Beyond the Hype: A Real-World Evaluation of the Impact and Cost of Machine Learning-Based Malware Detection

There is a lack of scientific testing of commercially available malware detectors, especially those that boast accurate classification of never-before-seen (i.e., zero-day) files using machine learning (ML). The result is that the efficacy and gaps among the available approaches are opaque, inhibiting end users from making informed network security decisions and researchers from targeting gaps in current detectors. In this paper, we present a scientific evaluation of four market-leading malware detection tools to assist an organization with two primary questions: (Q1) To what extent do ML-based tools accurately classify never-before-seen files without sacrificing detection ability on known files? (Q2) Is it worth purchasing a network-level malware detector to complement host-based detection? We tested each tool against 3,536 total files (2,554 or 72% malicious, 982 or 28% benign) including over 400 zero-day malware, and tested with a variety of file types and protocols for delivery. We present statistical results on detection time and accuracy, consider complementary analysis (using multiple tools together), and provide two novel applications of a recent cost-benefit evaluation procedure by Iannaconne & Bridges that incorporates all the above metrics into a single quantifiable cost. While the ML-based tools are more effective at detecting zero-day files and executables, the signature-based tool may still be an overall better option. Both network-based tools provide substantial (simulated) savings when paired with either host tool, yet both show poor detection rates on protocols other than HTTP or SMTP. Our results show that all four tools have near-perfect precision but alarmingly low recall, especially on file types other than executables and office files -- 37% of malware tested, including all polyglot files, were undetected.Comment: Includes Actionable Takeaways for SOC

On-Demand Composition of Smart Service Systems in Decentralized Environments

The increasing number of smart systems inevitably leads to a huge number of systems that potentially provide independently designed, autonomously operating services. In near-future smart computing systems, such as smart cities, smart grids or smart mobility, independently developed and heterogeneous services need to be dynamically interconnected in order to develop their full potential in a rather complex collaboration with others. Since the services are developed independently, it is challenging to integrate them on-the-fly at run time. Due to the increasing degree of distribution, such systems operate in a decentralized and volatile environment, where central management is infeasible. Conversely, the increasing computational power of such systems also supersedes the need for central management. The four identified key problems of adaptable, collaborative Smart Service Systems are on-demand composition of complex service structures in decentralized environments, the absence of a comprehensive, serendipity-aware specification, a discontinuity from design-time specification to run-time execution, and the lack of a development methodology that separates the development of a service from that of its role essential to a collaboration. This approach utilizes role-based models, which have a collaborative nature, for automated, on-demand service composition. A rigorous two-phase development methodology is proposed in order to demarcate the development of the services from that of their role essential to a collaboration. Therein, a collaboration designer specifies the collaboration including its abstract functionality using the proposed role-based collaboration specification for Smart Service Systems. Thereof, a partial implementation is derived, which is complemented by services developed in the second phase. The proposed middleware architecture provides run-time support and bridges the gap between design and run time. It implements a protocol for coordinated, role-based composition and adaptation of Smart Service Systems. The approach is quantitatively and qualitatively evaluated by means of a case study and a performance evaluation in order to identify limitations of complex service structures and the trade-off of employing the concept of roles for composition and adaptation of Smart Service Systems.:1 Introduction 1.1 Motivation 1.2 Terminology 1.3 Problem Statement 1.4 Requirements Analysis 1.5 Research Questions and Hypothesis 1.6 Focus and Limitations 1.7 Outline 2 The Role Concept in Computer Science 2.1 What is a Role in Computer Science? 2.2 Roles in RoleDiSCo 3 State of the Art & Related Work 3.1 Role-based Modeling Abstractions for Software Systems 3.1.1 Classification 3.1.2 Approaches 3.1.3 Summary 3.2 Role-based Run-Time Systems 3.2.1 Classification 3.2.2 Approaches 3.2.3 Summary 3.3 Spontaneously Collaborating Run-Time Systems 3.3.1 Classification 3.3.2 Approaches 3.3.3 Summary 3.4 Summary 4 On-Demand Composition and Adaptation of Smart Service Systems 4.1 RoleDiSCo Development Methodology 4.1.1 Role-based Collaboration Specification for Smart Service Systems 4.1.2 Derived Partial Implementation 4.1.3 Player & Context Provision 4.2 RoleDiSCo Middleware Architecture for Smart Service Systems 4.2.1 Infrastructure Abstraction Layer 4.2.2 Context Management 4.2.3 Local Repositories & Knowledge 4.2.4 Discovery 4.2.5 Dispatcher 4.3 Coordinated Composition and Subsequent Adaptation 4.3.1 Initialization and Planning 4.3.2 Composition: Coordinating Subsystem 4.3.3 Composition: Non-Coordinating Subsystem 4.3.4 Competing Collaborations & Negotiation 4.3.5 Subsequent Adaptation 4.3.6 Terminating a Pervasive Collaboration 4.4 Summary 5 Implementing RoleDiSCo 5.1 RoleDiSCo Development Support 5.2 RoleDiSCo Middleware 5.2.1 Infrastructure Abstraction Layer 5.2.2 Knowledge Repositories and Local Class Discovery 5.2.3 Planner 6 Evaluation 6.1 Case Study: Distributed Slideshow 6.1.1 Scenario 6.1.2 Phase 1: Collaboration Design 6.1.3 Phase 2: Player Complementation 6.1.4 Coordinated Composition and Adaptation at Run Time 6.2 Runtime Evaluation 6.2.1 General Testbed Setup and Scenarios 6.2.2 Discovery Time 6.2.3 Composition Time 6.2.4 Discussion 6.3 The ›Role‹ of Roles 6.4 Summary 7 Conclusion 7.1 Summary 7.2 Research Results 7.3 Future Wor

