13 research outputs found

    Evolution and Detection of Polymorphic and Metamorphic Malwares: A Survey

    Malware is a big threat to the digital world and is evolving with high complexity. It can penetrate networks, steal confidential information from computers, bring down servers and cripple infrastructures. To combat the threats and attacks from malware, anti-malware has been developed. Existing anti-malware is mostly based on the assumption that the malware structure does not change appreciably. But recent advances in second-generation malware allow it to create variants, which poses a challenge to anti-malware developers. To combat the threats and attacks from second-generation malware with low false alarm rates, we present our survey on malware and its detection techniques. Comment: 5 pages.

    Differentiating malware from cleanware using behavioural analysis

    This paper proposes a scalable approach for distinguishing malicious files from clean files by investigating behavioural features using logs of various API calls. We also propose, as an alternative to the traditional method of manually identifying malware files, an automated classification system using runtime features of malware files. For both projects, we use an automated tool running in a virtual environment to extract API call features from executables and apply pattern recognition algorithms and statistical methods to differentiate between files. Our experimental results, based on a dataset of 1368 malware and 456 cleanware files, provide an accuracy of over 97% in distinguishing malware from cleanware. Our techniques provide a similar accuracy for classifying malware into families. In both cases, our results outperform comparable previously published techniques.

    Research on Associative Classification Rules of Malware Detection based on Incremental Learning

    Virus detection and defense is an important research topic in computer security. At present, viruses are constantly being renewed and make heavy use of code protection mechanisms such as multi-layer encryption packers, driver-linked packers and mutating packers, as well as new techniques such as polymorphism and metamorphism, so that virus outbreaks can evade detection and spread; traditional malicious-code detection and removal techniques face a severe challenge. Associative classification, one of the hot topics in data mining research, has good classification accuracy, and its classification rules are easier to understand and reuse. Association-rule classification methods can learn from past virus files and normal files, extract their characteristic representations, find the association rules among them, and thereby detect viruses. Traditional association-rule-based virus detection techniques repeatedly re-learn historical rules, which easily causes excessive time and space overhead, and mining a large volume of samples in one pass causes the frequent-itemset combinatorial explosion problem. Currently, associative classification...

    Malware detection is an important component of computer security. In recent years, the speed of the outbreak and spread of viruses is worrying. The use of a large number of polymorphic and metamorphic techniques makes it possible to evade detection. Traditional malicious code detection technology is now facing a severe challenge. As one of the most heated issues of data mining, association r...

    Degree: Master of Engineering. Department and major: School of Software, Computer Software and Theory. Student ID: 2432006115266.

    Classifying malicious windows executables using anomaly based detection

    A malicious executable is broadly defined as any program or piece of code designed to cause damage to a system or the information it contains, or to prevent the system from being used in a normal manner. A generic term used to describe any kind of malicious software is malware, which includes viruses, worms, Trojans, backdoors, rootkits, spyware and exploits. Anomaly detection is a technique that builds a statistical profile of the normal and malicious data and classifies unseen data based on these two profiles. A detection system is presented here which is anomaly based and focuses on the Windows® platform. Several file infection techniques were studied to understand which particular features in the executable binary are more susceptible to being used for malicious code propagation. A framework is presented for collecting data for both static (non-execution based) and dynamic (execution based) analysis of the malicious executables. Two specific features are extracted using static analysis, Windows API calls (from the Import Address Table of the Portable Executable header) and the hex byte frequency count (collected using the hexdump utility), which are explained in detail. The dynamic analysis features that were extracted are briefly mentioned and the major challenges faced using this data are explained. Classification results using Support Vector Machines for anomaly detection are shown for the two static analysis features. Experimental results have provided classification results with up to 94% accuracy for new, previously unseen executables.

    Malware Identification Technique and its Applications

    With the development of Internet technology and changes in the security landscape, the number of malware samples has grown exponentially and malware variants emerge endlessly. Traditional identification methods can no longer process such massive data promptly and effectively, so the traditional detection-and-defense model that uses the client as its battleground cannot meet the new security requirements, and major security vendors have begun building their own "cloud security" programs. Against this background, research on key techniques for malware detection is essential. To address the problems of malware being large in number, fast-changing, high-dimensional and noisy, we study software behaviour identification techniques in a cloud computing environment, explore new methods for mining massive software sample data, new models and algorithms for mining cluster patterns in event sequences and their application to malware identification, and build a prototype intelligent malware identification system for cloud security as well as a system architecture for detecting Chinese phishing websites.

