Machine Learning Techniques for Malware Detection with Challenges and Future Directions

In the recent times Cybersecurity is the hot research topic because of its sensitivity. Especially at the times of digital world where everything is now transformed into digital medium. All the critical transactions are being carried out online with internet applications. Malware is an important issue which has the capability of stealing the privacy and funds from an ordinary person who is doing sensitive transactions through his mobile device. Researchers in the current time are striving to develop efficient techniques to detect these kinds of attacks. Not only individuals are getting offended even the governments are getting effected by these kinds of attacks and losing big amount of funds. In this work various Artificial intelligent and machine learning techniques are discussed which were implements for the detection of malware. Traditional machine learning techniques like Decision tree, K-Nearest Neighbor and Support vector machine and further to advanced machine learning techniques like Artificial neural network and convolution neural network are discussed. Among the discussed techniques, the work got the highest accuracy is 99% followed by 98.422%, 97.3% and 96% where the authors have implemented package-level API calls as feature, followed by advanced classification technique. Also, dataset details are discussed and listed which were used for the experimentation of malware detection, among the many dataset DREBIN had the most significant number of samples with 123453 Benign samples and 5560 Malware samples. Finally, open challenges are listed, and the future directions are highlighted which would encourage a new researcher to adopt this field of research and solve these open challenges with the help of future direction details provided in this paper. The paper is concluded with the limitation and conclusion sectio

Timed Automata for Mobile Ransomware Detection

Considering the plethora of private and sensitive information stored in smartphone and tablets, it is easy to understand the reason why attackers develop everyday more and more aggressive malicious payloads with the aim to exfiltrate our data. One of the last trend in mobile malware landascape is represented by the so-called ransomware, a threat capable to lock the user interface and to cipher the data of the mobile device under attack. In this paper we propose an approach to model an Android application in terms of timed automaton by considering system call traces i.e., performing a dynamic analysis. We obtain encouraging results in the experimental analysis we performed exploiting real-world  (ransomware and legitimate) Android applications

The arms race: adversarial search defeats entropy used to detect malware

Malware creators have been getting their way for too long now. String-based similarity measures can leverage ground truth in a scalable way and can operate at a level of abstraction that is difficult to combat from the code level. At the string level, information theory and, specifically, entropy play an important role related to detecting patterns altered by concealment strategies, such as polymorphism or encryption. Controlling the entropy levels in different parts of a disk resident executable allows an analyst to detect malware or a black hat to evade the detection. This paper shows these two perspectives into two scalable entropy-based tools: EnTS and EEE. EnTS, the detection tool, shows the effectiveness of detecting entropy patterns, achieving 100% precision with 82% accuracy. It outperforms VirusTotal for accuracy on combined Kaggle and VirusShare malware. EEE, the evasion tool, shows the effectiveness of entropy as a concealment strategy, attacking binary-based state of the art detectors. It learns their detection patterns in up to 8 generations of its search process, and increments their false negative rate from range 0–9%, up to the range 90–98.7%

The arms race: adversarial search defeats entropy used to detect malware

Malware creators have been getting their way for too long now. String-based similarity measures can leverage ground truth in a scalable way and can operate at a level of abstraction that is difficult to combat from the code level. At the string level, information theory and, specifically, entropy play an important role related to detecting patterns altered by concealment strategies, such as polymorphism or encryption. Controlling the entropy levels in different parts of a disk resident executable allows an analyst to detect malware or a black hat to evade the detection. This paper shows these two perspectives into two scalable entropy-based tools: EnTS and EEE. EnTS, the detection tool, shows the effectiveness of detecting entropy patterns, achieving 100% precision with 82% accuracy. It outperforms VirusTotal for accuracy on combined Kaggle and VirusShare malware. EEE, the evasion tool, shows the effectiveness of entropy as a concealment strategy, attacking binary-based state of the art detectors. It learns their detection patterns in up to 8 generations of its search process, and increments their false negative rate from range 0–9%, up to the range 90–98.7%

Malgazer: An Automated Malware Classifier With Running Window Entropy and Machine Learning

This dissertation explores functional malware classification using running window entropy and machine learning classifiers. This topic was under researched in the prior literature, but the implications are important for malware defense. This dissertation will present six new design science artifacts. The first artifact was a generalized machine learning based malware classifier model. This model was used to categorize and explain the gaps in the prior literature. This artifact was also used to compare the prior literature to the classifiers created in this dissertation, herein referred to as “Malgazer” classifiers. Running window entropy data was required, but the algorithm was too slow to compute at scale. This dissertation presents an optimized version of the algorithm that requires less than 2% of the time of the original algorithm. Next, the classifications for the malware samples were required, but there was no one unified and consistent source for this information. One of the design science artifacts was the method to determine the classifications from publicly available resources. Once the running window entropy data was computed and the functional classifications were collected, the machine learning algorithms were trained at scale so that one individual could complete over 200 computationally intensive experiments for this dissertation. The method to scale the computations was an instantiation design science artifact. The trained classifiers were another design science artifact. Lastly, a web application was developed so that the classifiers could be utilized by those without a programming background. This was the last design science artifact created by this research. Once the classifiers were developed, they were compared to prior literature theoretically and empirically. A malware classification method from prior literature was chosen (referred to herein as “GIST”) for an empirical comparison to the Malgazer classifiers. The best Malgazer classifier produced an accuracy of approximately 95%, which was around 0.76% more accurate than the GIST method on the same data sets. Then, the Malgazer classifier was compared to the prior literature theoretically, based upon the empirical analysis with GIST, and Malgazer performed at least as well as the prior literature. While the data, methods, and source code are open sourced from this research, most prior literature did not provide enough information or data to replicate and verify each method. This prevented a full and true comparison to prior literature, but it did not prevent recommending the Malgazer classifier for some use cases

