Measuring Malware Evolution
In this research, we simulate the effect of code evolution by applying a variety of code morphing strategies. Specifically, we consider code substitution, transposition, insertion, and deletion. We then analyze the effect of these code morphing strategies relative to a variety of malware scores that have been considered in previous research. Our goal is to gain a better understanding of the strengths and weaknesses of these various malware scoring techniques. This research should prove useful in designing more robust scores for detecting malware.
Pre-filters in-transit malware packets detection in the network
Conventional malware detection systems cannot detect most new malware in the network without the availability of their signatures. To solve this problem, this paper proposes a technique to detect both metamorphic (mutated) malware and general (non-mutated) malware in the network using a combination of known malware sub-signatures and machine learning classification. This network-based malware detection is achieved through a middle path that allows efficient processing of non-malware packets. The proposed technique has been tested and verified using multiple data sets (metamorphic malware, non-mutated malware, and UTM real traffic); it can detect most malware packets in the network before they reach the host, improving on previous works that detect malware on the host. Experimental results showed that the proposed technique can speed up the transmission of more than 98% of normal packets without sending them to the slow path, and that more than 97% of malware packets are detected and dropped in the middle path. Furthermore, more than 75% of the metamorphic malware packets in the test dataset could be detected. The proposed technique is 37 times faster than the existing technique.
Vigenère Score for Malware Detection
Previous research has applied classic cryptanalytic techniques to the malware detection problem. Specifically, scores based on simple substitution cipher cryptanalysis and various generalizations have been considered. In this research, we analyze two new malware scoring techniques based on classic cryptanalysis. Our first approach relies on the Index of Coincidence, which is used, for example, to determine the length of the keyword in a Vigenère ciphertext. We also consider a score based on a more complete cryptanalysis of a Vigenère cipher. We find that the Vigenère score is competitive with previous statistical-based malware scores.
Survey of Machine Learning Techniques for Malware Analysis
Coping with malware is getting more and more challenging, given their relentless growth in complexity and volume. One of the most common approaches in literature is using machine learning techniques, to automatically learn models and patterns behind such complexity, and to develop technologies for keeping pace with the speed of development of novel malware. This survey aims at providing an overview on the way machine learning has been used so far in the context of malware analysis. We systematize surveyed papers according to their objectives (i.e., the expected output, what the analysis aims to), what information about malware they specifically use (i.e., the features), and what machine learning techniques they employ (i.e., what algorithm is used to process the input and produce the output). We also outline a number of problems concerning the datasets used in considered works, and finally introduce the novel concept of malware analysis economics, regarding the study of existing tradeoffs among key metrics, such as analysis accuracy and economical costs.
Decrypting SSL/TLS traffic for hidden threats detection
The paper presents an analysis of the main mechanisms for decrypting SSL/TLS traffic. Methods and technologies for detecting malicious activity in encrypted traffic that are used by leading companies are also considered. In addition, an approach for intercepting and decrypting traffic transmitted over SSL/TLS is developed, tested and proposed. The developed approach has been automated and can be used for remote listening on the network, which allows transmitted data to be decrypted in a mode close to real time.
Comment: 4 pages, 1 table, 1 figure