1,402 research outputs found
Learning Fast and Slow: PROPEDEUTICA for Real-time Malware Detection
In this paper, we introduce and evaluate PROPEDEUTICA, a novel methodology
and framework for efficient and effective real-time malware detection,
leveraging the best of conventional machine learning (ML) and deep learning
(DL) algorithms. In PROPEDEUTICA, all software processes in the system start
execution subjected to a conventional ML detector for fast classification. If a
piece of software receives a borderline classification, it is subjected to
further analysis via more performance expensive and more accurate DL methods,
via our newly proposed DL algorithm DEEPMALWARE. Further, we introduce delays
to the execution of software subjected to deep learning analysis as a way to
"buy time" for DL analysis and to rate-limit the impact of possible malware in
the system. We evaluated PROPEDEUTICA with a set of 9,115 malware samples and
877 commonly used benign software samples from various categories for the
Windows OS. Our results show that the false positive rate for conventional ML
methods can reach 20%, and for modern DL methods it is usually below 6%.
However, the classification time for DL can be 100X longer than conventional ML
methods. PROPEDEUTICA improved the detection F1-score from 77.54% (conventional
ML method) to 90.25%, and reduced the detection time by 54.86%. Further, the
percentage of software subjected to DL analysis was approximately 40% on
average. Further, the application of delays in software subjected to ML reduced
the detection time by approximately 10%. Finally, we found and discussed a
discrepancy between the detection accuracy offline (analysis after all traces
are collected) and on-the-fly (analysis in tandem with trace collection). Our
insights show that conventional ML and modern DL-based malware detectors in
isolation cannot meet the needs of efficient and effective malware detection:
high accuracy, low false positive rate, and short classification time.Comment: 17 pages, 7 figure
Agent-based Vs Agent-less Sandbox for Dynamic Behavioral Analysis
Malicious software is detected and classified by either static analysis or dynamic analysis. In static analysis, malware samples are reverse engineered and analyzed so that signatures of malware can be constructed. These techniques can be easily thwarted through polymorphic, metamorphic malware, obfuscation and packing techniques, whereas in dynamic analysis malware samples are executed in a controlled environment using the sandboxing technique, in order to model the behavior of malware. In this paper, we have analyzed Petya, Spyeye, VolatileCedar, PAFISH etc. through Agent-based and Agentless dynamic sandbox systems in order to investigate and benchmark their efficiency in advanced malware detection
Op2Vec: An Opcode Embedding Technique and Dataset Design for End-to-End Detection of Android Malware
Android is one of the leading operating systems for smart phones in terms of
market share and usage. Unfortunately, it is also an appealing target for
attackers to compromise its security through malicious applications. To tackle
this issue, domain experts and researchers are trying different techniques to
stop such attacks. All the attempts of securing Android platform are somewhat
successful. However, existing detection techniques have severe shortcomings,
including the cumbersome process of feature engineering. Designing
representative features require expert domain knowledge. There is a need for
minimizing human experts' intervention by circumventing handcrafted feature
engineering. Deep learning could be exploited by extracting deep features
automatically. Previous work has shown that operational codes (opcodes) of
executables provide key information to be used with deep learning models for
detection process of malicious applications. The only challenge is to feed
opcodes information to deep learning models. Existing techniques use one-hot
encoding to tackle the challenge. However, the one-hot encoding scheme has
severe limitations. In this paper, we introduce; (1) a novel technique for
opcodes embedding, which we name Op2Vec, (2) based on the learned Op2Vec we
have developed a dataset for end-to-end detection of android malware.
Introducing the end-to-end Android malware detection technique avoids
expert-intensive handcrafted features extraction, and ensures automation. Some
of the recent deep learning-based techniques showed significantly improved
results when tested with the proposed approach and achieved an average
detection accuracy of 97.47%, precision of 0.976 and F1 score of 0.979
Graph Mining for Cybersecurity: A Survey
The explosive growth of cyber attacks nowadays, such as malware, spam, and
intrusions, caused severe consequences on society. Securing cyberspace has
become an utmost concern for organizations and governments. Traditional Machine
Learning (ML) based methods are extensively used in detecting cyber threats,
but they hardly model the correlations between real-world cyber entities. In
recent years, with the proliferation of graph mining techniques, many
researchers investigated these techniques for capturing correlations between
cyber entities and achieving high performance. It is imperative to summarize
existing graph-based cybersecurity solutions to provide a guide for future
studies. Therefore, as a key contribution of this paper, we provide a
comprehensive review of graph mining for cybersecurity, including an overview
of cybersecurity tasks, the typical graph mining techniques, and the general
process of applying them to cybersecurity, as well as various solutions for
different cybersecurity tasks. For each task, we probe into relevant methods
and highlight the graph types, graph approaches, and task levels in their
modeling. Furthermore, we collect open datasets and toolkits for graph-based
cybersecurity. Finally, we outlook the potential directions of this field for
future research
- …