A roadside units positioning framework in the context of vehicle-to-infrastructure based on integrated AHP-entropy and group-VIKOR

The positioning of roadside units (RSUs) in a vehicle-to-infrastructure (V2I) communication system may have an impact on network performance. Optimal RSU positioning is required to reduce cost and maintain the quality of service. However, RSU positioning is considered a difficult task due to numerous criteria, such as the cost of RSUs, the intersection area and communication strength, which affect the positioning process and must be considered. Furthermore, the conflict and trade-off amongst these criteria and the significance of each criterion are reflected on the RSU positioning process. Towards this end, a four-stage methodology for a new RSU positioning framework using multi-criteria decision-making (MCDM) in V2I communication system context has been designed. Real time V2I hardware for data collection purpose was developed. This hardware device consisted of multi mobile-nodes (in the car) and RSUs and connected via an nRF24L01+ PA/LNA transceiver module with a microcontroller. In the second phase, different testing scenarios were identified to acquire the required data from the V2I devices. These scenarios were evaluated based on three evaluation attributes. A decision matrix consisted of the scenarios as alternatives and its assessment per criterion was constructed. In the third phase, the alternatives were ranked using hybrid of MCDM techniques, specifically the Analytic Hierarchy Process (AHP), Entropy and Vlsekriterijumska Optimizacija I Kompromisno Resenje (VIKOR). The result of each decision ranking was aggregated using Borda voting approach towards a final group ranking. Finally, the validation process was made to ensure the ranking result undergoes a systematic and valid rank. The results indicate the following: (1) The rank of scenarios obtained from group VIKOR suggested the second scenario with, four RSUs, a maximum distance of 200 meters between RSUs and the antennas height of two-meter, is the best positioning scenarios; and (2) in the objective validation. The study also reported significant differences between the scores of the groups, indicating that the ranking results are valid. Finally, the integration of AHP, Entropy and VIKOR has effectively solved the RSUs positioning problems

MDFRCNN: Malware Detection using Faster Region Proposals Convolution Neural Network

Technological advancement of smart devices has opened up a new trend: Internet of Everything (IoE), where all devices are connected to the web. Large scale networking benefits the community by increasing connectivity and giving control of physical devices. On the other hand, there exists an increased ‘Threat’ of an ‘Attack’. Attackers are targeting these devices, as it may provide an easier ‘backdoor entry to the users’ network’.MALicious softWARE (MalWare) is a major threat to user security. Fast and accurate detection of malware attacks are the sine qua non of IoE, where large scale networking is involved. The paper proposes use of a visualization technique where the disassembled malware code is converted into gray images, as well as use of Image Similarity based Statistical Parameters (ISSP) such as Normalized Cross correlation (NCC), Average difference (AD), Maximum difference (MaxD), Singular Structural Similarity Index Module (SSIM), Laplacian Mean Square Error (LMSE), MSE and PSNR. A vector consisting of gray image with statistical parameters is trained using a Faster Region proposals Convolution Neural Network (F-RCNN) classifier. The experiment results are promising as the proposed method includes ISSP with F-RCNN training. Overall training time of learning the semantics of higher-level malicious behaviors is less. Identification of malware (testing phase) is also performed in less time. The fusion of image and statistical parameter enhances system performance with greater accuracy. The benchmark database from Microsoft Malware Classification challenge has been used to analyze system performance, which is available on the Kaggle website. An overall average classification accuracy of 98.12% is achieved by the proposed method

IoT Sentinel: Automated Device-Type Identification for Security Enforcement in IoT

With the rapid growth of the Internet-of-Things (IoT), concerns about the security of IoT devices have become prominent. Several vendors are producing IP-connected devices for home and small office networks that often suffer from flawed security designs and implementations. They also tend to lack mechanisms for firmware updates or patches that can help eliminate security vulnerabilities. Securing networks where the presence of such vulnerable devices is given, requires a brownfield approach: applying necessary protection measures within the network so that potentially vulnerable devices can coexist without endangering the security of other devices in the same network. In this paper, we present IOT SENTINEL, a system capable of automatically identifying the types of devices being connected to an IoT network and enabling enforcement of rules for constraining the communications of vulnerable devices so as to minimize damage resulting from their compromise. We show that IOT SENTINEL is effective in identifying device types and has minimal performance overhead