A Comparative Study on Feature Selection Method for N-gram Mobile Malware Detection

Abstract In recent years, mobile device technology has become an important necessity in our community at large. The ability of the mobile technology today has become more similar to its desktop environment. Despite the advancement of the mobile devices technology provide, it has also exposes the mobile devices to the similar threat it predecessor possess. One of the anomaly based detection methods used in detecting mobile malware is the n-gram system call sequence. However, with the limited storage, memory and CPU processing power, mobile devices that provide this approach can exhaust the mobile device resources. This is due to the huge amount of system call to be collected and processed for the detection approach. To overcome the issues, this paper investigates the use of several different feature selection methods in optimizing the n-gram system call sequence feature in classifying benign and malicious mobile application. Several filter and wrapper feature selection methods are selected and their performance analyzed. The feature selection methods are evaluated based on the number of feature selected and the contribution it made to improve the True Positive Rate (TPR), False Positive Rate (FPR) and Accuracy of the Linear-SVM classifier in classifying benign and malicious mobile malware application

Machine Learning Aided Static Malware Analysis: A Survey and Tutorial

Malware analysis and detection techniques have been evolving during the last decade as a reflection to development of different malware techniques to evade network-based and host-based security protections. The fast growth in variety and number of malware species made it very difficult for forensics investigators to provide an on time response. Therefore, Machine Learning (ML) aided malware analysis became a necessity to automate different aspects of static and dynamic malware investigation. We believe that machine learning aided static analysis can be used as a methodological approach in technical Cyber Threats Intelligence (CTI) rather than resource-consuming dynamic malware analysis that has been thoroughly studied before. In this paper, we address this research gap by conducting an in-depth survey of different machine learning methods for classification of static characteristics of 32-bit malicious Portable Executable (PE32) Windows files and develop taxonomy for better understanding of these techniques. Afterwards, we offer a tutorial on how different machine learning techniques can be utilized in extraction and analysis of a variety of static characteristic of PE binaries and evaluate accuracy and practical generalization of these techniques. Finally, the results of experimental study of all the method using common data was given to demonstrate the accuracy and complexity. This paper may serve as a stepping stone for future researchers in cross-disciplinary field of machine learning aided malware forensics.Comment: 37 Page

Android Malware Clustering through Malicious Payload Mining

Clustering has been well studied for desktop malware analysis as an effective triage method. Conventional similarity-based clustering techniques, however, cannot be immediately applied to Android malware analysis due to the excessive use of third-party libraries in Android application development and the widespread use of repackaging in malware development. We design and implement an Android malware clustering system through iterative mining of malicious payload and checking whether malware samples share the same version of malicious payload. Our system utilizes a hierarchical clustering technique and an efficient bit-vector format to represent Android apps. Experimental results demonstrate that our clustering approach achieves precision of 0.90 and recall of 0.75 for Android Genome malware dataset, and average precision of 0.98 and recall of 0.96 with respect to manually verified ground-truth.Comment: Proceedings of the 20th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2017

Malware Detection Approaches based on Operational Codes (OpCodes) of Executable Programs: A Review

A malicious software, or Malware for a short, poses a threat to computer systems, which need to be analyzed, detected, and eliminated. Generally, malware is analyzed in two ways: dynamic malware analysis and static malware analysis. The former collects features dataset during running of the malware, and involves malware APIs, registry activities, file activities, process activities, and network activities based features. The latter collects features dataset prior and without running the malware, and involves Operational Codes (OpCodes) and text based (Bytecodes) features. However, several previous researchers addressed and reviewed malware detection approaches based on various aspects, but none of them addressed and reviewed the approaches merely based on malware OpCodes. Therefore, this paper aims to review Malware Detection Approaches based on OpCodes. The review explores, demonstrates, and compares the existing approaches for detecting malware according to their OpCodes only, and finally presents a comprehensive comparable envisage about them

