Reliable Malware Analysis and Detection using Topology Data Analysis

Increasingly, malwares are becoming complex and they are spreading on networks targeting different infrastructures and personal-end devices to collect, modify, and destroy victim information. Malware behaviors are polymorphic, metamorphic, persistent, able to hide to bypass detectors and adapt to new environments, and even leverage machine learning techniques to better damage targets. Thus, it makes them difficult to analyze and detect with traditional endpoint detection and response, intrusion detection and prevention systems. To defend against malwares, recent work has proposed different techniques based on signatures and machine learning. In this paper, we propose to use an algebraic topological approach called topological-based data analysis (TDA) to efficiently analyze and detect complex malware patterns. Next, we compare the different TDA techniques (i.e., persistence homology, tomato, TDA Mapper) and existing techniques (i.e., PCA, UMAP, t-SNE) using different classifiers including random forest, decision tree, xgboost, and lightgbm. We also propose some recommendations to deploy the best-identified models for malware detection at scale. Results show that TDA Mapper (combined with PCA) is better for clustering and for identifying hidden relationships between malware clusters compared to PCA. Persistent diagrams are better to identify overlapping malware clusters with low execution time compared to UMAP and t-SNE. For malware detection, malware analysts can use Random Forest and Decision Tree with t-SNE and Persistent Diagram to achieve better performance and robustness on noised data

DroidDetectMW: A Hybrid Intelligent Model for Android Malware Detection

Malicious apps specifically aimed at the Android platform have increased in tandem with the proliferation of mobile devices. Malware is now so carefully written that it is difficult to detect. Due to the exponential growth in malware, manual methods of malware are increasingly ineffective. Although prior writers have proposed numerous high-quality approaches, static and dynamic assessments inherently necessitate intricate procedures. The obfuscation methods used by modern malware are incredibly complex and clever. As a result, it cannot be detected using only static malware analysis. As a result, this work presents a hybrid analysis approach, partially tailored for multiple-feature data, for identifying Android malware and classifying malware families to improve Android malware detection and classification. This paper offers a hybrid method that combines static and dynamic malware analysis to give a full view of the threat. Three distinct phases make up the framework proposed in this research. Normalization and feature extraction procedures are used in the first phase of pre-processing. Both static and dynamic features undergo feature selection in the second phase. Two feature selection strategies are proposed to choose the best subset of features to use for both static and dynamic features. The third phase involves applying a newly proposed detection model to classify android apps; this model uses a neural network optimized with an improved version of HHO. Application of binary and multi-class classification is used, with binary classification for benign and malware apps and multi-class classification for detecting malware categories and families. By utilizing the features gleaned from static and dynamic malware analysis, several machine-learning methods are used for malware classification. According to the results of the experiments, the hybrid approach improves the accuracy of detection and classification of Android malware compared to the scenario when considering static and dynamic information separately

Explainable Malware Detection System Using Transformers-Based Transfer Learning and Multi-Model Visual Representation

Android has become the leading mobile ecosystem because of its accessibility and adaptability. It has also become the primary target of widespread malicious apps. This situation needs the immediate implementation of an effective malware detection system. In this study, an explainable malware detection system was proposed using transfer learning and malware visual features. For effective malware detection, our technique leverages both textual and visual features. First, a pre-trained model called the Bidirectional Encoder Representations from Transformers (BERT) model was designed to extract the trained textual features. Second, the malware-to-image conversion algorithm was proposed to transform the network byte streams into a visual representation. In addition, the FAST (Features from Accelerated Segment Test) extractor and BRIEF (Binary Robust Independent Elementary Features) descriptor were used to efficiently extract and mark important features. Third, the trained and texture features were combined and balanced using the Synthetic Minority Over-Sampling (SMOTE) method; then, the CNN network was used to mine the deep features. The balanced features were then input into the ensemble model for efficient malware classification and detection. The proposed method was analyzed extensively using two public datasets, CICMalDroid 2020 and CIC-InvesAndMal2019. To explain and validate the proposed methodology, an interpretable artificial intelligence (AI) experiment was conducted

Protecting Android Devices from Malware Attacks: A State-of-the-Art Report of Concepts, Modern Learning Models and Challenges

Advancements in microelectronics have increased the popularity of mobile devices like cellphones, tablets, e-readers, and PDAs. Android, with its open-source platform, broad device support, customizability, and integration with the Google ecosystem, has become the leading operating system for mobile devices. While Android's openness brings benefits, it has downsides like a lack of official support, fragmentation, complexity, and security risks if not maintained. Malware exploits these vulnerabilities for unauthorized actions and data theft. To enhance device security, static and dynamic analysis techniques can be employed. However, current attackers are becoming increasingly sophisticated, and they are employing packaging, code obfuscation, and encryption techniques to evade detection models. Researchers prefer flexible artificial intelligence methods, particularly deep learning models, for detecting and classifying malware on Android systems. In this survey study, a detailed literature review was conducted to investigate and analyze how deep learning approaches have been applied to malware detection on Android systems. The study also provides an overview of the Android architecture, datasets used for deep learning-based detection, and open issues that will be studied in the future

Inner-Eye: Appearance-based Detection of Computer Scams

As more and more inexperienced users gain Internet access, fraudsters are attempting to take advantage of them in new ways. Instead of sophisticated exploitation techniques, simple confidence tricks can be used to create malware that is both very effective and likely to evade detection by traditional security software. Heuristics that detect complex malicious behavior are powerless against some common frauds. This work explores the use of imaging and text-matching techniques to detect typical computer scams such as pharmacy and rogue antivirus frauds. The Inner-Eye system implements the chosen approach in a scalable and efficient manner through the use of virtualization

A Taxonomy for Social Engineering attacks

As the technology to secure information improves, hackers will employ less technical means to get access to unauthorized data. The use of Social Engineering as a non tech method of hacking has been increasingly used during the past few years. There are different types of social engineering methods reported but what is lacking is a unifying effort to understand these methods in the aggregate. This paper aims to classify these methods through taxonomy so that organizations can gain a better understanding of these attack methods and accordingly be vigilant against them

Insights into user behavior in dealing with common Internet attacks

Ankara : The Department of Computer Engineering and the Graduate School of Engineering and Science of Bilkent University, 2011.Thesis (Master's) -- Bilkent University, 2011.Includes bibliographical references leaves 45-50.The Internet’s immense popularity has made it an attractive medium for attackers. Today, criminals often make illegal profits by targeting Internet users. Most common Internet attacks require some form of user interaction such as clicking on an exploit link, or dismissing a security warning dialogue. Hence, the security problem at hand is not only a technical one, but it also has a strong human aspect. Although the security community has proposed many technical solutions to mitigate common Internet attacks, the behavior of users when they face these attacks remains a largely unexplored area. In this work, we describe an online experiment platform we built for testing the behavior of users when they are confronted with common, concrete attack scenarios such as reflected cross-site scripting, session fixation, scareware and file sharing scams. We conducted experiments with more than 160 Internet users with diverse backgrounds. Our findings show that non-technical users can exhibit comparable performance to knowledgeable users at averting relatively simple and well-known threats (e.g., email scams). While doing so, they do not consciously perceive the risk, but solely depend on their intuition and past experience (i.e., there is a training effect). However, in more sophisticated attacks, these nontechnical users often rely on misleading cues such as the “size” and “length” of artifacts (e.g., URLs), and fail to protect themselves. Our findings also show that trick banners that are common in file sharing websites and shortened URLs have high success rates of deceiving non-technical users, thus posing a severe security risk.Yılmaz, Utku OzanM.S