Malware classification using self organising feature maps and machine activity data

In this article we use machine activity metrics to automatically distinguish between malicious and trusted portable executable software samples. The motivation stems from the growth of cyber attacks using techniques that have been employed to surreptitiously deploy Advanced Persistent Threats (APTs). APTs are becoming more sophisticated and able to obfuscate much of their identifiable features through encryption, custom code bases and in-memory execution. Our hypothesis is that we can produce a high degree of accuracy in distinguishing malicious from trusted samples using Machine Learning with features derived from the inescapable footprint left behind on a computer system during execution. This includes CPU, RAM, Swap use and network traffic at a count level of bytes and packets. These features are continuous and allow us to be more flexible with the classification of samples than discrete features such as API calls (which can also be obfuscated) that form the main feature of the extant literature. We use these continuous data and develop a novel classification method using Self Organizing Feature Maps to reduce over fitting during training through the ability to create unsupervised clusters of similar ‘behaviour’ that are subsequently used as features for classification, rather than using the raw data. We compare our method to a set of machine classification methods that have been applied in previous research and demonstrate an increase of between 7.24% and 25.68% in classification accuracy using our method and an unseen dataset over the range of other machine classification methods that have been applied in previous research

Analysis of Feature Categories for Malware Visualization

It is important to know which features are more effective for certain visualization types. Furthermore, selecting an appropriate visualization tool plays a key role in descriptive, diagnostic, predictive and prescriptive analytics. Moreover, analyzing the activities of malicious scripts or codes is dependent on the extracted features. In this paper, the authors focused on reviewing and classifying the most common extracted features that have been used for malware visualization based on specified categories. This study examines the features categories and its usefulness for effective malware visualization. Additionally, it focuses on the common extracted features that have been used in the malware visualization domain. Therefore, the conducted literature review finding revealed that the features could be categorized into four main categories, namely, static, dynamic, hybrid, and application metadata. The contribution of this research paper is about feature selection for illustrating which features are effective with which visualization tools for malware visualization

Comparative analysis of various machine learning algorithms for ransomware detection

Recently, the ransomware attack posed a serious threat that targets a wide range of organizations and individuals for financial gain. So, there is a real need to initiate more innovative methods that are capable of proactively detect and prevent this type of attack. Multiple approaches were innovated to detect attacks using different techniques. One of these techniques is machine learning techniques which provide reasonable results, in most attack detection systems. In the current article, different machine learning techniques are tested to analyze its ability in a detection ransomware attack. The top 1000 features extracted from raw byte with the use of gain ratio as a feature selection method. Three different classifiers (decision tree (J48), random forest, radial basis function (RBF) network) available in Waikato Environment for Knowledge Analysis (WEKA) based machine learning tool are evaluated to achieve significant detection accuracy of ransomware. The result shows that random forest gave the best detection accuracy almost around 98%

Modelling the malware propagation in mobile computer devices

Nowadays malware is a major threat to the security of cyber activities. The rapid development of the Internet and the progressive implementation of the Internet of Things (IoT) increase the security needs of networks. This research presents a theoretical model of malware propagation for mobile computer devices. It is based on the susceptible-exposed-infected-recovered-susceptible (SEIRS) epidemic model. The scheme is based on a concrete connection pattern between nodes defined by both a particular neighbourhood which fixes the connection between devices, and a local rule which sets whether the link is infective or not. The results corroborate the ability of our model to perform the behaviour patterns provided by the ordinary differential equation (ODE) traditional method

Construcción de clasificadores de malware para agencias de seguridad del Estado

El sandboxing ha sido usado de manera regular para analizar muestras de software y determinar si estas contienen propiedades o comportamientos sospechosos. A pesar de que el sandboxing es una técnica poderosa para desarrollar análisis de malware, esta requiere que un analista de malware desarrolle un análisis riguroso de los resultados para determinar la naturaleza de la muestra: goodware o malware. Este artículo propone dos modelos de aprendizaje automáticos capaces de clasificar muestras con base a un análisis de firmas o permisos extraídos por medio de Cuckoo sandbox, Androguard y VirusTotal. En este artículo también se presenta una propuesta de arquitectura de centinela IoT que protege dispositivos IoT, usando uno de los modelos de aprendizaje automáticos desarrollados anteriormente. Finalmente, diferentes enfoques y perspectivas acerca del uso de sandboxing y aprendizaje automático por parte de agencias de seguridad del Estado también son aportados.Sandboxing has been used regularly to analyze software samples and determine if these contain suspicious properties or behaviors. Even if sandboxing is a powerful technique to perform malware analysis, it requires that a malware analyst performs a rigorous analysis of the results to determine the nature of the sample: goodware or malware. This paper proposes two machine learning models able to classify samples based on signatures and permissions obtained through Cuckoo sandbox, Androguard and VirusTotal. The developed models are also tested obtaining an acceptable percentage of correctly classified samples, being in this way useful tools for a malware analyst. A proposal of architecture for an IoT sentinel that uses one of the developed machine learning model is also showed. Finally, different approaches, perspectives, and challenges about the use of sandboxing and machine learning by security teams in State security agencies are also shared

Bot-IMG: A framework for image-based detection of Android botnets using machine learning

