Deteksi Malware Ransomware Berdasarkan Panggilan API dengan Metode Ekstraksi Fitur N-gram dan TF-IDF

Ransomware merupakan ancaman malware yang paling menakutkan saat ini karena memiliki kemampuan mengenkripsi data, selain itu jumlah serangan ransomware yang terus meningkat mengakibatkan kerugian yang tidak sedikit. Penanganan atas serangan ini semakin sulit dilakukan dikarenakan varian ransomware yang terus berkembang. Dibutuhkan suatu sistem yang mampu mendeteksi ransomware bahkan untuk varian ransomware terbaru. Melalui penelitian ini kami membuat suatu sistem yang mampu mendeteksi ransomware dan normalware menggunakan metode machine learning dengan memanfaatkan data panggilan API dari ransomware dan normalware. Pada penelitian ini kami hanya melakukan binary classification untuk semua varian ransomware yang terdeteksi. Proses ekstraksi fitur terlebih dilakukan dengan metode N-gram dan TF-IDF pada panggilan API untuk membentuk subset fitur yang digunakan dalam proses pembelajaran model. Pembuatan model deteksi dilakukan dengan melatih data panggilan API dari beberapa varian ransomware. Pengujian model dilakukan baik terhadap varian ransomware yang sudah dilatih sebelumnya maupun varian ransomware diluar data latih. Proses pembelajaran model dilakukan untuk mencari kesamaan fitur dari data panggilan API berbagai varian ransomware pada data latih, kesamaan fitur ini akan dimanfaatkan untuk mendeteksi varian lain dari ransomware diluar data latih. Hasil penelitian menunjukkan bahwa akurasi rata-rata model terhadap varian ransomware dalam data latih adalah 94% dengan skor error rate tertinggi 10%. Adapun hasil deteksi ransomware untuk varian diluar data latih menunjukkan akurasi rata-rata 83% dengan skor error rate tertinggi 30%. Sehingga dengan demikian model yang dibuat pada penelitian ini dapat digunakan untuk mendeteksi ransomware meskipun varian dari ransomware mengalami perkembangan

MULTIPLE ANDROID PACKAGE FILES EXTRACTOR IN MINING REQUEST PERMISSIONS AND API CALLS

Android smartphone has the highest demand in the world due to the ability of the devices and the open source software concept. Numbers of Android applications are increasing as to fulfill users and businesses’ needs. Not only Android gains huge business return but its applications has also become the target of attackers. One of the approaches to investigate and detect malware is through a reverse engineering technique where the profile parameters are extracted. The process of reversing Android execute file (.apk) individually takes a long time. Other than having used several tools, the approach leaves open the possibility of misconduct during the mining of necessary source codes. Therefore, an Android permissions and Application Programming Interface (API) calls extractor tool were developed for Android mobile devices apps. This tool had the capability to record all request permissions and required API calls inside the AndroidManifest.xml and classes.dex made to App executable file. In addition, the automatic feature of the tool allowed for the recording of the permission and API calls more than one Android Package Kit (APK) files at a time. MAPE (Multiple Android Package Extractor) was developed using Node.js. Currently, researchers either disclose mining techniques or use existing tools manually. MAPE used a sequential search in Depth First Search (DFS) technique to accomplish the operation. This tool can shorten the researchers’ processing time on retrieving request permissions and targeting API calls. The output produced by MAPE can be used for several purposes such as Apps categorization and malware detection

Malware Detection Approaches based on Operational Codes (OpCodes) of Executable Programs: A Review

A malicious software, or Malware for a short, poses a threat to computer systems, which need to be analyzed, detected, and eliminated. Generally, malware is analyzed in two ways: dynamic malware analysis and static malware analysis. The former collects features dataset during running of the malware, and involves malware APIs, registry activities, file activities, process activities, and network activities based features. The latter collects features dataset prior and without running the malware, and involves Operational Codes (OpCodes) and text based (Bytecodes) features. However, several previous researchers addressed and reviewed malware detection approaches based on various aspects, but none of them addressed and reviewed the approaches merely based on malware OpCodes. Therefore, this paper aims to review Malware Detection Approaches based on OpCodes. The review explores, demonstrates, and compares the existing approaches for detecting malware according to their OpCodes only, and finally presents a comprehensive comparable envisage about them