HMCMA: Design of an Efficient Model with Hybrid Machine Learning in Cyber security for Enhanced Detection of Malicious Activities

In the rapidly evolving landscape of cyber security, the incessant advancement of malicious activities presents a formidable challenge, necessitating a paradigm shift in detection methodologies. Traditional methods, primarily reliant on static rule-based systems, exhibit palpable limitations in grappling with the dynamic and sophisticated nature of modern cyber threats. This inadequacy underscores the urgent need for innovative approaches that can adeptly adapt and respond to the ever-changing threat environment. Addressing this exigency, the present research introduces a novel hybrid machine learning model, ingeniously crafted to transcend the constraints of existing malicious activity detection frameworks. The proposed model synergizes the strengths of diverse machine learning strategies, including anomaly detection techniques including Isolation Forest and One-Class SVM, and validates the results of these classifiers using Random Forest and Gradient Boosting operations. The validated malware instances are classified into malware types using fusion of Convolutional Neural Networks (CNNs) and Long Short Term Memory (LSTM) based Recurrent Neural Networks (RNNs) under real-time network configuration sets. This eclectic amalgamation not only leverages the unique capabilities of each algorithm but also harmonizes them to forge a more robust and precise detection mechanisms. The strategic integration of these algorithms facilitates a comprehensive analysis of network traffic and system logs, thereby significantly enhancing the detection accuracy. Furthermore, the model's adaptive learning component ensures its relevance and efficacy in the face of evolving cyber threats, a quintessential feature for contemporary cyber security solutions. Empirical evaluations, conducted using multiple malware datasets and samples, substantiate the model's superiority over existing methods. It exhibited a remarkable 10.4% improvement in precision, an 8.5% increase in accuracy, a 4.9% enhancement in recall, an 8.3% rise in AUC, a 4.5% boost in specificity, and a notable 2.5% reduction in detection delay. These compelling results underscore the model's potential in revolutionizing malicious activity detection, providing organizations with a more effective and resilient defense mechanism against a spectrum of cyber threats. The research culminates in a significant stride forward in cyber security, offering a robust, adaptive, and comprehensive solution that addresses the pressing need for advanced malicious activity detection, thereby bolstering the overall cyber security posture of organizations in the digital age sets

On Malfunction, Mechanisms and Malware Classification

Malware has been around since the 1980s and is a large and expensive security concern today, constantly growing over the past years. As our social, professional and financial lives become more digitalised, they present larger and more profitable targets for malware. The problem of classifying and preventing malware is therefore urgent, and it is complicated by the existence of several specific approaches. In this paper, we use an existing malware taxonomy to formulate a general, language independent functional description of malware as transformers between states of the host system and described by a trust relation with its components. This description is then further generalised in terms of mechanisms, thereby contributing to a general understanding of malware. The aim is to use the latter in order to present an improved classification method for malware

