8 research outputs found
Image-based malware classification hybrid framework based on space-filling curves
There exists a never-ending “arms race” between malware analysts and adversarial malicious code developers as malevolent programs evolve and countermeasures are developed to detect and eradicate them. Malware has become more complex in its intent and capabilities over time, which has prompted the need for constant improvement in detection and defence methods. Of particular concern are the anti-analysis obfuscation techniques, such as packing and encryption, that are employed by malware developers to evade detection and thwart the analysis process. In such cases, malware is generally impervious to basic analysis methods and so analysts must use more invasive techniques to extract signatures for classification, which are inevitably not scalable due to their complexity. In this article, we present a hybrid framework for malware classification designed to overcome the challenges incurred by current approaches. The framework incorporates novel static and dynamic malware analysis methods, where static malware executables and dynamic process memory dumps are converted to images mapped through space-filling curves, from which visual features are extracted for classification. The framework is less invasive than traditional analysis methods in that there is no reverse engineering required, nor does it suffer from the obfuscation limitations of static analysis. On a dataset of 13,599 obfuscated and non-obfuscated malware samples from 23 families, the framework outperformed both static and dynamic standalone methods with precision, recall and accuracy scores of 97.6%, 97.6% and 97.6% respectively.
Machine learning classification for advanced malware detection
This introductory document discusses topics related to malware detection via the application of machine learning algorithms. It is intended as a supplement to the published work submitted (a complete list of which can be found in Table 1) and outlines the motivation behind the experiments.
The document begins with the following sections:
• Section 2 presents a preliminary discussion of the research methodology employed.
• Section 3 presents the background analysis of malware detection in general, and the use of machine learning.
• Section 4 provides a brief introduction of the most common machine learning algorithms in current use.
The remaining sections present the main body of the experimental work, which leads to the conclusions in Section 10.
• Section 5 analyzes different initialization strategies for machine learning models, with a view to ensuring that the most effective training and testing strategy is employed. Following this, a purely dynamic approach is proposed, which results in perfect classification of the samples against benign files, and therefore provides a baseline against which the performance of subsequent static approaches can be compared.
• Section 6 introduces the static-based tests, beginning with the challenging problem of zero-day samples, i.e. malware samples for which not enough data has yet been gathered to train the machine learning models.
• Section 7 describes the testing of several different approaches to static malware detection. During these tests, the effectiveness of these algorithms is analyzed and compared with other means of classification.
• Section 8 proposes and compares techniques to boost the detection accuracy by combining the scores obtained from other detection algorithms, with a view to improving static classification scores and thus reaching the perfect detection obtained with dynamic features.
• Section 9 tests the effectiveness of generic malware models by assessing the detection effectiveness of a generic malware model trained on several different families. The experiments are intended to introduce a more realistic scenario where a single, comprehensive machine learning model is used to detect several families. This section shows the difficulty of building a single model to detect several malware families.
Image-based malware classification: A space filling curve approach
Anti-virus (AV) software is effective at distinguishing between benign and malicious programs yet lacks the ability to effectively classify malware into their respective family classes. AV vendors receive considerably large volumes of malicious programs daily and so classification is crucial to quickly identify variants of existing malware that would otherwise have to be manually examined. This paper proposes a novel method of visualizing and classifying malware using Space-Filling Curves (SFCs) in order to improve on the limitations of AV tools. The classification models produced were evaluated on previously unseen samples and showed promising results, with precision, recall and accuracy scores of 82%, 80% and 83% respectively. Furthermore, a comparative assessment with previous research and current AV technologies revealed that the method presented here was robust, outperforming most commercial and open-source AV scanner software programs.
Malware Resistant Data Protection in Hyper-connected Networks: A survey
Data protection is the process of securing sensitive information from being corrupted, compromised, or lost. A hyperconnected network, on the other hand, is a computer networking trend in which communication occurs over a network. However, what about malware? Malware is malicious software meant to penetrate private data, threaten a computer system, or gain unauthorised network access without the user's consent. Due to the increasing applications of computers and dependency on electronically saved private data, malware attacks on sensitive information have become a dangerous issue for individuals and organizations across the world. Hence, malware defense is critical for keeping our computer systems and data protected. Many recent survey articles have focused on either malware detection systems or single attacking strategies. To the best of our knowledge, no survey paper demonstrates malware attack patterns and defense strategies in combination. Through this survey, this paper aims to address this issue by merging diverse malicious attack patterns and machine learning (ML) based detection models for modern and sophisticated malware. In doing so, we focus on the taxonomy of malware attack patterns based on four fundamental dimensions: the primary goal of the attack, the method of attack, the targeted exposure and execution process, and the types of malware that perform each attack. Detailed information on malware analysis approaches is also investigated. In addition, existing malware detection techniques employing feature extraction and ML algorithms are discussed extensively. Finally, it discusses research difficulties and unsolved problems, including future research directions.
Comment: 30 pages, 9 figures, 7 tables, nowhere submitted yet
Intrusion detection system for IoT networks for detection of DDoS attacks
PhD Thesis
In this thesis, a novel Intrusion Detection System (IDS) based on the hybridization of the Deep Learning (DL) technique and the Multi-objective Optimization method for the detection of Distributed Denial of Service (DDoS) attacks in Internet of Things (IoT) networks is proposed. IoT networks consist of different devices with unique hardware and software configurations communicating over different communication protocols, which produce huge multidimensional data that make IoT networks susceptible to cyber-attacks. The network IDS is a vital tool for protecting networks against threats and malicious attacks. Existing systems face significant challenges due to the continuous emergence of new and more sophisticated cyber threats that they do not recognize, and therefore an advanced IDS is required. This thesis focuses especially on the DDoS attack, one of the cyber-attacks that has affected many IoT networks in recent times and has resulted in substantial devastating losses. A thorough literature review is conducted on DDoS attacks in the context of IoT networks, IDSs available especially for IoT networks, and the scope and applicability of DL methodology for the detection of cyber-attacks. This thesis includes three main contributions: 1) developing a feature selection algorithm for an IoT network fulfilling six important objectives, 2) designing four DL models for the detection of DDoS attacks, and 3) proposing a novel IDS for IoT networks. In the proposed work, for developing an advanced IDS, a Jumping Gene adapted NSGA-II multi-objective optimization algorithm for reducing the dimensionality of massive IoT data and a Deep Learning model consisting of a Convolutional Neural Network (CNN) combined with Long Short-Term Memory (LSTM) for classification are employed. The experimentation is conducted using a High-Performance Computer (HPC) on the latest CISIDS2017 datasets for DDoS attacks and achieved an accuracy of 99.03% with a 5-fold reduction in training time. The proposed method is compared with machine learning (ML) algorithms and other state-of-the-art methods, which confirms that the proposed method outperforms other approaches.
Government of India