    With the development of Internet technology and the changes in the Internet security situation, we witness an exponential increase in the number of malicious software samples and their endless variants. Traditional detection methods cannot effectively and timely deal with such a mass of malicious software data, so the traditional anti-virus platform running on the PC client can no longer satisfy current security requirements, and some major Internet security vendors have been launching their 'cloud security' programs. Under such a background, it is urgent to develop new effective and efficient techniques for malware detection. In this paper, we investigate malware detection techniques based on cloud computing, including mining massive software samples and applying new clustering models/algorithms for event sequences to malware detection, to deal with the critical issues of malware being of large amount, fast change, high dimensionality and noise-laden. Furthermore, we propose a prototype of an intelligent malware detection system for cloud security.

    Funding: National Natural Science Foundation of China (Research on event sequence mining methods for software behaviour identification; No. 61175123); Shenzhen Special Fund for the Development of the Biological, Internet and New Energy Industries (No. CXB201005250021A).

    Intra-procedural Path-insensitive Grams (i-grams) and Disassembly Based Features for Packer Tool Classification and Detection

    The DoD relies on over seven million computing devices worldwide to accomplish a wide range of goals and missions. Malicious software, or malware, jeopardizes these goals and missions. However, determining whether an arbitrary software executable is malicious can be difficult. Obfuscation tools, called packers, are often used to hide the malicious intent of malware from anti-virus programs. Therefore, detecting whether or not an arbitrary executable file is packed is a critical step in software security. This research uses machine learning methods to build a system, the Polymorphic and Non-Polymorphic Packer Detection (PNPD) system, that detects whether an executable is packed using both sequences of instructions, called i-grams, and disassembly information as features for machine learning. Both i-grams and disassembly features successfully detect packed executables, with top configurations achieving average accuracies above 99.5%, average true positive rates above 0.977, and average false positive rates below 1.6e-3 when detecting polymorphic packers.

    FINGERPRINTING MALICIOUS IP TRAFFIC

    In the new global economy, cyber-attacks have become a central issue. The detection, mitigation and attribution of such cyber-attacks require efficient and practical techniques to fingerprint malicious IP traffic. By fingerprinting, we refer to: (1) the detection of malicious network flows and (2) the attribution of the detected flows to the malware families that generate them. In this thesis, we first address the detection problem and solve it by using a classification technique. The latter uses features that exploit only high-level properties of traffic flows and therefore does not rely on deep packet inspection. As such, our technique is effective even in the presence of encrypted traffic. Secondly, whenever a malicious flow is detected, we propose another technique to attribute such a flow to the malware family that generated it. The attribution technique is built upon k-means clustering, sequence mining and Pushdown Automata (PDAs) to capture the network behaviours of malware family groups. Indeed, the generated PDAs are effectively network signatures for malware family groups. Our results show that the proposed malicious detection and attribution techniques achieve high accuracy with low false positive and false negative alert rates.

    Polymorphic Malicious Executable Scanner by API Sequence Analysis


    A Novel Malware Target Recognition Architecture for Enhanced Cyberspace Situation Awareness

    The rapid transition of critical business processes to computer networks potentially exposes organizations to digital theft or corruption by advanced competitors. One tool used for these tasks is malware, because it circumvents legitimate authentication mechanisms. Malware is an epidemic problem for organizations of all types. This research proposes and evaluates a novel Malware Target Recognition (MaTR) architecture for malware detection and identification of propagation methods and payloads, to enhance situation awareness in tactical scenarios using non-instruction-based, static heuristic features. MaTR achieves a 99.92% detection accuracy on known malware with false positive and false negative rates of 8.73e-4 and 8.03e-4 respectively. MaTR outperforms leading static heuristic methods with a statistically significant 1% improvement in detection accuracy and 85% and 94% reductions in false positive and false negative rates respectively. Against a set of publicly unknown malware, MaTR's detection accuracy is 98.56%, a 65% performance improvement over the combined effectiveness of three commercial antivirus products.