Effective Detection of Vulnerable and Malicious Browser Extensions

Unsafely coded browser extensions can compromise the security of a browser, making them attractive targets for attackers as a primary vehicle for conducting cyber-attacks. Among others, the three factors making vulnerable extensions a high-risk security threat for browsers include: i) the wide popularity of browser extensions, ii) the similarity of browser extensions with web applications, and iii) the high privilege of browser extension scripts. Furthermore, mechanisms that specifically target to mitigate browser extension-related attacks have received less attention as opposed to solutions that have been deployed for common web security problems (such as SQL injection, XSS, logic flaws, client-side vulnerabilities, drive-by-download, etc.). To address these challenges, recently some techniques have been proposed to defend extension-related attacks. These techniques mainly focus on information flow analysis to capture suspicious data flows, impose privilege restriction on API calls by malicious extensions, apply digital signatures to monitor process and memory level activities, and allow browser users to specify policies in order to restrict the operations of extensions. This article presents a model-based approach to detect vulnerable and malicious browser extensions by widening and complementing the existing techniques. We observe and utilize various common and distinguishing characteristics of benign, vulnerable, and malicious browser extensions. These characteristics are then used to build our detection models, which are based on the Hidden Markov Model constructs. The models are well trained using a set of features extracted from a number of browser extensions together with user supplied specifications. Along the course of this study, one of the main challenges we encountered was the lack of vulnerable and malicious extension samples. To address this issue, based on our previous knowledge on testing web applications and heuristics obtained from available vulnerable and malicious extensions, we have defined rules to generate training samples. The approach is implemented in a prototype tool and evaluated using a number of Mozilla Firefox extensions. Our evaluation indicated that the approach not only detects known vulnerable and malicious extensions, but also identifies previously undetected extensions with a negligible performance overhead

Protection Models for Web Applications

Early web applications were a set of static web pages connected to one another. In contrast, modern applications are full-featured programs that are nearly equivalent to desktop applications in functionality. However, web servers and web browsers, which were initially designed for static web pages, have not updated their protection models to deal with the security consequences of these full-featured programs. This mismatch has been the source of several security problems in web applications. This dissertation proposes new protection models for web applications. The design and implementation of prototypes of these protection models in a web server and a web browser are also described. Experiments are used to demonstrate the improvements in security and performance from using these protection models. Finally, this dissertation also describes systematic design methods to support the security of web applications

Unpicking the Gordian knot: a systems approach to traumatic brain injury care in low-income and middle-income countries.

The Global Burden of Diseases, Injuries, and Risk Factors Study showed that in 2010 trauma accounted for 9% of the world's deaths - around 5 million people - while also resulting in millions of non-fatal injuries with resultant disability. Around 90% of injury-related deaths occurred in low and middle income countries (LMICs) which also saw the greatest rise in these injuries due to road traffic collisions.1 More recent Global Health Estimates from the World Health Organisation for 2015 show a similar picture.2 As a disease subtype, Traumatic Brain Injury (TBI) is one of the most devastating, with clinical, societal, and economic sequelae.3 It is also startlingly common with an estimated 50 million or more cases per year; enough for half of the world's population to suffer a TBI in their lifetime and again disproportionately affecting lower-income regions.

Design of Automation Environment for Analyzing Various IoT Malware

With the increasing proliferation of IoT systems, the security of IoT systems has become very important to individuals and businesses. IoT malware has been increasing exponentially since the emergence of Mirai in 2016. Because the IoT system environment is diverse, IoT malware also has various environments. In the case of existing analysis systems, there is no environment for dynamic analysis by running IoT malware of various architectures. It is inefficient in terms of time and cost to build an environment that analyzes malware one by one for analysis. The purpose of this paper is to improve the problems and limitations of the existing analysis system and provide an environment to analyze a large amount of IoT malware. Using existing open source analysis tools suitable for various IoT malicious codes and QEMU, a virtualization software, the environment in which the actual malicious code will run is built, and the library or system call that is actually called is statically and dynamically analyzed. In the text, the analysis system is applied to the actual collected malicious code to check whether it is analyzed and derive statistics. Information on the architecture of malicious code, attack method, command used, and access path can be checked, and this information can be used as a basis for malicious code detection research or classification research. The advantages are described of the system designed compared to the most commonly used automated analysis tools and improvements to existing limitations