of being launched remotely via a network (freeing the criminal from constraints of time and space), with the possibility of delayed action. Internet technology facilitates a wide range of infractions: theft, information sabotage, copyright infractions, breach of professional trust, digital privacy, intellectual property, distribution of illegal content, anti-competitive attacks, industrial espionage, trademark infringements, disinformation, denial of service, various forms of fraud.
WHY THE INTERNET IS USED BY CYBER CRIMINALS
a) Virtuality. The uncoupling of transactions from physical media (virtualization) and communication tools involving encryption, steganography and anonymity: these are factors which criminals in different countries exploit in order to collaborate while dispensing with physical meetings, operating in a flexible, secure manner and with complete impunity. They can form teams, plan crimes and carry them out, whether in the traditional manner or using new technologies. The global reach of the internet allows criminals to act globally, on a large scale and very rapidly.
b) Networking of resources. The wide-scale networking of computer and information resources makes them attractive targets for economic crime using new technologies. The various forms of computer attack that exist have in common the relatively low level of risk for the criminal, set against a potential for harm and damage that greatly exceeds the resources necessary to launch an attack. Electronic identity theft, easy anonymity and the possibilities for taking control of computers make it easy to carry out illegal acts without exposing oneself to any great risk.
c) Exposing cyber criminals is difficult. Computer-related crime is sophisticated, and is usually committed across national borders, frequently with a time delay. The traces it leaves in the systems are intangible and difficult to gather and save. They take the form of digital information stored on all sorts of media: working memory, storage peripherals, hard discs, external discs and USB sticks, electronic components, etc. The problem is how to capture the wide variety of evidence turned up in a digital search.
TYPES OF CYBER ATTACKS
a) Stealing of users' passwords. The main methods used to obtain the connection parameters of legitimate users to gain access to systems are:
• Deception (social engineering).
• Listening to traffic.
• "Trojan horse".
• Accessing the password storage file.
• Cracking passwords that are sent in encrypted form.
• Spying on users by activating their multimedia peripherals to record their connection parameters.
Once in possession of the access key necessary to get into the systems (the combination of username and password), it is easy to penetrate the systems and carry out all sorts of read and write operations. The challenge for the hacker is to avoid being detected and to leave no trace of his presence in the systems accessed.
b) Denial-of-service attacks. A denial-of-service attack is typically carried out by overloading system capacity. Targeted systems, inundated with far more requests than they are equipped to cope with, crash and become unavailable. These attacks can be perpetrated by taking advantage of flaws in the operating system and exploiting certain system features, for example buffer management (buffer overflow attack), causing serious malfunctioning which can lead to system shutdown. E-mail bombing, which involves flooding a user's inbox with messages, is one form of denial-of-service attack.
c) Defacement attacks. A defacement attack is carried out by replacing the victim's web page with another, where the content of the new page (e.g. pornographic, political) will depend on the hacker's motives. One
Comparative Analysis of Voting Schemes for Ensemble-based Malware Detection
Malicious software (malware) represents a threat to the security and the privacy of computer users. Traditional signature-based and heuristic-based methods are inadequate for detecting some forms of malware. This paper presents a malware detection method based on supervised learning. The main contributions of the paper are two ensemble learning algorithms, two pre-processing techniques, and an empirical evaluation of the proposed algorithms. Sequences of operational codes are extracted as features from malware and benign files. These sequences are used to create three different data sets with different configurations. A set of learning algorithms is evaluated on the data sets. The predictions from the learning algorithms are combined by an ensemble algorithm. The predicted outcome of the ensemble algorithm is decided on the basis of voting. The experimental results show that the veto approach can accurately detect both novel and known malware instances with higher recall in comparison to majority voting; however, the precision of veto voting is lower than that of majority voting. The veto voting is further extended as trust-based veto voting. A comparison of the majority voting, the veto voting, and the trust-based veto voting is performed. The experimental results indicate the suitability of each voting scheme for detecting a particular class of software. The experimental results for the composite F1-measure indicate that the majority voting is slightly better than the trusted veto voting, while the trusted veto is significantly better than the veto classifier.
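The three combination rules the abstract compares, written out as an added example (not the paper's code) so the recall/precision trade-off can be seen on concrete verdicts. The per-classifier verdicts, the trust weights TRUST and the ground truth in SAMPLES are constructed; the trust-based veto is modelled as "a malware verdict carries the veto only when the voting classifier's trust reaches a threshold, otherwise fall back to majority", which is one plausible reading of the abstract and not the paper's definition.

```python
"""Majority, veto and trust-weighted veto combination of base classifiers.

Added example, not code from the paper above.  Assumptions: base-classifier
verdicts and trust weights already exist (constructed here); trusted veto =
veto restricted to classifiers whose trust meets a threshold, else majority."""

MALWARE, BENIGN = 1, 0

# Constructed evaluation set: ground truth plus three base classifiers'
# verdicts per sample.  Trust weights are assumed to come from earlier
# validation runs of each classifier.
TRUST = (0.9, 0.6, 0.3)
SAMPLES = [
    # (truth, (c1, c2, c3))
    (MALWARE, (MALWARE, MALWARE, BENIGN)),   # known family, two detectors agree
    (MALWARE, (MALWARE, BENIGN, BENIGN)),    # only the most trusted detector fires
    (MALWARE, (BENIGN, BENIGN, MALWARE)),    # novel sample caught only by the weakest
    (BENIGN,  (BENIGN, BENIGN, MALWARE)),    # false alarm from the weakest detector
    (BENIGN,  (BENIGN, BENIGN, BENIGN)),
    (BENIGN,  (BENIGN, MALWARE, BENIGN)),    # false alarm from a mid-trust detector
]


def majority_vote(votes, trust=None):
    """Malware only when more than half of the classifiers say so."""
    return MALWARE if 2 * sum(votes) > len(votes) else BENIGN


def veto_vote(votes, trust=None):
    """A single malware verdict overrides every benign one."""
    return MALWARE if MALWARE in votes else BENIGN


def trusted_veto_vote(votes, trust, threshold=0.5):
    """Veto only from classifiers trusted at or above the threshold;
    otherwise decide by majority (assumed form of the trust-based veto)."""
    if any(v == MALWARE and t >= threshold for v, t in zip(votes, trust)):
        return MALWARE
    return majority_vote(votes)


def precision_recall_f1(predicted, truth):
    """Standard scores with malware as the positive class."""
    tp = sum(p == MALWARE and t == MALWARE for p, t in zip(predicted, truth))
    fp = sum(p == MALWARE and t == BENIGN for p, t in zip(predicted, truth))
    fn = sum(p == BENIGN and t == MALWARE for p, t in zip(predicted, truth))
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


SCHEMES = {"majority": majority_vote, "veto": veto_vote, "trusted_veto": trusted_veto_vote}


def evaluate(scheme, samples=SAMPLES, trust=TRUST):
    """Run one combination scheme over the samples and score it."""
    combine = SCHEMES[scheme]
    predicted = [combine(votes, trust) for _, votes in samples]
    truth = [t for t, _ in samples]
    return precision_recall_f1(predicted, truth)


if __name__ == "__main__":
    for name in SCHEMES:
        p, r, f1 = evaluate(name)
        print(f"{name:13s} precision={p:.2f} recall={r:.2f} f1={f1:.2f}")
```

On these six constructed samples majority voting reaches precision 1.0 but recall 1/3, veto voting reaches recall 1.0 at precision 0.6, and the trusted veto lands between them at 2/3 for both; the direction of the recall/precision shift matches the abstract, but the absolute numbers and the F1 ordering are properties of this toy data, not a replication of the paper's results.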
www.zju.edu.cn/jzus; www.springerlink.com
, 2010
Along with the evolution of computer viruses, the number of file samples that need to be analyzed has constantly increased. An automatic and robust tool is needed to classify the file samples quickly and efficiently. Inspired by the human immune system, we developed a local concentration based virus detection method, which connects a certain number of two-element local concentration vectors as a feature vector. In contrast to existing data mining techniques, the new method does not remember exact file content for virus detection, but uses a non-signature paradigm, such that it can detect some previously unknown viruses and overcome techniques like obfuscation used to bypass signatures. This model first extracts the viral tendency of each fragment and identifies a set of static structural detectors, then uses an information-theoretic preprocess to remove redundancy in the detector set to generate 'self' and 'nonself' detector libraries. Finally, 'self' and 'nonself' local concentrations are constructed by using the libraries, to form a vector with an array of two elements of local concentrations for detecting viruses efficiently. Several standard data mining classifiers, including k-nearest neighbor (KNN), RBF neural networks, and support vector machine (SVM), are leveraged to classify the local concentration vector as the feature of a benign or malicious program and to verify the effectiveness and robustness of this approach. Experimental results demonstrate that the proposed approach not only has a much faster speed, but also gives around 98% accuracy.
Detection of Malware and Malicious Executables Using E-Birch Algorithm
Dr. Ashit Kumar Dutta
Malware detection is one of the challenges of the modern computing world. Web mining is the subset of data mining used to provide solutions for complex problems. Web intelligence is the new hope for the field of computer science to bring a solution to malware detection. Web mining is the method of web intelligence for making the web an intelligent tool to combat malware and phishing websites. Generally, malware is injected through websites into the user's system, modifies executable files and paralyzes the whole activity of the system. Antivirus applications utilize data mining techniques to find malware on the web. There is a need for a heuristic approach to solve the malware problem. Dynamic analysis methods yield better results than static methods. Data mining is the best option for the dynamic analysis of malware or malicious programs. The purpose of the research is to apply the enhanced Birch algorithm to find malware and modified executables on the Windows and Android operating systems.
Instructions-based Detection of Sophisticated Obfuscation and Packing
Every day thousands of malware samples are released online. The vast majority of these employ some kind of obfuscation, ranging from simple XOR encryption to more sophisticated anti-analysis, packing and encryption techniques. Universal unpackers or code emulation systems can unpack the file and reveal its hidden code. However, these methods are very time consuming when compared to static analysis. Moreover, considering the large amount of new malware being produced daily, it is not practical to depend solely on dynamic analysis methods. Therefore, finding a way to filter the samples and delegate only obfuscated and suspicious ones to more rigorous tests would significantly improve the overall scanning process. In this paper, we show that entropy-based detection for encrypted
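The entropy-based filter this abstract refers to, as an added example that is not the paper's code (the abstract is cut off before the paper's finding, so nothing below should be read as that finding). It assumes a raw file image is available and scans it with a sliding window; WINDOW, STEP and THRESHOLD are assumed parameters, and the sample "binary" is constructed inline: a repeated x86-style prologue/call/epilogue pattern and some import-name strings, followed by the same bytes XORed with a seeded pseudo-random key stream. A single-byte XOR variant of the same section is included because it exposes the filter's blind spot: XOR with one byte is a bijection on byte values, so the histogram is only permuted and the entropy is exactly the plaintext's.

```python
"""Sliding-window Shannon entropy as a first-pass packing/encryption filter.

Added example, not code from the paper above.  Assumptions: a raw file image
is available; WINDOW/STEP/THRESHOLD are chosen here, not taken from the paper;
the sample bytes are constructed, not a real binary."""
from collections import Counter
import math
import random

WINDOW, STEP, THRESHOLD = 512, 256, 7.0     # 8.0 bits is the maximum for bytes


def shannon_entropy(data):
    """Bits per byte of the empirical byte distribution in data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data, window=WINDOW, step=STEP, threshold=THRESHOLD):
    """(offset, entropy) for every window whose entropy reaches the threshold."""
    hits = []
    for off in range(0, max(1, len(data) - window + 1), step):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 3)))
    return hits


def xor_bytes(data, key):
    """XOR data with a repeating key (a single byte or a whole key stream)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed low-entropy "code + strings" section: a fake prologue, call and
# epilogue repeated, then a few import names.
CODE = (b"\x55\x48\x89\xe5\x48\x83\xec\x20"
        b"\x48\x8b\x45\xf8\x48\x89\xc7\xe8\x00\x00\x00\x00"
        b"\xc9\xc3") * 40
STRINGS = b"kernel32.dll\x00GetProcAddress\x00LoadLibraryA\x00" * 10
PLAIN = CODE + STRINGS

# The same section under a seeded pseudo-random key stream (reproducible
# stand-in for a real cipher) and under single-byte XOR.
_rng = random.Random(2013)
KEY_STREAM = bytes(_rng.getrandbits(8) for _ in range(len(PLAIN)))
ENCRYPTED = xor_bytes(PLAIN, KEY_STREAM)
SINGLE_XOR = xor_bytes(PLAIN, b"\x5a")

SAMPLE = PLAIN + ENCRYPTED                  # plain section, then encrypted one


def first_flagged_offset(data=SAMPLE):
    """Offset of the first window the filter would hand to deeper analysis."""
    hits = high_entropy_windows(data)
    return hits[0][0] if hits else None


if __name__ == "__main__":
    print(f"plain section entropy      : {shannon_entropy(PLAIN):.3f}")
    print(f"key-stream XOR entropy     : {shannon_entropy(ENCRYPTED):.3f}")
    print(f"single-byte XOR entropy    : {shannon_entropy(SINGLE_XOR):.3f}")
    print("flagged windows in SAMPLE  :", high_entropy_windows(SAMPLE))
    print("flagged windows, single XOR:", high_entropy_windows(SINGLE_XOR))
```

The plain section never exceeds about 5.2 bits (it uses fewer than 40 distinct byte values), the key-stream region sits near the 8-bit ceiling and is flagged from the first window that is mostly encrypted, and the single-byte XOR copy is never flagged at all even though every byte of it has been transformed. Entropy is therefore a useful triage signal for packers and real ciphers, but a sample that passes it has not been shown to be unobfuscated.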