15 research outputs found

    Pre-filters in-transit malware packets detection in the network

    Conventional malware detection systems cannot detect most new malware in the network without the availability of their signatures. To address this problem, this paper proposes a technique to detect both metamorphic (mutated) and general (non-mutated) malware in the network using a combination of known malware sub-signatures and machine learning classification. This network-based malware detection is achieved through a middle path for efficient processing of non-malware packets. The proposed technique has been tested and verified using multiple data sets (metamorphic malware, non-mutated malware, and UTM real traffic); it can detect most malware packets in the network before they reach the host, improving on previous works that detect malware on the host. Experimental results showed that the proposed technique can speed up the transmission of more than 98% of normal packets without sending them to the slow path, and that more than 97% of malware packets are detected and dropped in the middle path. Furthermore, more than 75% of metamorphic malware packets in the test dataset could be detected. The proposed technique is 37 times faster than the existing technique.

    Obfuscated computer virus detection using machine learning algorithm

    Nowadays, computer virus attacks are getting very advanced. New obfuscated computer viruses created by virus writers automatically generate a new shape of the virus for every single iteration and download. This constantly evolving computer virus poses a significant threat to the information security of computer users, organizations and even governments. However, the signature-based detection technique used by conventional anti-virus software on the market fails to identify it because signatures are unavailable. This research proposed an alternative to the traditional signature-based detection method and investigated the use of a machine learning technique for obfuscated computer virus detection. In this work, text strings extracted from virus program code are used as the features to generate a suitable classifier model that can correctly classify obfuscated virus files. The text string feature is used because it is informative and potentially uses only a small amount of memory space. Results show that unknown files can be correctly classified with 99.5% accuracy using an SMO classifier model. Thus, it is believed that current computer virus defenses can be strengthened through a machine learning approach.

    Metamorphic Malware Detection Based on Support Vector Machine Classification of Malware Sub-Signatures

    Achieving accurate and efficient metamorphic malware detection remains a challenge. Metamorphic malware is able to mutate and alter its code structure in each infection, while some vital functionality and code segments remain unchanged. We exploit these unchanged features to detect metamorphic malware using a Support Vector Machine (SVM) classifier. N-gram features are extracted directly from sample malware binaries to avoid disassembly, and are then masked with the extracted Snort signature n-grams. These masked features considerably reduce the number of selected n-gram features. Our method can accurately detect metamorphic malware with ~99% accuracy and a low false positive rate. The proposed method is also superior to commercially available anti-viruses in detecting metamorphic malware.

    Metamorphic malware detection based on support vector machine classification of malware sub-signatures

    Achieving accurate and efficient metamorphic malware detection remains a challenge. Metamorphic malware is able to mutate and alter its code structure in each infection, which can circumvent signature matching detection. However, some vital functionalities and code segments remain unchanged between mutations. We exploit these unchanged features by means of classification using a Support Vector Machine (SVM). N-gram features are extracted directly from malware binaries to avoid disassembly, and these features are then masked with the extracted known malware signature n-grams. These masked features reduce the number of selected n-gram features considerably. Our method can accurately detect metamorphic malware with ~99% accuracy and a low false positive rate. The proposed method is also superior to commercially available anti-viruses for detecting metamorphic malware.

    Impact of Packet Inter-arrival Time Features for Online Peer-to-Peer (P2P) Classification

    Identification of bandwidth-heavy Internet traffic is important for network administrators to throttle high-bandwidth application traffic. Flow-feature-based classification has previously been proposed as a promising method to identify Internet traffic based on packet statistical features. The selection of statistical features plays an important role in accurate and timely classification. In this work, we investigate the impact of the packet inter-arrival time feature on online P2P classification in terms of accuracy, Kappa statistic and time. Simulations were conducted using available traces from the University of Brescia, the University of Aalborg and the University of Cambridge. Experimental results show that the inclusion of inter-arrival time (IAT) as an online feature increases simulation time and decreases classification accuracy and Kappa statistic.

    Feature selection and machine learning classification for malware detection

    Malware is a computer security problem that can morph to evade traditional detection methods based on known signature matching. Since new malware variants contain patterns that are similar to those in observed malware, machine learning techniques can be used to identify new malware. This work presents a comparative study of several feature selection methods with four different machine learning classifiers in the context of static malware detection based on n-gram analysis. The results show that the use of Principal Component Analysis (PCA) feature selection and Support Vector Machine (SVM) classification gives the best classification accuracy using a minimum number of features.

    Study of enhanced DCF (EDCF) in multimedia application

    IEEE 802.11e Medium Access Control (MAC) is an emerging supplement to the IEEE 802.11 Wireless Local Area Network (WLAN) standard to support Quality of Service (QoS). The 802.11e MAC is based on both centrally-controlled and contention-based channel access. This project evaluates the contention-based channel access mechanism, called Enhanced Distributed Coordination Function (EDCF), in comparison with the 802.11 legacy MAC, the Distributed Coordination Function (DCF). Then, using the EDCF model, the acceptable number of streams for each traffic type individually and for a combination of all traffic types is determined based on ITU-T requirements. Three different types of traffic are considered, namely voice, video and data. The evaluation was done using the ns-2 simulator (version 2.26) running on Linux Fedora Core 2. The metrics used in the evaluation are throughput (Byte), delay (sec) and packet loss (%). Based on the graphs of these three metrics, the performance of EDCF and DCF is evaluated, and the number of streams that fulfil the ITU-T requirements is determined. Through this simulation study, it can be concluded that EDCF can provide differentiated channel access for different traffic types. Simulation results show that EDCF performs better than legacy DCF. Based on ITU-T requirements, especially for delay and packet loss, the acceptable number of streams both for each traffic type individually and for a combination of all traffic types can be determined under the EDCF model.