An Efficient Sieve Technique In Mobile Malware Detection

Proliferation of mobile devices in the market has radically changed the way people handle their daily life activities.Rapid growth of mobile device technology has enabled users to use mobile device for various purposes such as web browsing,ubiquitous services,social networking,MMS and many more.Nowadays,Google’s Android Operating System has become the most popular choice of operating system for mobile devices since Android is an open source and easy to use.This scenario has also ignited possibility of malicious programs to exploit mobile devices and consequently expose any sensitive transaction made by the user.A malware ability to quickly evolve has made mobile malware detection a more complex. Antivirus and signature based IDS require a constant signature database update to keep up with the new malware,thus exhausting a mobile device’s resources.Even though,an anomaly-based detection can overcome this matter,an anomaly detection still produces a high amount of false alarms.Therefore,this research aims to improve Mobile Malware Detection by improving the accuracy,True Positive and True Negative as well as minimizing the False Positive rate using an n-gram system call sequence approach and a sieve technique.This research analyses the behaviour and traces of mobile malware application activity dynamically as mobile malware is executed on a mobile platform.Analysis done on mobile malware activity shows behaviour and traces of benign and malicious mobile applications are able to be distinctively classified through invocation of system call to a kernel level system by a mobile application.However,an n-gram system call sequence generated by this approach can contribute to a large amount of logged features that can consume a mobile device’s memory and storage.Hence this research, introduces a sieve technique in Mobile Malware Detection process in order to search for an optimum set of n-gram system call.In order to evaluate the performance of the proposed approach Accuracy,True Positive Rate,True Negative Rate,False Positive Rate and Receiver Operating Characteristic curve are measured with dataset of mobile malware from Malware Gnome Project and benign mobile application from Google Play Store.The experiment finding indicates the 3-gram system call sequence is capable of improving Mobile Malware Detection performance in terms of accuracy as well as minimizing the false alert.Whereas the sieve technique is able to reduce number of ngram system call features and providing an optimize 3-gram system call sequence features.The outcome indicate that a Mobile Malware Detection using 3-gram system call sequence as features and sieve technique is able to be used in improving a Mobile Malware Detection in classifying the benign and malicious mobile applications. The evaluation and validation shows that a Mobile Malware Detection using 3-gram system call sequence with sieve technique improve the classification performance.As a conclusion the 3-gram system call sequence Mobile Malware Detection with sieve technique is capable of classifying the benign and malicious mobile application more accurately and at the same time minimizing the false alarm

DL-Droid: Deep learning based android malware detection using real devices

open access articleThe Android operating system has been the most popular for smartphones and tablets since 2012. This popularity has led to a rapid raise of Android malware in recent years. The sophistication of Android malware obfuscation and detection avoidance methods have significantly improved, making many traditional malware detection methods obsolete. In this paper, we propose DL-Droid, a deep learning system to detect malicious Android applications through dynamic analysis using stateful input generation. Experiments performed with over 30,000 applications (benign and malware) on real devices are presented. Furthermore, experiments were also conducted to compare the detection performance and code coverage of the stateful input generation method with the commonly used stateless approach using the deep learning system. Our study reveals that DL-Droid can achieve up to 97.8% detection rate (with dynamic features only) and 99.6% detection rate (with dynamic + static features) respectively which outperforms traditional machine learning techniques. Furthermore, the results highlight the significance of enhanced input generation for dynamic analysis as DL-Droid with the state-based input generation is shown to outperform the existing state-of-the-art approaches

Artificial intelligence in the cyber domain: Offense and defense

Artificial intelligence techniques have grown rapidly in recent years, and their applications in practice can be seen in many fields, ranging from facial recognition to image analysis. In the cybersecurity domain, AI-based techniques can provide better cyber defense tools and help adversaries improve methods of attack. However, malicious actors are aware of the new prospects too and will probably attempt to use them for nefarious purposes. This survey paper aims at providing an overview of how artificial intelligence can be used in the context of cybersecurity in both offense and defense.Web of Science123art. no. 41

