
    Software similarity and classification

    This thesis analyses software programs in the context of their similarity to other software programs. Applications proposed and implemented include detecting malicious software and discovering security vulnerabilities.

    A STATE OF THE ART SURVEY ON POLYMORPHIC MALWARE ANALYSIS AND DETECTION TECHNIQUES

    Nowadays, systems are under serious security threats caused by malicious software, commonly known as malware. Such malware is created with sophisticated, advanced techniques that make it hard to analyse and detect, thus causing a great deal of damage. Polymorphism is one of the advanced techniques by which malware changes its identity each time it attacks. This paper presents a detailed, systematic and critical review that explores the available literature and outlines the research efforts that have been made in relation to polymorphic malware analysis and detection.

    Improved Detection for Advanced Polymorphic Malware

    Malicious Software (malware) attacks across the internet are increasing at an alarming rate. Cyber-attacks have become increasingly sophisticated and targeted. These targeted attacks are aimed at compromising networks, stealing personal financial information, and removing sensitive data or disrupting operations. Current malware detection approaches work well for previously known signatures. However, malware developers utilize techniques to mutate and change software properties (signatures) to avoid and evade detection. Polymorphic malware is practically undetectable with signature-based defensive technologies. Today’s effective detection rate for polymorphic malware detection ranges from 68.75% to 81.25%. New techniques are needed to improve malware detection rates. Improved detection of polymorphic malware can only be accomplished by extracting features beyond the signature realm. Targeted detection for polymorphic malware must rely upon extracting key features and characteristics for advanced analysis. Traditionally, malware researchers have relied on limited dimensional features such as behavior (dynamic) or source/execution code analysis (static). This study’s focus was to extract and evaluate a limited set of multidimensional topological data in order to improve detection for polymorphic malware. This study used multidimensional analysis (file properties, static and dynamic analysis) with machine learning algorithms to improve malware detection. This research demonstrated that improved polymorphic malware detection can be achieved with machine learning. This study conducted a number of experiments using a standard experimental testing protocol. This study utilized three advanced algorithms (Metabagging (MB), Instance Based k-Means (IBk) and Deep Learning Multi-Layer Perceptron) with a limited set of multidimensional data. Experimental results delivered detection results above 99.43%. In addition, the experiments delivered near zero false positives. The study’s approach was based on single case experimental design, a well-accepted protocol for progressive testing. The study constructed a prototype to automate feature extraction, assemble files for analysis, and analyze results through multiple clustering algorithms. The study performed an evaluation of large malware sample datasets to understand effectiveness across a wide range of malware. The study developed an integrated framework which automated feature extraction for multidimensional analysis. The feature extraction framework consisted of four modules: 1) a pre-process module that extracts and generates topological features based on static analysis of machine code and file characteristics, 2) a behavioral analysis module that extracts behavioral characteristics based on file execution (dynamic analysis), 3) an input file construction and submission module, and 4) a machine learning module that employs various advanced algorithms. As with most studies, careful attention was paid to false positive and false negative rates, which reduce overall detection accuracy and effectiveness. This study provided a novel approach to expand the malware body of knowledge and improve the detection of polymorphic malware targeting Microsoft operating systems.

    A Scalable Malware Classification based on Integrated Static and Dynamic Features

    This paper presents a malware classification approach which aims to improve precision and support scalability. To this end, a hybrid approach combining both static and dynamic features is adopted. The hybrid approach has the advantage of being a complete and robust solution to evasion techniques used by malware writers. The proposed methodology achieved a very promising accuracy of 99.41% in classifying malware into families while considerably reducing the feature space compared to competing approaches in the literature.

    Bridging the detection gap: a study on a behavior-based approach using malware techniques

    In recent years the intensity and complexity of cyber attacks have increased at a rapid rate. The cost of these attacks on U.S.-based companies is in the billions of dollars, including the loss of intellectual property and reputation. Novel and diverse approaches are needed to mitigate the cost of a security breach, and to bridge the gap between malware detection and a security breach. This thesis focuses on the short-term need to mitigate the impact of undetected shellcodes that cause security breaches. The thesis's approach focuses on the agents driving the attacks, capturing their actions in order to piece together the attacks for forensic purposes, as well as to better understand the opponent. The work presented in this thesis employs models of normal operating system behavior to detect access to the operating system's shell interface. It also utilizes malware techniques to avoid detection and subsequent termination of the monitoring system, as well as dynamic shellcode execution methodologies in the testing of the thesis' modules, to implement a monitoring system.

    Advanced SDN-Based QoS and Security Solutions for Heterogeneous Networks

    This thesis studies how SDN can be employed to support Quality of Service and why supporting this functionality is fundamental for today's networks. Considering not only present networks but also next-generation ones, the importance of the SDN paradigm becomes manifest, as does the use of satellite networks, which can be useful given their broadcasting capabilities. For these reasons, this research focuses its attention on satellite-terrestrial networks and in particular on the use of SDN inside this environment. An important fact to be taken into account is that the growth of information technologies has paved the way for new possible threats. This research also tries to cover this problem by considering how SDN can be employed for the detection of past and future malware inside networks.

