102 research outputs found

    Comparison of Deep Learning and the Classical Machine Learning Algorithm for the Malware Detection

    Recently, Deep Learning has been showing promising results in various Artificial Intelligence applications such as image recognition, natural language processing, language modeling and neural machine translation. Although it is, in general, computationally more expensive than classical machine learning techniques, its results are found to be more effective in some cases. Therefore, in this paper, we investigated and compared one Deep Learning architecture, the Deep Neural Network (DNN), with the classical Random Forest (RF) machine learning algorithm for malware classification. We studied the performance of the classical RF and of DNNs with 2-, 4- and 7-layer architectures on four different feature sets, and found that, irrespective of the input features, the classical RF accuracy outperforms the DNN.
    Comment: 11 Pages, 1 figur

    An investigation of a deep learning based malware detection system

    We investigate a Deep Learning based system for malware detection. In the investigation, we experiment with different combinations of Deep Learning architectures, including Auto-Encoders and Deep Neural Networks with varying numbers of layers, over the Malicia malware dataset, on which earlier studies have obtained an accuracy of 98% with an acceptable False Positive Rate of 1.07%. Those results, however, were obtained using extensive hand-crafted, domain-specific features and the corresponding feature engineering and design effort. Our proposed approach, besides improving on the previous best results (99.21% accuracy and a False Positive Rate of 0.19%), indicates that Deep Learning based systems could deliver an effective defense against malware. Since it is good at automatically extracting higher-level conceptual features from the data, a Deep Learning based system could provide an effective, general and scalable mechanism for the detection of existing and unknown malware.
    Comment: 13 Pages, 4 figure

    A Threat to Cyber Resilience : A Malware Rebirthing Botnet

    This paper presents a threat to cyber resilience in the form of a conceptual model of a malware rebirthing botnet which can be used in a variety of scenarios. It can be used to collect existing malware and rebirth it with new functionality and signatures that will avoid detection by AV software and hinder analysis. The botnet can then use the customized malware to target an organization with an orchestrated attack from the member machines in the botnet for a variety of malicious purposes, including information warfare applications. Alternatively, it can also be used to inject known malware signatures into otherwise non-malicious code and traffic in order to overload the sensors and processing systems employed by intrusion detection and prevention systems, creating a denial of confidence in the sensors and detection systems. This could be used as a force multiplier in asymmetric warfare applications to create confusion and distraction whilst attacks are made on other defensive fronts.

    Visualization Techniques For Malware Behavior Analysis

    Malware spread via the Internet is a great security threat, so studying its behavior is important in order to identify and classify it. Using SSDT hooking we can obtain malware behavior by running a sample in a controlled environment and capturing its interactions with the target operating system regarding file, process, registry, network and mutex activities. This generates a chain of events that can be compared with those of other known malware. In this paper we present a simple approach to convert malware behavior into activity graphs and show some visualization techniques that can be used to analyze malware behavior, individually or grouped. © 2011 SPIE.

    Effective methods to detect metamorphic malware: A systematic review

    The succeeding code of metamorphic malware is routinely rewritten so that it remains stealthy and undetected within infected environments. This characteristic is maintained by means of encryption and decryption methods, obfuscation through garbage code insertion, code transformation and registry modification, which makes detection very challenging. The main objective of this study is to contribute an evidence-based narrative demonstrating the effectiveness of recent proposals. Sixteen primary studies were included in this analysis based on a pre-defined protocol. The majority of the reviewed detection methods used opcodes, Control Flow Graphs (CFG) and API call graphs. Key challenges facing the detection of metamorphic malware include code obfuscation, a lack of dynamic capabilities to analyse code, and difficulty of application. Methods were further analysed on the basis of their approach, limitations, empirical evidence and key parameters such as dataset, Detection Rate (DR) and False Positive Rate (FPR).