Performance of Malware Classification on Machine Learning using Feature Selection

The exponential growth of malware has created a significant threat in our daily lives, which heavily rely on computers running all kinds of software. Malware writers create malicious software by creating new variants, new innovations, new infections and more obfuscated malware by using techniques such as packing and encrypting techniques. Malicious software classification and detection play an important role and a big challenge for cyber security research. Due to the increasing rate of false alarm, the accurate classification and detection of malware is a big necessity issue to be solved. In this research, eight malware family have been classifying according to their family the research provides four feature selection algorithms to select best feature for multiclass classification problem. Comparing. Then find these algorithms top 100 features are selected to performance evaluations. Five machine learning algorithms is compared to find best models. Then frequency distribution of features are find by feature ranking of best model. At last it is said that frequency distribution of every character of API call sequence can be used to classify malware family

Resilient and Scalable Android Malware Fingerprinting and Detection

Malicious software (Malware) proliferation reaches hundreds of thousands daily. The manual analysis of such a large volume of malware is daunting and time-consuming. The diversity of targeted systems in terms of architecture and platforms compounds the challenges of Android malware detection and malware in general. This highlights the need to design and implement new scalable and robust methods, techniques, and tools to detect Android malware. In this thesis, we develop a malware fingerprinting framework to cover accurate Android malware detection and family attribution. In this context, we emphasize the following: (i) the scalability over a large malware corpus; (ii) the resiliency to common obfuscation techniques; (iii) the portability over different platforms and architectures. In the context of bulk and offline detection on the laboratory/vendor level: First, we propose an approximate fingerprinting technique for Android packaging that captures the underlying static structure of the Android apps. We also propose a malware clustering framework on top of this fingerprinting technique to perform unsupervised malware detection and grouping by building and partitioning a similarity network of malicious apps. Second, we propose an approximate fingerprinting technique for Android malware's behavior reports generated using dynamic analyses leveraging natural language processing techniques. Based on this fingerprinting technique, we propose a portable malware detection and family threat attribution framework employing supervised machine learning techniques. Third, we design an automatic framework to produce intelligence about the underlying malicious cyber-infrastructures of Android malware. We leverage graph analysis techniques to generate relevant, actionable, and granular intelligence that can be used to identify the threat effects induced by malicious Internet activity associated to Android malicious apps. In the context of the single app and online detection on the mobile device level, we further propose the following: Fourth, we design a portable and effective Android malware detection system that is suitable for deployment on mobile and resource constrained devices, using machine learning classification on raw method call sequences. Fifth, we elaborate a framework for Android malware detection that is resilient to common code obfuscation techniques and adaptive to operating systems and malware change overtime, using natural language processing and deep learning techniques. We also evaluate the portability of the proposed techniques and methods beyond Android platform malware, as follows: Sixth, we leverage the previously elaborated techniques to build a framework for cross-platform ransomware fingerprinting relying on raw hybrid features in conjunction with advanced deep learning techniques

Robust Malware Detection for Internet Of (Battlefield) Things Devices Using Deep Eigenspace Learning

Internet of Things (IoT) in military setting generally consists of a diverse range of Internet-connected devices and nodes (e.g. medical devices to wearable combat uniforms), which are a valuable target for cyber criminals, particularly state-sponsored or nation state actors. A common attack vector is the use of malware. In this paper, we present a deep learning based method to detect Internet Of Battlefield Things (IoBT) malware via the device's Operational Code (OpCode) sequence. We transmute OpCodes into a vector space and apply a deep Eigenspace learning approach to classify malicious and bening application. We also demonstrate the robustness of our proposed approach in malware detection and its sustainability against junk code insertion attacks. Lastly, we make available our malware sample on Github, which hopefully will benefit future research efforts (e.g. for evaluation of proposed malware detection approaches)