The file attached to this record is the author's final peer reviewed version.To enable more effective mitigation of Android botnets, image-based detection approaches offer great promise. Such image-based or visualization methods provide detection solutions that are less reliant on hand-engineered features which require domain knowledge. In this paper we propose Bot- IMG, a framework for visualization and image-based detection of Android botnets using machine learning. Furthermore, we evaluated the efficacy of Bot-IMG framework using the ISCX botnet dataset. In particular, we implement an image- based detection method using Histogram of Oriented Gradients (HOG) as feature descriptors within the framework, and utilized Autoencoders in conjunction with traditional machine learning classifiers. From the experiments performed, we obtained up to 95.3% classification accuracy using train-test split of 80:20 and 93.1% classification accuracy with 10-fold cross validation

Construcción de clasificadores de malware para agencias de seguridad del Estado

Sandboxing has been used regularly to analyze software samples and determine if these contain suspicious properties or behaviors. Even if sandboxing is a powerful technique to perform malware analysis, it requires that a malware analyst performs a rigorous analysis of the results to determine the nature of the sample: goodware or malware. This paper proposes two machine learning models able to classify samples based on signatures and permissions obtained through Cuckoo sandbox, Androguard and VirusTotal. The developed models are also tested obtaining an acceptable percentage of correctly classified samples, being in this way useful tools for a malware analyst. A proposal of architecture for an IoT sentinel that uses one of the developed machine learning model is also showed. Finally, different approaches, perspectives, and challenges about the use of sandboxing and machine learning by security teams in State security agencies are also shared.El sandboxing ha sido usado de manera regular para analizar muestras de software y determinar si estas contienen propiedades o comportamientos sospechosos. A pesar de que el sandboxing es una técnica poderosa para desarrollar análisis de malware, esta requiere que un analista de malware desarrolle un análisis riguroso de los resultados para determinar la naturaleza de la muestra: goodware o malware. Este artículo propone dos modelos de aprendizaje automáticos capaces de clasificar muestras con base a un análisis de firmas o permisos extraídos por medio de Cuckoo sandbox, Androguard y VirusTotal. En este artículo también se presenta una propuesta de arquitectura de centinela IoT que protege dispositivos IoT, usando uno de los modelos de aprendizaje automáticos desarrollados anteriormente. Finalmente, diferentes enfoques y perspectivas acerca del uso de sandboxing y aprendizaje automático por parte de agencias de seguridad del Estado también son aportados

Federated Agentless Detection of Endpoints Using Behavioral and Characteristic Modeling

During the past two decades computer networks and security have evolved that, even though we use the same TCP/IP stack, network traffic behaviors and security needs have significantly changed. To secure modern computer networks, complete and accurate data must be gathered in a structured manner pertaining to the network and endpoint behavior. Security operations teams struggle to keep up with the ever-increasing number of devices and network attacks daily. Often the security aspect of networks gets managed reactively instead of providing proactive protection. Data collected at the backbone are becoming inadequate during security incidents. Incident response teams require data that is reliably attributed to each individual endpoint over time. With the current state of dissociated data collected from networks using different tools it is challenging to correlate the necessary data to find origin and propagation of attacks within the network. Critical indicators of compromise may go undetected due to the drawbacks of current data collection systems leaving endpoints vulnerable to attacks. Proliferation of distributed organizations demand distributed federated security solutions. Without robust data collection systems that are capable of transcending architectural and computational challenges, it is becoming increasingly difficult to provide endpoint protection at scale. This research focuses on reliable agentless endpoint detection and traffic attribution in federated networks using behavioral and characteristic modeling for incident response

Early-stage malware prediction using recurrent neural networks

Static malware analysis is well-suited to endpoint anti-virus systems as it can be conducted quickly by examining the features of an executable piece of code and matching it to previously observed malicious code. However, static code analysis can be vulnerable to code obfuscation techniques. Behavioural data collected during file execution is more difficult to obfuscate, but takes a relatively long time to capture - typically up to 5 minutes, meaning the malicious payload has likely already been delivered by the time it is detected. In this paper we investigate the possibility of predicting whether or not an executable is malicious based on a short snapshot of behavioural data. We find that an ensemble of recurrent neural networks are able to predict whether an executable is malicious or benign within the first 5 seconds of execution with 94% accuracy. This is the first time general types of malicious file have been predicted to be malicious during execution rather than using a complete activity log file post-execution, and enables cyber security endpoint protection to be advanced to use behavioural data for blocking malicious payloads rather than detecting them post-execution and having to repair the damage

Successful Operational Cyber Security Strategies for Small Businesses

Cybercriminals threaten strategic and efficient use of the Internet within the business environment. Each year, cybercrimes in the United States cost business leaders approximately $6 billion, and globally,$445 billion. The purpose of this multiple case study was to explore the operational strategies chief information security officers of high-technology companies used to protect their businesses from cyberattacks. Organizational learning theory was the conceptual framework for the study. The population of the study was 3 high-technology business owners operating in Florida who have Internet expertise and successfully protected their businesses from cyberattacks. Member checking and methodological triangulation were used to valid the data gathered through semistructured interviews, a review of company websites, and social media pages. Data were analyzed using thematic analysis, which supported the identification of 4 themes: effective leadership, cybersecurity awareness, reliance on third-party vendors, and cybersecurity training. The implications of this study for positive social change include a safe and secure environment for conducting electronic transactions, which may result in increased business and consumer confidence strengthened by the protection of personal and confidential information. The creation and sustainability of a safe Internet environment may lead to increased usage and trust in online business activities, leading to greater online business through consumer confidence and communication