Comprehensive Botnet Detection by Mitigating Adversarial Attacks, Navigating the Subtleties of Perturbation Distances and Fortifying Predictions with Conformal Layers

Botnets are computer networks controlled by malicious actors that present significant cybersecurity challenges. They autonomously infect, propagate, and coordinate to conduct cybercrimes, necessitating robust detection methods. This research addresses the sophisticated adversarial manipulations posed by attackers, aiming to undermine machine learning-based botnet detection systems. We introduce a flow-based detection approach, leveraging machine learning and deep learning algorithms trained on the ISCX and ISOT datasets. The detection algorithms are optimized using the Genetic Algorithm (GA) and Particle Swarm Optimization (PSO) to obtain a baseline detection method. The Carlini &amp; Wagner (C&amp;W) and Generative Adversarial Network (GAN) attacks generate deceptive data with subtle perturbations, targeting each feature used for classification while preserving their semantic and syntactic relationships, which ensures that the adversarial samples retain meaningfulness and realism. An in-depth analysis of the required L2 distance from the original sample for the malware sample to misclassify is performed across various iteration checkpoints, showing different levels of misclassification at different L2 distances of the pertrub sample from the original sample. Our work delves into the vulnerability of various models, examining the transferability of adversarial examples from a Neural Network surrogate model to Tree-based algorithms. Subsequently, models that initially misclassified the perturbed samples are retrained, enhancing their resilience and detection capabilities. In the final phase, a conformal prediction layer is integrated, significantly rejecting incorrect predictions — 58.20% in the ISCX dataset and 98.94% in the ISOT dataset.</p

Android Malware Classification and Optimisation Based on BM25 Score of Android API

With the growth of Android devices, there is a rise in malware applications affecting these networked devices. Android malware classification is an important task in ensuring the security and privacy of Android devices. One promising approach to this problem is to capture the difference in the usage of API in benign and malware applications through the BM25 (Best Matching 25) scoring function by calculating the BM25 score of each API (Application Program Interface). A linear regression model is fitted using the BM25 score to select the 1000 most important APIs using the feature importance weight of the linear regression model. The selected API's BM25 score and the Permission and Intents of an application are used to train Naive Bayes, Random Forest, Decision Tree, Support Vector Machine, and CNN (Convolutional Neural Network) for classification. To illustrate the effectiveness of using the BM25 score of APIs for malware classification, we train the optimised Particle Swarm Optimisation (PSO) based Machine learning and Deep Learning algorithms using Permission and Intents features with and without the BM25 score. Experiments show that the BM25 score improves the result. Overall, this study demonstrates the potential of using the BM25 score of API calls, in combination with Permissions and Intents, as a valuable tool for Android malware classification.</p

IoT-based Android Malware Detection Using Graph Neural Network With Adversarial Defense

Since the Internet of Things (IoT) is widely adopted using Android applications, detecting malicious Android apps is essential. In recent years, Android graph based deep learning research has proposed many approaches to extract relationships from the application as a graph to generate graph embeddings. First, we demonstrate the effectiveness of graph-based classification using Graph Neural Networks (GNN) based classifier to generate API graph embedding. The graph embedding is used with ‘Permission’ and ‘Intent’ to train multiple machine learning and deep learning algorithms to detect Android malware. The classification achieved an accuracy of 98.33 in CICMaldroid and 98.68 in Drebin dataset. However, the graph-based deep learning is vulnerable as an attacker can add fake relationships to avoid detection by the classifier. Second, we propose a Generative Adversarial Network (GAN) based algorithm named VGAEMalGAN to attack the graph-based GNN Android malware classifier. The VGAE-MalGAN generator generates adversarial malware API graphs, and the VGAE-MalGAN substitute detector (SD) tries to fit the detector. Experimental analysis shows that VGAE-MalGAN can effectively reduce the detection rate of GNN malware classifiers. Although the model fails to detect adversarial malware, experimental analysis shows that retraining the model with generated adversarial samples helps to combat adversarial attacks