Feature selection and clustering for malicious and benign software characterization

Malware or malicious code is design to gather sensitive information without knowledge or permission of the users or damage files in the computer system. As the use of computer systems and Internet is increasing, the threat of malware is also growing. Moreover, the increase in data is raising difficulties to identify if the executables are malicious or benign. Hence, we have devised a method that collects features from portable executable file format using static malware analysis technique. We have also optimized the important or useful features by either normalizing or giving weightage to the feature. Furthermore, we have compared accuracy of various unsupervised learning algorithms for clustering huge dataset of samples. So once the clusters are created we can use antivirus (AV) to identify one or two file and if they are detected by AV then all the files in cluster are malicious even if the files contain novel or unknown malware; otherwise all are benign

The Effect of Code Obfuscation on Authorship Attribution of Binary Computer Files

In many forensic investigations, questions linger regarding the identity of the authors of the software specimen. Research has identified methods for the attribution of binary files that have not been obfuscated, but a significant percentage of malicious software has been obfuscated in an effort to hide both the details of its origin and its true intent. Little research has been done around analyzing obfuscated code for attribution. In part, the reason for this gap in the research is that deobfuscation of an unknown program is a challenging task. Further, the additional transformation of the executable file introduced by the obfuscator modifies or removes features from the original executable that would have been used in the author attribution process. Existing research has demonstrated good success in attributing the authorship of an executable file of unknown provenance using methods based on static analysis of the specimen file. With the addition of file obfuscation, static analysis of files becomes difficult, time consuming, and in some cases, may lead to inaccurate findings. This paper presents a novel process for authorship attribution using dynamic analysis methods. A software emulated system was fully instrumented to become a test harness for a specimen of unknown provenance, allowing for supervised control, monitoring, and trace data collection during execution. This trace data was used as input into a supervised machine learning algorithm trained to identify stylometric differences in the specimen under test and provide predictions on who wrote the specimen. The specimen files were also analyzed for authorship using static analysis methods to compare prediction accuracies with prediction accuracies gathered from this new, dynamic analysis based method. Experiments indicate that this new method can provide better accuracy of author attribution for files of unknown provenance, especially in the case where the specimen file has been obfuscated

Detection and Classification of Malicious Processes Using System Call Analysis

Despite efforts to mitigate the malware threat, the proliferation of malware continues, with record-setting numbers of malware samples being discovered each quarter. Malware are any intentionally malicious software, including software designed for extortion, sabotage, and espionage. Traditional malware defenses are primarily signature-based and heuristic-based, and include firewalls, intrusion detection systems, and antivirus software. Such defenses are reactive, performing well against known threats but struggling against new malware variants and zero-day threats. Together, the reactive nature of traditional defenses and the continuing spread of malware motivate the development of new techniques to detect such threats. One promising set of techniques uses features extracted from system call traces to infer malicious behaviors. This thesis studies the problem of detecting and classifying malicious processes using system call trace analysis. The goal of this study is to identify techniques that are `lightweight' enough and exhibit a low enough false positive rate to be deployed in production environments. The major contributions of this work are (1) a study of the effects of feature extraction strategy on malware detection performance; (2) the comparison of signature-based and statistical analysis techniques for malware detection and classification; (3) the use of sequential detection techniques to identify malicious behaviors as quickly as possible; (4) a study of malware detection performance at very low false positive rates; and (5) an extensive empirical evaluation, wherein the performance of the malware detection and classification systems are evaluated against data collected from production hosts and from the execution of recently discovered malware samples. The outcome of this study is a proof-of-concept system that detects the execution of malicious processes in production environments and classifies them according to their similarity to known malware.Ph.D., Electrical Engineering -- Drexel University, 201