    Detection and Classification of Malicious Processes Using System Call Analysis

    Despite efforts to mitigate the malware threat, the proliferation of malware continues, with record-setting numbers of malware samples being discovered each quarter. Malware is any intentionally malicious software, including software designed for extortion, sabotage, and espionage. Traditional malware defenses are primarily signature-based and heuristic-based, and include firewalls, intrusion detection systems, and antivirus software. Such defenses are reactive, performing well against known threats but struggling against new malware variants and zero-day threats. Together, the reactive nature of traditional defenses and the continuing spread of malware motivate the development of new techniques to detect such threats. One promising set of techniques uses features extracted from system call traces to infer malicious behaviors. This thesis studies the problem of detecting and classifying malicious processes using system call trace analysis. The goal of this study is to identify techniques that are 'lightweight' enough and exhibit a low enough false positive rate to be deployed in production environments. The major contributions of this work are (1) a study of the effects of feature extraction strategy on malware detection performance; (2) the comparison of signature-based and statistical analysis techniques for malware detection and classification; (3) the use of sequential detection techniques to identify malicious behaviors as quickly as possible; (4) a study of malware detection performance at very low false positive rates; and (5) an extensive empirical evaluation, wherein the performance of the malware detection and classification systems is evaluated against data collected from production hosts and from the execution of recently discovered malware samples. The outcome of this study is a proof-of-concept system that detects the execution of malicious processes in production environments and classifies them according to their similarity to known malware.
    Ph.D., Electrical Engineering -- Drexel University, 201

    Selected Computing Research Papers Volume 5 June 2016

    Contents (page numbers follow each entry):
    An Analysis of Current Computer Assisted Learning Techniques Aimed at Boosting Pass Rate Level and Interactivity of Students (Gilbert Bosilong) ... 1
    Evaluating the Ability of Anti-Malware to Overcome Code Obfuscation (Matthew Carson) ... 9
    Evaluation of Current Research in Machine Learning Techniques Used in Anomaly-Based Network Intrusion Detection (Masego Chibaya) ... 15
    A Critical Evaluation of Current Research on Techniques Aimed at Improving Search Efficiency over Encrypted Cloud Data (Kgosi Dickson) ... 21
    A Critical Analysis and Evaluation of Current Research on Credit Card Fraud Detection Methods (Lebogang Otto Gaboitaolelwe) ... 29
    Evaluation of Research in Automatic Detection of Emotion from Facial Expressions (Olorato D. Gaonewe) ... 35
    A Critical Evaluation on Methods of Increasing the Detection Rate of Anti-Malware Software (Thomas Gordon) ... 43
    An Evaluation of the Effectiveness of the Advanced Intrusion Detection Systems Utilizing Optimization on System Security Technologies (Carlos Lee) ... 49
    An Evaluation of Current Research on Data Mining Techniques in Decision Support (Keamogetse Mojapelo) ... 57
    A Critical Investigation of the Cognitive Appeal and Impact of Video Games on Players (Kealeboga Charlie Mokgalo) ... 65
    Evaluation of Computing Research Aimed at Improving Virtualization Implementation in the Cloud (Keletso King Mooketsane) ... 73
    A Critical Evaluation of the Technology Used In Robotic Assisted Surgeries (Botshelo Keletso Mosekiemang) ... 79
    An Evaluation of Current Bio-Metric Fingerprint Liveness Detection (George Phillipson) ... 85
    A Critical Evaluation of Current Research into Malware Detection Using Neural-Network Classification (Tebogo Duduetsang Ramatebele) ... 91
    Evaluating Indirect Detection of Obfuscated Malware (Benjamin Stuart Roberts) ... 101
    Evaluation of Current Security Techniques for Online Banking Transactions (Annah Vickerman) ... 10

    Malwise: An Effective and Efficient Classification System for Packed and Polymorphic Malware

    Signature-based malware detection systems have been a much-used response to the pervasive problem of malware. Identification of malware variants is essential to a detection system and is made possible by identifying invariant characteristics in related samples. To classify packed and polymorphic malware, this paper proposes a novel system, named Malwise, for malware classification using a fast application-level emulator to reverse the code packing transformation, and two flowgraph matching algorithms to perform classification. An exact flowgraph matching algorithm is employed that uses string-based signatures and is able to detect malware with near real-time performance. Additionally, a more effective approximate flowgraph matching algorithm is proposed that uses the decompilation technique of structuring to generate string-based signatures amenable to the string edit distance. We use real and synthetic malware to demonstrate the effectiveness and efficiency of Malwise. Using more than 15,000 real malware samples collected from honeypots, the effectiveness is validated by showing that there is an 88 percent probability that new malware is detected as a variant of existing malware. The efficiency is demonstrated on a smaller sample set of malware, where 86 percent of the samples can be classified in under 1.3 seconds.